The cyber attack on the Atlanta-based subsidiary of the Royal Bank of Scotland (RBS) began Nov. 4, 2008, even as Americans went to the polls to elect a new president. While Mr. Obama's supporters were savoring political victory, Sergei Tsurikov and alleged members of his hacker gang in Eastern Europe were nearing their own celebration: Having cracked the encryption protecting the prepaid payroll cards of the bank's RBS WorldPay unit, the cyber criminals were allegedly orchestrating a lightning-strike theft.
After providing 44 fake payroll debit cards and stolen PIN numbers to a platoon of "cashers," Mr. Tsurikov and his partners watched on computer screens as the cashers withdrew $9.4 million from 2,100 ATMs in at least 280 cities around the world – all in less than four days, according to a federal indictment.
Until recently, the cyber thieves behind sophisticated thefts like the one at RBS had little to fear. Because the suspects often operated from distant nations and across jurisdictional boundaries, law enforcement authorities in the US and elsewhere found it difficult to catch them, much less get them to court.
Now come small yet substantial signs that the good guys may be gaining a bit of ground in the cyber fight. The Federal Bureau of Investigation (FBI), US Secret Service, and others cheered last week as Tsurikov was extradited from Estonia to Atlanta, where he now sits in a federal cell awaiting trial. On Friday he pleaded "not guilty" to federal charges concerning his alleged role in the RBS WorldPay cyber heist.
After years of struggle, US law enforcement officials and private cyber security firms say they have made some strides despite a massive and growing cyber theft problem.
"In just one day, an American credit-card processor was hacked in perhaps the most sophisticated and organized computer fraud attack ever conducted," United States Attorney Sally Quillian Yates said in a statement about the RBS WorldPay case. "With cooperation from law enforcement partners around the world, and most particularly in Estonia, we have now extradited to Atlanta one of the leaders of this ring."
That victory comes on the heels of another major FBI victory. In partnership with Spanish and Slovenian police, the FBI last month hailed the arrest in Spain of three suspected operators of the Mariposa botnet, a collection of infected computers used to steal passwords, credit-card data, and bank account information worldwide.
"We've had some recent successes, and those have been achieved as a direct result of our association with our foreign partners," says David Wallace, acting section chief of the cyber crime section of the FBI's cyber division in a phone interview. "The last several years have seen more arrests, convictions, and dismantling of these operations. Our success is growing. Obviously, the problem is growing as well."
One sign of success, he says, is the capture of the suspected creators of the software involved in the Mariposa botnet case. Authorities nailed the botnet's purported creator, a 23-year-old Slovenian known as "Iserdo." [Editor's note: The original version of this paragraph mistakenly cited the RBS case as a significant example in which software creators were captured. The FBI official referred only to the Mariposa case.]
In most cases, the suspects go to trial overseas – in Spain and Slovenia in the Mariposa botnet case, for instance. That's fine with the FBI's Mr. Wallace.
"We are very much in agreement with our partners that it's more important to hold them accountable for their actions no matter where it is," he says. "It's not always necessary to extradite them to the US."
That new flexibility comes after some early failures trying to extradite suspects by using complex multilateral partnerships to lasso cyber criminals, security experts say. Now, however, the FBI's pursuit of close bilateral ties is starting to pay off. The FBI now has embassy operations in 61 nations, up from about 40 a decade ago. In four cases – the Netherlands, Slovenia, Romania, and Estonia – the bureau has specially trained agents working closely with local authorities.
"I sat down four years ago with authorities on this side of the world, but it was impossible to get much done," says Chris Roberts, a Briton who is now managing partner of OneWorld Labs in Golden, Colo., a cyber security firm. "Our hands were tied."
That's changed, he says. US authorities are now more zealous about following up on initial investigative work by private firms like his – as well as sharing information about cyber threats with investigators abroad.
"You've got to give credit to the FBI and Secret Service, because those guys are helping educate people about the threat," Mr. Roberts says. "When someone gets hit over here, and we find the signs pointing back to this or that group overseas, they follow up."
Shifts in tactics have helped government investigators, too, says Don Jackson, a forensic cyber expert with SecureWorks, an Atlanta-based computer security firm. The FBI, he says, has begun "carefully privatizing some aspects of the investigation." It has also moved to mirror its cyber adversaries.
"They used to collect cyber cases and assign them to a field office," he says. "Now they seem to be moving toward assigning them to a virtual field office. That's the way cyber crime is moving. It's not Russian or Estonian, it's an international conference of cyber hackers."
Hard numbers corroborating US authorities' assertion that they are making gains are tough to come by. Arrests in cases of cyber intrusion are up 300 percent in the past decade, an FBI spokesman says. However, criminal attacks soared over the same period, from 231,493 complaints and $183 million reported stolen then to 335,655 complaints and $560 million lost now.
In the RBS WorldPay scam, the indictment alleges that Oleg Covelin, residing in Moldova, discovered a vulnerability, or "bug," in the RBS WorldPay network. He then disclosed it to Tsurikov in Estonia, who reverse-engineered the encryption to recover the PINs for the cards. Viktor Pleshchuk, a Russian national who is alleged to be a key player in the plot, entered the bank's network and manipulated data, including raising the withdrawal limits on the prepaid payroll cards. Mr. Pleshchuk and Mr. Covelin are in the custody of Russia's FSB security police, according to the Baltic Times. The disposition of a fourth conspirator, dubbed "Hacker 3," is not publicly known.
Tsurikov and any others who get extradited to the US each face 16 counts: conspiracy to commit wire fraud, wire fraud, computer fraud, and aggravated identity theft. They are looking at fines of up to $3.5 million plus recovery of the $9.4 million. Each wire fraud count could result in as many as 20 years in prison.
To security experts, however, such victories only hint at the greater problem.
"My optimistic side says it's great that they've got more cooperation going, and that they managed to get some of these people who stole $9 million is really nice," says Roberts, the Colorado security expert. "My pessimistic side says, 'Yeah, but what about the other $5 billion that was stolen?'"