THE CRIME TYPE

‘Skimming’ refers to the illegal use of electronic devices to steal bank and credit/debit card details, whether cards are inserted in automatic teller machines (ATMs) or used at point-of-sale (POS) terminals. Unfortunately, this type of crime is widespread across Australia and around the world. The technology employed to skim information varies depending on whether the device is an ATM or a POS terminal.

‘Shimming’ is a form of skimming that uses a ‘shimmer’—a thin metal and electronic device inserted into an ATM card slot. It sits between the card and the ATM’s card reader and copies card data, including the personal identification number (PIN). Some shimmers transmit the data immediately to a nearby device; others require offenders to retrieve the data from the machine to access it.

UNITED STATES SECRET SERVICE

In early 2023 the United States Secret Service investigated a card skimming racket in San Diego, California,¹ where shimmers were deployed to steal the personal data of welfare recipients who used government-provided electronic benefits cards. The offenders then encoded blank cards with the captured data before using the cloned cards to withdraw money from ATMs. Many of the transactions occurred at the beginning of each month, immediately after the accounts had been loaded with new government funds.

In early June 2023 the Secret Service arrested five Romanian nationals who used cloned cards and PINs to withdraw cash from ATMs. In addition to possessing numerous cloned cards, each offender had fake Czech Republic identification documents and sizeable amounts of cash on them. One also had a receipt for a FedEx package recently sent to Australia, containing what was described as plastic part samples weighing a pound (454 grams) and worth USD$80. The consignee was listed as ‘Alexei Avrames’ at a premises in the inner-western Sydney suburb of Wentworth Point. A mobile phone number for Avrames was also listed on the receipt. The Secret Service decided to notify the AFP about the package as they suspected it contained shimming equipment.

PRELIMINARY INQUIRIES

The AFP-led Joint Policing Cybercrime Coordination Centre (JPC3) was established in 2022 to harness the skills, technology and capacities of multiple policing and allied agencies. With an aim of maximising law enforcement’s impact on high-volume cybercrime, JPC3’s capabilities include target development and disruption, intelligence analysis and investigations.

On Monday 5 June 2023 the Secret Service’s attach. to JPC3 briefed the team about the San Diego arrests. AFP intelligence officers set about compiling a profile, a painstaking multiweek process involving interrogating data holdings of several government agencies as well as seeking information from banks, telecommunications, car hire and courier companies.

Records revealed the FedEx package from San Diego had already been collected by ‘Alex Avrames’ at a newsagency collection point in Homebush, near Wentworth Point. No records of an Alex Avrames could be found on any police or immigration database, nor on the electoral role. Further, the Wentworth Point address listed on the FedEx receipt did not exist.

Subsequent bank checks revealed the fictitious address had also been used in May 2023 by a man claiming to be Cestmir Bozdech, a Czech national and Audi sales manager, when he had opened multiple Australian bank accounts. Bozdech had also earlier attempted to open a Commonwealth Bank account but the application was rejected by staff who deemed the passport to be fraudulent. The bank did not notify police of the incident at the time.

The phone number listed on the San Diego FedEx receipt was linked to an ‘Owen Smith’ at an address in rural Briagolong, Victoria. The address was real but there were no records of Smith ever being there. Significantly, the international mobile equipment identifier (IMEI) number of the phone’s handset was associated with several other mobile numbers, including one from the United Kingdom (UK). This suggested the phone’s user regularly cycled through SIM cards, an indicator of criminal activity.

One of the suspicious mobile numbers – the UK one – was found to be linked to 33-year-old Alexandru Vasile Badaric, a Romanian who had arrived in Australia on a temporary ‘eVisitor’ visa in April 2023. When the visa expired in July, Badaric applied for a student vocational visa. He was immediately issued a bridging visa pending the outcome of the student visa application, allowing him to remain in the country. The residential address nominated by Badaric in the application was a real one in the Sydney suburb of Burwood but AFP inquiries indicated he wasn’t living there.

Additional inquiries uncovered other names, addresses and phone numbers, however, the AFP’s focus gravitated towards Badaric after his Romanian passport was compared with the Czech passport in the name of Cestmir Bozdech. The photos in the two documents were of the same man.

SUSPICIOUS CONSIGNMENTS

Inquiries with the Australian Border Force (ABF) linked the phone number on the San Diego FedEx receipt to three DHL consignments sent to Australia by what proved to be fictitious identities in Hong Kong and the UK. Paperwork for the consignments listed the contents as a ‘machining metal shell’, ‘printed circuit boards’ and an ‘audio interface Focusrite.’²

The nominated consignee for two of the packages was ‘Andreas Madison’ with ‘Harvey Saunders’ listed for the third.

