In a plot straight out of a Hollywood movie script, a pair of computer hackers based in Eastern Europe allegedly masterminded an elaborate rip off that involved 2,100 bank machines in 280 cities, including some in Canada.
The scam was so organized, U.S. officials allege, that the pair assembled a network of paid helpers who withdrew nearly $10-million (U.S.) in less than 12 hours last November from bank machines around the world.
"This investigation has broken the back of one of the most sophisticated computer hacking rings in the world," said Sally Quillian Yates, acting U.S. Attorney for northern Georgia. She added that the case involved police agencies in the Netherlands, Estonia and Hong Kong. So far, seven people have been arrested or charged, and authorities are still trying to find at least one more person.
Details of the plot emerged in court filings unsealed yesterday in Atlanta, the epicentre of the alleged scam. According to allegations in those filings, the hacking was led by Sergei Tsurikov, 25, of Tallinn, Estonia, and Viktor Pleshchuk, 28, of St. Petersburg, Russia. The pair allegedly managed to find a way to hack into the computer system of the U.S. branch of RBS WorldPay, a division of Royal Bank of Scotland Group PLC.
Based in Atlanta, the RBS WorldPay office managed payroll operations for dozens of banks and companies across the United States. RBS WorldPay specialized in prepaid payroll cards, with which employers pay employees by loading money onto a type of debit card. The cards can then be used immediately at banks or stores, to make payments or withdraw funds.
Prosecutors alleged that in early November, 2008, Mr. Tsurikov and Mr. Pleshchuk found a flaw in the RBS WorldPay computer system that allowed them to obtain card numbers and PIN codes. They allegedly tapped into the system and created 44 prepaid payroll cards with inflated limits and usable PIN codes.
Together with others, the men allegedly distributed the cards to a network of "cashers." On Nov. 8, 2008, the two men notified the cashers to start withdrawing money from bank machines. Within hours, the group hit bank machines in the United States, Canada, Russia, Estonia, Italy, Hong Kong, Japan and Ukraine and withdrew nearly $10-million, according to court documents. The cashers kept about half what they withdrew and forwarded the rest to the men.
Prosecutors alleged Mr. Tsurikov and Mr. Pleshchuk followed the withdrawals by accessing the RBS WorldPay computer system and tracking each transaction. They then allegedly manipulated computer files to cover their tracks.
RBS WorldPay did not disclose the breach publicly for more than a month.
Police in Estonia have arrested Mr. Tsurikov and three others. Mr. Pleshchuk is at large.
Royal Bank of Scotland is selling RBS WorldPay to meet antitrust concerns raised by European Union authorities. RBS WorldPay operates in more than 40 countries and processes about 4.4 billion transactions a year.Report Typo/Error