In two digital bank heists that took a total of just 12 hours to pull off, cyberthieves working with “casher” crews around the world were able to withdraw $45 million dollars in cash from ATM machines in 26 countries.
The new-era cyberheists were plotted over months by hacker masterminds who stealthily infiltrated the computer networks of two credit card processors responsible for pre-paid debit card transactions – one in India and one in the United States, according to a federal indictment unsealed late Thursday by authorities in New York.
The document details a scheme in which the hackers – who were not named in the document – first gained internal access to a critical banking computer system. Then, they raised the balances and maximum withdrawal amounts on a handful of debit card accounts they controlled in what the indictment terms an “unlimited operation.” Those account numbers and access data were then transmitted to accomplices worldwide ready to use them at ATM machines, the indictment said.
The “cashers” took the data that was sent to them and then encoded it onto the magnetic stripes of gift cards. With the faked cards, the cashers made more than 40,000 withdrawals averaging more than $1,100 each.
Among the casher teams was a single team of eight New York City men, alleged to have withdrawn $400,000 in the first attack in 750 fraudulent transactions at 140 ATM machines in New York.
That Dec. 22, 2012 attack took just two hours and 25 minutes. But it was only the warm-up to a much larger global attack on Feb. 20, where the same New York casher group scooped up another $2.4 million from 3,000 ATM machines. That attack lasted from 3 p.m. on Feb. 19 to 1:26 a.m. the next morning, according to the indictment.
Seven of the eight New York men are under arrest. But the eighth member and purported leader of the gang – Alberto Yusi Lajud-Peña, also known as “Prime” and “Albertico” – was murdered in the Dominican Republic late last month, not long after fleeing the country, according to authorities who announced the arrests Thursday.
“The defendants and their co-conspirators participated in a massive 21st century bank heist that reached across the Internet and stretched around the globe,” said Loretta Lynch, United States attorney for the Eastern District of New York, in a statement. “In the place of guns and masks, this cybercrime organization used laptops and the Internet.”
Indeed, the New York City casher crew was just a cog in a much larger ATM machine scam. In the first global attack in December, a total of $5 million was taken in 4,500 ATM transactions in 20 countries in under three hours. In the far bigger attack in February, $40 million was taken in 36,000 ATM transactions across 24 counties in less than 11 hours.
In the first attack in December, hackers gained access to the network of a credit card processor in India that processed transactions for prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, also known as RAKBANK, in the United Arab Emirates, the indictment says.
In that attack, five RAKBANK accounts were hacked and their withdrawal limits lifted. In the second attack, a US-based processor was infiltrated along with the accounts of 12 MasterCard prepaid debit cards, this time issued by the Bank of Muscat, located in Oman.
During both operations, the hackers maintained access to the computer networks of the credit card processors to keep a close eye on the fraudulent ATM transactions as they were happening – and to tally the totals so they could be sure how much was taken – and compare that with how much they received back from the cashers.
After the attack, the casher crews began laundering the money. In one transaction, nearly $150,000 in the form of 7,491 $20 bills, was deposited in a Miami bank account controlled by Mr. Lajud-Peña. Members of that group also used the cash to buy expensive watches and cars, including Rolex watches, a Mercedes SUV, and Porsche Panamera. The Mercedes and Porsche were purchased with $250,000 from the scam.
The ATM heists appear to be part of a countertrend among cyberthieves, who generally have moved toward smaller financial cyberscams and away from bigger more dramatic efforts that attract police attention, cybersecurity experts say.
"Pulling off a huge heist might achieve fame and fortune, but it also attracts a lot of unwanted attention,” concluded the 2012 Data Breach Investigations Report, an industry study by Verizon.
That appears to be true in this most recent case. If convicted, the seven defendants face a maximum sentence of 10 years’ imprisonment on each of the money laundering charges and 7.5 years on conspiracy to commit access device fraud as well as $250,000 in fines.
Although the indictment says nothing about the masterminds behind the ATM heists, officials say the cyberthefts are still under investigation.