Cybercrime History, Case Study

The ATM Boy
Dan Saunders & The AU$1.6M NAB Glitch

By Thomas Shelby | 09.05.2026 | Category: Geelong, Australia, 2011
[Cover image: The ATM Boy, the Dan Saunders NAB glitch story]
01

If The Money Never Stopped Coming

Imagine for a second that your bank account is bottomless. Tap the card, money comes out. Tap again, money comes out. Sports car? Done. Tropical holiday with everyone you know? Booked. Penthouse weekend in Sydney? Why not. No alarms, no calls from the bank, no consequences. Honestly, even sitting here typing it, I'm getting a little goosebumpy. There's a reason every kid daydreams about this exact scenario.

This is the part of security work most people never see. We patch vulnerabilities every single day. Bugs get found, bugs get fixed, the bank's blue team logs another ticket. On the other side, APT crews and black hats are hunting for the same bugs to drain accounts and exfiltrate data. Both sides are professionals. Both sides have budgets.

But what happens when the bug is found by neither? What happens when the zero day in the banking system gets discovered, by accident, at 1am on a Friday, by a drunk Australian bartender on his way home? Do you tell the bank, or do you keep tapping?

In 2011, a 29 year old in Wallan, Victoria called Dan Saunders answered that question with one of the wildest few months any bank has ever had to explain. By the time he was done he had spent roughly AU$1.6 million of money that didn't really exist. Then he went on national television and confessed. This is that story.

02

A Bartender, A Long Shift, And A Tipsy Walk Home

Dan Saunders worked behind a bar. Long shifts, late finishes, the usual. By his own account on national TV later, he'd had a few drinks himself when he stopped at a National Australia Bank (NAB) ATM in the small hours one night in early 2011. He wanted to move some cash from his savings into his credit card account, the way most of us occasionally do.

He punched in an amount, hit confirm, and the ATM happily processed it. The receipt looked normal. He went home and slept it off.

The next morning he checked his accounts and noticed something strange. The credit card had received the money, but his savings had not actually been debited. He shrugged it off as a banking delay. Then later that night, on the way home from another shift, he walked past the same ATM and tried it again, just to see. Same machine, same hour, same result. Money appeared in his credit account. Savings stayed flat. He did the maths. He had a working glitch.

03

The 1AM to 3AM Window: How The Bug Actually Worked

[Image: NAB ATM at night with an offline server diagram overlay]

The technical reason was almost embarrassing. NAB's core banking systems went into a maintenance window roughly between 1am and 3am. During those two hours, ATMs across the country temporarily lost their live connection to the central authorisation server. To avoid leaving customers stranded, the machines fell back into an offline stand-in authorisation mode. They could still accept some types of transactions, log them locally, and reconcile with the core when the central system came back online.

The bug was in the reconciliation. When Dan moved money from his savings to his credit card during the offline window, the credit card got the credit straight away on the local node. The savings side, however, was supposed to be debited later when the systems came back online. For some classes of transaction, that debit never properly applied. The transaction went through one half of the books and quietly disappeared from the other half.

In Pentest Terms

Strictly speaking this is a stand-in authorisation failure rather than a race condition: nobody had to win a timing contest, the ATM simply trusted itself instead of waiting for the server. Reconciliation was treated as a background job rather than a hard, atomic constraint, so every single night there was a window in which the savings leg of an internal transfer could be skipped without an alarm. From a security architecture standpoint it is a textbook violation of "do not authorise what you cannot atomically settle": if the terminal cannot post both legs, it should decline, not credit one leg and hope the other catches up.

The really uncomfortable part is that nothing on the bank's side caught it for the months he was using it. NAB's fraud team had triggers for credit cards being used overseas, for unusual ATM withdrawals, for new merchant patterns. But a customer slowly building up phantom balance through internal transfers during a known maintenance window? That ran straight under the radar.
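To make the failure mode concrete, here is a small added simulation. It is my own example, not NAB's code and not anything described in the 60 Minutes account: a two-account ledger, a stand-in transfer that posts the credit leg immediately and defers the debit leg, a reconciliation job that silently skips one class of deferred leg, and beside it an atomic transfer plus a reconciliation check that fails loudly. The account names, the amounts, the transaction class that gets dropped and the three-night loop are all constructed assumptions for illustration.

```python
"""Toy model of the 1am-3am stand-in window described above.

Constructed example: account names, amounts, the transaction class that the
background reconciliation drops, and the three-night loop are assumptions
made for illustration, not details from the NAB case."""
from dataclasses import dataclass, field


@dataclass
class Transfer:
    txid: int
    src: str
    dst: str
    amount: int       # cents
    kind: str         # e.g. "internal_transfer"
    offline: bool     # authorised by the ATM while the core was in maintenance


@dataclass
class Bank:
    balances: dict                                 # account -> cents
    journal: list = field(default_factory=list)    # (txid, account, delta)
    deferred: list = field(default_factory=list)   # debit legs waiting for the core

    def transfer_buggy(self, t: Transfer) -> None:
        """The failure mode: online, both legs post together; offline, the ATM
        credits the destination now and queues the debit for 'later'."""
        self.balances[t.dst] += t.amount
        self.journal.append((t.txid, t.dst, +t.amount))
        if t.offline:
            self.deferred.append(t)          # one half of the books, not both
        else:
            self.balances[t.src] -= t.amount
            self.journal.append((t.txid, t.src, -t.amount))

    def reconcile_buggy(self) -> None:
        """Background job that quietly skips one class of deferred leg (assumed
        here to be internal transfers) and raises no alarm about it."""
        for t in self.deferred:
            if t.kind == "internal_transfer":
                continue
            self.balances[t.src] -= t.amount
            self.journal.append((t.txid, t.src, -t.amount))
        self.deferred.clear()

    def transfer_atomic(self, t: Transfer) -> None:
        """Both legs or neither, online or not. A stand-in terminal that cannot
        post both legs to its local journal should decline instead."""
        if self.balances[t.src] < t.amount:
            raise ValueError(f"txid {t.txid} declined: insufficient funds")
        self.balances[t.src] -= t.amount
        self.balances[t.dst] += t.amount
        self.journal.append((t.txid, t.src, -t.amount))
        self.journal.append((t.txid, t.dst, +t.amount))


def reconcile_check(bank: Bank, opening_total: int) -> list:
    """Reconciliation as a control, not a chore: every txid must net to zero,
    and an internal transfer never changes the total money in the system.
    Returns the alerts; an empty list means the books balance."""
    alerts = []
    net_by_tx = {}
    for txid, _account, delta in bank.journal:
        net_by_tx[txid] = net_by_tx.get(txid, 0) + delta
    for txid, net in sorted(net_by_tx.items()):
        if net != 0:
            alerts.append(f"txid {txid} does not balance: net {net:+d} cents")
    total = sum(bank.balances.values())
    if total != opening_total:
        alerts.append(f"phantom money: total {total} != opening {opening_total}")
    return alerts


def demo():
    """Three nights of offline transfers through the buggy path versus the
    atomic path. Returns (buggy_balances, buggy_alerts, safe_balances,
    safe_alerts, declined_count)."""
    opening = {"savings": 20_000, "credit_card": 0}      # $200 in savings
    opening_total = sum(opening.values())

    buggy = Bank(balances=dict(opening))
    for night in range(3):
        buggy.transfer_buggy(Transfer(night, "savings", "credit_card",
                                      20_000, "internal_transfer", offline=True))
    buggy.reconcile_buggy()
    buggy_alerts = reconcile_check(buggy, opening_total)

    safe = Bank(balances=dict(opening))
    declined = 0
    for night in range(3):
        try:
            safe.transfer_atomic(Transfer(night, "savings", "credit_card",
                                          20_000, "internal_transfer", offline=True))
        except ValueError:
            declined += 1                    # nights two and three: savings is empty
    safe_alerts = reconcile_check(safe, opening_total)
    return buggy.balances, buggy_alerts, safe.balances, safe_alerts, declined


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run it and the buggy ledger ends with AU$600 of credit against AU$200 of savings that was never debited, and `reconcile_check` raises four alerts (one per unbalanced transaction plus one for the phantom total). The atomic path credits the card once, declines the next two nights, and reconciles clean. The point is the shape of the control, not the toy amounts: a reconciliation that only nets the books overnight can lose a leg silently, whereas one that checks each transaction's legs against each other has nowhere for the missing debit to hide.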

04

Four Months Of Free Money

Dan didn't sit on it. Once he had confirmed the bug was real, he started hitting that 1am to 3am window almost every night. Move money, withdraw cash, pay it off, move more money, withdraw, repeat. He told a few close friends. Some of them benefited from the same parties, the same hotels, the same bar tabs.

Over roughly 4 months, he later admitted, he ran around AU$1.6 million through that ATM. Five star hotels. Helicopter rides. Private jets and limos. Strip clubs. Long benders in Sydney and Melbourne. By his own admission later, he was running on alcohol and very little sleep, with what he described as serious mental health issues underneath the whole thing.

He tried to stop more than once. He couldn't. The money was always there at 1am.

05

Confessing On National Television

[Image: Dan Saunders, 60 Minutes Australia interview style still]

The spree itself had ended within months, but by 2014 Dan was broke, broken, and reportedly suicidal. He approached 60 Minutes Australia and offered them the entire story on camera. The segment aired in June 2014. He described the glitch, the windows, the lifestyle, and the fall.

Here's the part that almost nobody believes the first time they hear it. NAB initially denied the whole thing. The bank publicly said it had no record of the alleged glitch and that its systems would never permit such a withdrawal pattern. Reputation matters more than truth in the first 48 hours of a banking PR crisis. Letting customers believe the ATMs were quietly handing out free money during maintenance windows was, understandably, not a story NAB wanted on the front page.

The denial held for about a week. Once Dan handed over receipts and statements to investigators, NAB quietly shifted from "this never happened" to "the issue was identified and fixed years ago". The Australian Federal Police opened a file. Charges followed.

06

Court, Sentence, And A Surprisingly Light Landing

Dan was charged with multiple counts of fraud and dishonestly obtaining a financial advantage. He pleaded guilty. The sentencing in 2017 took into account several things at once. The amount of money was real. The intent was real. But so was the bank's design failure, his cooperation, the public confession, and the documented mental health condition during the spree.

The final sentence ended up being roughly 12 months in prison followed by an 18 month community corrections order. For someone who had spent over a million and a half dollars of someone else's money, that is an unusually mild outcome. Most legal commentators credited the early plea, the public confession, and the bank's slow response.

On release, Dan moved into public speaking and a recovery focused life. The story stuck. By the early 2020s a feature film was in pre-production with the working title ATM Boy, retelling the story for the screen.

07

What This Story Actually Teaches Us

Strip the headline away and this is one of the most useful real world banking security stories I know of. A few things that I keep coming back to whenever I'm reviewing a payment system.

  • Offline modes are where banks bleed. Any time a financial system is allowed to authorise without a live link to the source of truth (stand-in processing, in payments jargon), you have an exposure window. Travel cards, ATMs, contactless payments, point of sale terminals. The pattern shows up everywhere.
  • Atomicity is not optional. An internal transfer is not done until both legs are settled. Treating one leg as immediate and the other leg as a "we'll catch it overnight" job is how you build a Dan Saunders sized hole in your books.
  • Reconciliation is a control, not a chore. NAB had reconciliation. It just didn't fail loudly enough when the numbers stopped matching. A control that doesn't alarm is decoration.
  • Insider threat doesn't have to be inside. Dan was a customer with a card. He never wrote a line of malware. He used the ordinary customer interface, doing ordinary operations in the ordinary order. That's what made the abuse so hard to spot.
  • Reputation risk slows investigation. NAB denying it publicly for a week is not a unique reaction. Most banks will. Plan for that human delay when you build incident response into your threat model.

And the part nobody asks out loud. If you, the reader, found this glitch tonight at your local ATM, would you really walk into the branch the next morning and report it? Most security professionals will say yes immediately. Most regular people will say "I'd take a small amount, then report it, only fair". Some, like Dan, would not stop until something stopped them. The same human curve shows up in every banking fraud case file going back decades. The only thing that has ever reliably stopped it is good engineering on the bank's side.

Important Footnote

Dan Saunders said in later interviews that the worst part wasn't the spending or the prison sentence. It was the realisation, sober, that nobody had ever loved him for him. They loved the cash. The lifestyle. The night out. When the ATM stopped paying, the friends stopped calling. That's a quieter, more brutal lesson than the technical one, and it's the part the movie will probably get right.

08

References & Further Reading

Sources I cross checked while writing this. Worth reading if you want the long form versions.