They didn’t use guns, masks or even threatening notes passed to bank tellers.
But an alleged international gang of cyberthieves managed to steal $45 million from thousands of ATMs in carefully coordinated attacks conducted in a matter of hours, federal authorities charged Thursday.
The US Justice Department accused eight men of allegedly forming the New York-based cell of the organisation, and said seven of them have been arrested. The eighth, allegedly a leader of the cell, was reported to have been murdered in the Dominican Republic on April 27.
Federal prosecutors said the cyber-theft was as intricate as a movie plot.
“This scheme was organized for months and planned down to the minute, reminiscent of the casino heist in ‘Ocean’s Eleven,'” said Loretta Lynch, U.S. attorney for the Eastern District of New York.
Here’s how it worked: Hackers broke into the networks of companies responsible for processing prepaid debit cards issued by banks.
They raised the cards’ available balances, eliminated their withdrawal limits, and forwarded the account numbers and access codes to “cashing crews,” who transferred the data onto empty magnetic stripe cards. Those cards were then used to withdraw money from ATMs all over the world at a coordinated time.
“In the place of guns and masks, this cybercrime organization used laptops and the Internet,” US Attorney for the Eastern District of New York Loretta Lynch said at a news conference.
“Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City.”
The network used fake cards to target banks in the United Arab Emirates and Oman, court documents said.
Prosecutors said law enforcement agencies in Japan, Canada, the UK, Romania and 12 other countries were involved in the investigation.
Arrests had been made in other countries, they said, although details were not released, says BBC News.
According to the indictment, the alleged gang carried out two lucrative unlimited operations between October 2012 and last month.
In the initial attack, hackers working with the gang on Dec. 22 allegedly targeted a credit card processor that handled prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah, a bank also known as Rakbank.
After penetrating the processor’s computer network, the hackers fraudulently manipulated the balances and withdrawal limits on Rakbank prepaid debit card accounts. As a result they managed to get more than $5 million from more than 4,500 ATMs in about 20 countries, reports the USA Today.
During the February robbery, the New Yorkers alone stole $2.4 million — the second-largest cash heist in the city’s history.
After securing 12 account numbers for cards issued by the Bank of Muscat in Oman and raising the withdrawal limits, the cashing crews were set in motion. Starting at 3 p.m., the crews made 36,000 transactions and withdrew about $40 million from machines in the various countries in about 10 hours, says the NY Times.
The New York crew’s leader, 23-year-old Alberto Lajud-Pena, was found dead with a suitcase carrying $100,000 in the Dominican Republic last month.
Arrests of his accomplices — 23-year-old Jael Mejia Collado, 22-year-old Joan Luis Minier Lara, 35-year-old Evan Jose Pena, 24-year-old Elvis Rafael Rodriguez, 24-year-old Emir Yasser Yeje, and 22-year-old Chung Yu-Holguin — began in March. They’ve been charged with conspiracy and money-laundering.
Each of the seven living indicted suspects faces a maximum of 10 years in prison on each of the money laundering counts and 71/2 years for conspiracy raps.
The case demonstrates the major threat that cybercrime poses to banks around the world. It also shows how increasingly international and sophisticated criminal gangs have become, particularly those using the Internet.
The New York City theft ranked behind the theft of $5 million from John F. Kennedy International Airport after the money had arrived on a Lufthansa flight in 1978.