DHL records showed that ‘Madison’ had redirected his consignments to an authorised collection point in Mascot; the third consignment (in the name of Saunders) remained unclaimed. Forensic examination of the unclaimed package by ABF and AFP personnel revealed a shimmer securely taped to circuitry inside the casing of the audio interface box.

CCTV footage from the Mascot collection point showed ‘Andreas Madison’ was the same person who had attended the Homebush newsagency using the name of Alexei Avrames, and he closely resembled the photographs of Alexandru Badaric (aka Cestmir Bozdech). The Mascot CCTV also showed him driving a Sixt rental vehicle which had been hired using the Bozdech passport. The vehicle had been returned to Sixt before police identified its significance. Clearly, Alexandru Badaric was using multiple aliases.

Those inquiries took several weeks to complete, during which time evidence emerged regarding a Romanian organised crime syndicate operating shimmers in ATMs in Sydney, Melbourne and Brisbane. Information provided by the National Australia Bank (NAB) implicated two individuals, a Romanian and a Polish national, engaging in skimming activities in Brisbane. That information was passed by JPC3 to the Queensland Police Service, who arrested and charged the men on 3 August 2023 with offences under the Queensland Criminal Code 1899.

Meanwhile, information began emerging of multiple shimming offences in Melbourne. Call charge records suggested Badaric had travelled to Melbourne during the period of these offences, however – by late July – call-associated data indicated his phone was back in the Sydney suburb of Rhodes. Because of the prevalence of multi-storey apartments throughout the suburb, it was impossible to pinpoint the phone to an exact address. Checks also showed ‘Cestmir Bozdech’ (the alias used by Badaric) had recently hired a Mitsubishi car in Sydney.

A breakthrough came in early August 2023 when, in response to a police inquiry, Airbnb advised JPC3 that ‘Bozdech’ had booked a third-floor unit in a six-storey apartment complex on Shoreline Drive, Rhodes. He was due to check out on Saturday 5 August.

THE SEARCH WARRANT

On the morning of Friday 4 August, a Crimes Act 1914 (Commonwealth) s.3E search warrant was obtained for the Airbnb unit, from the court registrar at the Downing Centre Court in Sydney’s central business district. 

Twelve members were assigned to the raid on the unit – 11 AFP (including two unsworn cyber technicians) and a NSW Police Force member attached to JPC3, Detective Sergeant Paul Garlick.

At 12.30pm the entry team assembled a few streets away from the apartment complex to receive their last-minute briefing. Three plain-clothed members of the team took up observation positions at and near the front of the unit complex, in preparation for the arrival of their colleagues. The ‘go’ time was set for just after 1pm.

Then, a fortuitous event occurred.

A Kia Sportage was seen to drive from a side street onto Shoreline Drive and then stop in front of the complex’s row of letterboxes. Two people were in the vehicle – a male driver and a female passenger.

Both got out and moved towards a wall of letterboxes near the main entrance. Police moved in, identified themselves, and discovered the couple were Badaric and 32-year-old Romanian national, Izabela Vintila. The two had just packed their belongings from the Airbnb unit into the car and were in the process of leaving a day earlier than scheduled. Having driven out of the underground garage, they were dropping off the keys in the unit’s letterbox before driving to an undisclosed destination.

Responding to developments, the rest of the team swiftly arrived at the complex. A search was commenced of the unit after legal rights were explained to the Romanians.³ It proved to be a very short search as the two had put all their property into the Kia. This gave rise to a complication in that the 3E search warrant was limited to the unit. 

After discussions with his AFP colleagues and now suspecting the vehicle contained stolen items, or other items used in connection with the commission of offences, Sergeant Garlick exercised his powers to search the Kia pursuant to section 36 of the New South Wales Law Enforcement (Powers and Responsibilities) Act 2002.

TREASURE TROVE

A treasure trove of evidence was located throughout the vehicle, including eight functional shimming devices (some wrapped in tissue paper), an assortment of card readers, electronic components and tools, and a computer containing card-reading software. The laptop’s internet browser was found to have the saved address of a site where users can check the validity of credit card numbers – an essential aid when cloning cards. A document listing 35 credit card numbers and their PINs was also located in the car.

Other items seized by police included the Czech passport for Cestmir Bozdech, along with an Italian driver licence and a Romanian driver licence. All three documents displayed a photo of Badaric. Multiple credit cards for aliases including Cestmir Bozdech were located in the driver’s seat area, along with AUD$14,085 in cash.

