Other

FASTCash ATM Cashout Operations — DPRK Lazarus BeagleBoyz ($100M+, 30+ Banks)

📅 2016-01-01 🏢 IBM AIX payment switch servers; bank ATM networks 🦠 FASTCash implant (AIX trojan)

Incident Details

FASTCash was a multi-year North Korean state-sponsored campaign (2016–ongoing) targeting bank payment switch servers — the AIX-based systems that approve or decline ATM transactions. The Lazarus Group sub-unit known as ‘BeagleBoyz’ (also tracked as APT38) compromised banks primarily in Asia and Africa using spearphishing for initial access, then moved laterally to identify and implant the payment switch servers. The FASTCash implant intercepted ATM authorization requests for specific pre-loaded compromised card numbers and returned fraudulent approval responses, enabling unlimited ATM withdrawals even for accounts with zero balances. Mule networks executed simultaneous global ATM cashouts — one 2018 operation involved simultaneous withdrawals in 23 countries. US-CERT and Treasury attributed the campaign to DPRK’s Hidden Cobra (Lazarus) in an October 2018 advisory (AA18-275A). Affected institutions included banks in Taiwan, India, Sri Lanka, Maldives, Malawi, and others. Estimated total theft exceeded $100 million across all FASTCash operations. The campaign continued through at least 2020, when a follow-up US-CERT advisory documented updated TTPs. FASTCash was notably more sophisticated than SWIFT heists: by compromising the switch layer itself, attackers could conduct cashouts without leaving traces in SWIFT messaging systems.

Technical Details

Initial Attack Vector
Spearphishing of bank employees for initial access, followed by lateral movement to the payment switch application servers running IBM AIX. A custom AIX implant on the switch intercepted ATM transaction approval requests and returned fraudulent approvals for the attackers' pre-loaded card numbers, even when the underlying accounts had a zero balance. Pre-positioned mule networks then executed simultaneous global ATM withdrawals.
Vendor / Product
IBM AIX payment switch servers; bank ATM networks
Malware Family
FASTCash implant (AIX trojan)
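Added defender-side example, not code from the incident record or its sources: reconciling the switch's authorization log against the core banking ledger flags approvals the core never debited, which is exactly what a switch-level implant produces, and a second check flags one card approved across several countries inside a short window, the simultaneous-cashout pattern described above. The record layout, field names and sample values are constructed assumptions, not the real switch message format.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Auth:
    """One ATM authorization as logged by the payment switch (assumed layout)."""
    ts: datetime
    pan: str        # masked card number (constructed sample values below)
    amount: int     # minor currency units
    country: str    # country of the ATM terminal
    approved: bool  # True if the switch answered with an approval


def orphan_approvals(switch_log, core_debits):
    """Approvals the switch returned that the core banking ledger never debited.
    A FASTCash-style implant answers at the switch, so the core has no record;
    a legitimate approval always has a matching (pan, timestamp, amount) debit."""
    return [a for a in switch_log
            if a.approved and (a.pan, a.ts, a.amount) not in core_debits]


def cashout_bursts(switch_log, window=timedelta(hours=2), min_countries=3):
    """Cards approved in at least `min_countries` distinct countries inside
    `window`: the simultaneous multi-country cashout pattern."""
    by_pan = defaultdict(list)
    for a in switch_log:
        if a.approved:
            by_pan[a.pan].append(a)
    flagged = {}
    for pan, auths in by_pan.items():
        auths.sort(key=lambda a: a.ts)
        for i, first in enumerate(auths):
            countries = {x.country for x in auths[i:] if x.ts - first.ts <= window}
            if len(countries) >= min_countries:
                flagged[pan] = sorted(countries)
                break
    return flagged


# Constructed sample data: one legitimate card, one card the implant approves.
T0 = datetime(2018, 8, 11, 9, 0)
SWITCH_LOG = [
    Auth(T0, "411111******1111", 50_000, "IN", True),
    Auth(T0 + timedelta(minutes=5), "411111******1111", 20_000, "IN", False),
    Auth(T0 + timedelta(minutes=1), "520000******0007", 300_000, "TW", True),
    Auth(T0 + timedelta(minutes=3), "520000******0007", 300_000, "LK", True),
    Auth(T0 + timedelta(minutes=4), "520000******0007", 300_000, "MV", True),
]
# The core ledger only knows the legitimate debit: (pan, timestamp, amount).
CORE_DEBITS = {("411111******1111", T0, 50_000)}
```

Running `orphan_approvals(SWITCH_LOG, CORE_DEBITS)` returns the three approvals for the second card, and `cashout_bursts(SWITCH_LOG)` flags that same card for LK, MV and TW within a few minutes.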

Timeline

  1. 2016-01-01 Breach occurred
  2. 2018-10-02 Publicly disclosed