It is being called one of the most sophisticated cyberattacks on bank machines ever conducted, allowing a ring of hackers to withdraw $45-million (U.S.) from automated tellers around the world – including Canada – before they were caught.
The massive operation came to light on Thursday when federal prosecutors in Brooklyn, N.Y., indicted eight men believed to be at the core of the operation, charging them with a slew of crimes, including money laundering and conspiracy to commit access-device fraud.
The attack was executed with speed, precision and scale and the network needed only a few hours at hundreds of bank machines to drain millions of dollars from prepaid debit cards administered by banks in the United Arab Emirates and Oman, targeted as vulnerable soft spots in the international banking system. Prosecutors in New York, where many of the withdrawals took place, called the ring a "massive 21st-century bank heist that reached across the Internet and stretched around the globe."
"In the place of guns and masks, this cybercrime organization used laptops and the Internet," Loretta Lynch, United States Attorney for the Eastern District of New York, stated in the indictment unsealed Thursday afternoon. "Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of ATMs in a matter of hours."
Some withdrawals appear to have been made in Canada, but it is unclear which bank machines and cities were targeted. The Canadian Bankers Association said it was not immediately aware of the charges when they were issued.
The hacking operation ran between October, 2012, and April, 2013, and used attacks known as "unlimited operations" because of their potential for endless proceeds.
The group allegedly hacked into prepaid debit-card networks, boosted balances, then successfully erased daily withdrawal limits, giving them the ability to drain money from the accounts. The account numbers for the hacked debit cards were then distributed to accomplices, dubbed "cashiers," in 26 countries, including Canada. The cashiers then allegedly encoded the stolen data onto new cards, complete with new personal identification numbers, and withdrew the funds through hundreds of ATMs. Prepaid debit card accounts typically have finite amounts in them, the hackers were able to withdraw amounts far beyond what the accounts held by falsely inflating the balances and then making the withdrawals, until the operation was shut down.
The first heist took place on Dec. 22, 2012, when hackers targeted a credit-card processor that handled transactions for prepaid MasterCard debit cards issued by National Bank of Ras Al-Khaimah PSC, a bank in the United Arab Emirates. The cashiers went to work in a co-ordinated effort, executing more than 4,500 transactions at ATMs in 20 countries using the compromised data, resulting in more than $5-million of losses to the UAE bank and to the credit-card processor. In less than 2 1/2hours, 750 withdrawals totalling $400,000 were made from 140 different ATM locations in New York City alone.
The second heist took place on Feb. 19 and 20 this year, targeting the network of a credit-card processor handling MasterCard prepaid debit cards for the Oman-based Bank of Muscat. That attack, lasting more than 10 hours, landed the cashiers $40-million, withdrawn through 36,000 transactions at ATMs in 24 countries. Of that total, $2.4-million was withdrawn in New York, prosecutors said.
Of the eight men charged, seven between the ages of 22 and 35 have been arrested. The eighth suspect, 23-year-old Alberto Yusi Lajud-Peña, is believed to have been killed in the Dominican Republic after fleeing the United States. Mr. Lajud-Peña is believed to have been the ringleader of the operation.
The men had attempted to launder much of their proceeds, including $150,000 worth of $20 bills deposited at a bank branch in Miami. The ring also bought luxury goods in an attempt to launder the stolen money, including purchasing expensive watches and cars, such as a Mercedes SUV and a Porsche bought with $250,000 in cash.
Ms. Lynch thanked authorities in Canada, Japan, Romania and Germany for "extensive assistance" in the investigation, which included the U.S. Secret Service. Authorities from the United Arab Emirates, Dominican Republic, Mexico and a host of other countries were also involved. If convicted, the defendants face up to 10 years in prison on the money-laundering charges, and up to 7 1/2 years for each count of access-device fraud.