Identification and Australian credit cards for the detained passenger, Izabela Vintila, were found in the passenger seat area. Subsequent checks established the accounts opened by Vintila with the NAB, St George and Westpac banks were linked to the false Wentworth Point address also used by Badaric in the name ‘Alexei Avrames’.

All the property located in the car, including clothing, was seized by police.

The degree of Badaric and Vintila’s engagement with police lessened during the search of their car.

Both initially had been prepared to answer questions including identifying some of their property. Vintila accepted some of the bags were hers and admitted the money had been fraudulently obtained from bank accounts, but she denied knowledge of the electronic items and credit cards. As time passed and the seriousness of the incident became apparent, Vintila asked to phone a lawyer and Badaric asked to ring a friend. After their calls, both declined to answer further questions and refused to disclose their personal phone PINs.

By 3:30pm the search was completed. The two Romanians were arrested and conveyed to Burwood Police Station for charging and processing. At the station, they consented to having their fingerprints taken as well as providing a DNA sample (buccal swab). Neither applied for bail when they appeared at the Burwood Local Court the following day. If they had, police would have opposed bail on the grounds of the two being a flight risk.

FOLLOW-UP INQUIRIES

As is often the case with investigations, the evidence and information gathered at the ‘resolution phase’ at Rhodes prompted numerous additional inquiries. The workload was such that, as per AFP guidelines, an operational name was assigned to the case. The name ‘Helsing’ was chosen as a nod to Romania’s Transylvania region and the story of Count Dracula.⁴

One mystery was solved the following week when the Czech Consul General in Sydney formally confirmed the Cestmir Bozdech passport had been stolen from its owner in 2022.

Inquiries also established the Italian and Romanian licences found in Badaric’s possession were forgeries. Additionally, it was confirmed Badaric had used the false passport to open a total of six bank accounts in Australia – two with the NAB and one each with ANZ, HSBC, St George and Westpac.

A priority line of inquiry for JPC3 was establishing Vintila’s bona fides and the details of her activities in Australia, beyond hiring the Kia Sportage the day before her arrest. Over subsequent days a picture emerged that she had arrived in Sydney on a flight from London via Dubai on 17 June 2023. She was issued a temporary transit visa to enable a short stopover before flying on to New Zealand. The self-declared hairdresser decided to remain in Australia.

On 4 July she was in Brisbane and used the alias of Isbela Vimila to collect a package posted from the UK, whose contents were labelled as a car MP5 player. After receiving the package Vintila travelled to Sydney.

MELBOURNE CRIME SPREE

Less than a week after arriving in Sydney, on 11 July 2023, Vintila, Badaric and third person travelled by train to Melbourne.⁵ Post-arrest inquiries established that the journey coincided with the dispatch of two consignments from the UK to different Melbourne locations.

Analysis of SMS text records of a SIM card used in Vintila’s phone indicated she was a knowing participant in redirecting the consignments immediately prior to their delivery. The first of the packages to arrive – labelled as a car MP5 player – was collected by Vintila using the alias ‘Cemir Bode’, from a Port Melbourne DHL service centre locker on 16 July. The second consignment, addressed to ‘Isbela Vimila’, was collected by Vintila from a shop near the Flemington Racecourse on 26 July.

Meanwhile, starting 15 July, Vintila and Badaric embarked on a two-week crime spree. They inserted or attempted to insert shimmers into ATMs belonging to ANZ, Bendigo Bank, HBSC and NAB, in Melbourne’s CBD and in South Yarra, Malvern, Elwood, Werribee and Point Cook. They had several ‘wins’, obtaining approximately $36,000 using captured data, including almost $13,000 from a single account. The pair kept just under half the cash they had collected, the rest was deposited into their accounts, with most of those funds then transferred offshore.

The two also had ‘losses’ in that most of the shimmers were quickly detected by bank staff when the devices caused some ATMs to malfunction, or when observant staff members noticed a shimmer inside the ATM’s card slot. Unfortunately, in the case of the Elwood ATM, Victoria Police destroyed the retrieved shimmer just prior to it being linked to this syndicate.

CCTV footage retrieved from the ATM sites showed Badaric and Vintila loitering near and using the machines at the times the tampering occurred. In some cases the imagery showed them struggling to insert the shimmers, in others they were using data retrieval devices on the inserted shimmers, withdrawing cash from compromised accounts, or were using the ATMs to deposit their illegally gotten gains. In many instances the pair wore distinctive clothing that police later seized in the car at Rhodes. The clothing, the CCTV footage and other evidence from Melbourne (including using a credit card in the name of Bozdech used to hire a vehicle), helped build what proved to be a comprehensive brief of evidence.

