There's some evidence that the first attack was used in the wild, but the banks deleted the logs showing whether a PINless transaction took place so the customers were found liable for the charges.