GUILTY PLEAS

Faced with the preponderance of evidence against them, both Badaric and Vintila pleaded guilty to Commonwealth charges when they appeared in the Campbelltown District Court on 1 May 2024.

Five of the seven charges against Badaric related to the Criminal Code Act 1995 – possessing identification with intent to commit fraud, dealing with more than $10,000 believed to be proceeds of crime, possessing a thing used to obtain financial information, dishonestly dealing in personal financial information and attempting to dishonestly obtain personal financial information. 

The two additional offences were providing false foreign travel documents with an intent for them to be used or acted upon (Foreign Passports Act 2005) and giving false information to specified entities, contrary to the Anti-Money Laundering and Counter Terrorism Financing Act 2006.

Badaric was sentenced to four years and two months’ imprisonment, with a non-parole period of two years and six months. In July 2025 he appealed the sentence to the NSW Court of Criminal Appeal. The following month the court ruled the sentencing judge erred on a technical point and reduced the aggregate total sentence to four years’ imprisonment with the same non-parole period. Badaric becomes eligible for parole in February 2026.

Vintila’s four Criminal Code Act 1995 charges were possessing a thing to obtain financial information, dealing with more than $10,000 believed to be proceeds of crime, dishonestly dealing in personal financial information and attempting to dishonestly obtain personal financial information. She was sentenced to two years and six months’ imprisonment, with a non-parole period of 18 months. Vintila was released from prison into immigration detention on 3 February 2025 and was deported four weeks later, on 5 March. Badaric will similarly be deported when he is released.

Of interest, in July 2024 both offenders sought the return of their mobile phones, arguing the devices contained essential personal information. Both had consistently refused to provide their phone PINs to police. Investigators remained concerned about the stored data containing potential evidentiary material, especially victim details. The AFP advised the lawyer representing both offenders that it would not return the phones unless PINs were provided, or the phones were reset to factory settings. Through their lawyer, the pair agreed for the phones to be reset. This was done in late 2024.

LEGAL LOOPHOLE

Although there is no lawful reason to possess or use a skimmer/shimmer device, investigators discovered during this case that the items are not prohibited from being imported into Australia. An AFP request to amend the Commonwealth Customs (Prohibited Imports) Regulations 1956 to classify the items as prohibited imports, and to explicitly prohibit the possession and use of an ATM card skimmer under the Criminal Code Act 1995, was lodged with the Commonwealth Attorney-General’s Department in 2024. It is hoped the necessary legislative amendments will be made soon.

REFLECTIONS

Detective Sergeant Kris Wilson was the Team Leader for Operation Helsing said this was an early investigation for JPC3 and “…emphasised the critical value of having representatives from multiple agencies in the unit”. He explained that it was the partnership with the United States Secret Service which was instrumental in alerting the AFP to the activities of an organised syndicate operating along the eastern seaboard.

“From that we were able to work with domestic partners, both government and private sector, to build an understanding of the scope and capabilities of the syndicate.

“The lack of cooperation from the two offenders was disappointing, especially in relation to not providing the PINs for their phones. It would have likely helped us to establish the identify of all their victims, but it wasn’t to be. Both offenders appeared to lack any remorse for their actions,” Detective Wilson said.

The operation’s case officer, Constable Gary Poon said it was an interesting investigation which moved very rapidly around the time of apprehending the offenders. “Our intelligence had suggested Badaric would be driving a Mitsubishi Outlander so we were very surprised to see the Kia Sportage. A lesson I took was we should have also obtained a person warrant which, under Commonwealth law, would have allowed us to search the Kia as well. The use of emergency search powers by NSW police in this case highlights the effectiveness of joint teams in tackling cyber related offences.”

ABOUT THE AUTHOR

Jason Byrnes APM has been a member of the Australian Federal Police since 1991 and has been involved with the APJ since 2001. He has authored two books, edited a third, and is also the host of Policing Australia: The Official Podcast of the Australian Police Journal. He wrote this article with the assistance of Australian Federal Police members Gary Poon and Kris Wilson.

FOOTNOTES

1. The Secret Service’s mission includes investigating crimes against the U.S. financial system. ↩︎
2. A small electronic device which connects microphones and musical instruments to a computer, for the purpose of recording sound inputs. ↩︎
3. Both were sufficiently proficient in English to avoid the need for interpreters. ↩︎
4. In Bram Stoker’s Dracula, Abraham Van Helsing was the vampire’s arch nemesis. ↩︎
5. The associate was another Romanian national who had overstayed his visa. In late July he flew out of the country from Adelaide. ↩︎