How do you get $45 million from ATMs? Cyberthieves did it in 12 hours.

Most of a New York City 'casher' crew is under arrest, suspected of stealing $2.8 million from ATMs as part of a global cyberscheme that netted $45 million from tampered debit card accounts.

Gene J. Puskar/AP
A person inserts a debit card into an ATM machine in Pittsburgh, in January. A gang of cyber-criminals stole $45 million in a matter of hours by hacking their way into a database of prepaid debit cards and then draining cash machines around the globe, federal prosecutors said Thursday.

In two digital bank heists that took a total of just 12 hours to pull off, cyberthieves working with “casher” crews around the world were able to withdraw $45 million dollars in cash from ATM machines in 26 countries.

The new-era cyberheists were plotted over months by hacker masterminds who stealthily infiltrated the computer networks of two credit card processors responsible for pre-paid debit card transactions – one in India and one in the United States, according to a federal indictment unsealed late Thursday by authorities in New York.

The document details a scheme in which the hackers – who were not named in the document – first gained internal access to a critical banking computer system. Then, they raised the balances and maximum withdrawal amounts on a handful of debit card accounts they controlled in what the indictment terms an “unlimited operation.” Those account numbers and access data were then transmitted to accomplices worldwide ready to use them at ATM machines, the indictment said.

The “cashers” took the data that was sent to them and then encoded it onto the magnetic stripes of gift cards. With the faked cards, the cashers made more than 40,000 withdrawals averaging more than $1,100 each.

Among the casher teams was a single team of eight New York City men, alleged to have withdrawn $400,000 in the first attack in 750 fraudulent transactions at 140 ATM machines in New York.

That Dec. 22, 2012 attack took just two hours and 25 minutes. But it was only the warm-up to a much larger global attack on Feb. 20, where the same New York casher group scooped up another $2.4 million from 3,000 ATM machines. That attack lasted from 3 p.m. on Feb. 19 to 1:26 a.m. the next morning, according to the indictment.

Seven of the eight New York men are under arrest. But the eighth member and purported leader of the gang – Alberto Yusi Lajud-Peña, also known as “Prime” and “Albertico” – was murdered in the Dominican Republic late last month, not long after fleeing the country, according to authorities who announced the arrests Thursday.

“The defendants and their co-conspirators participated in a massive 21st century bank heist that reached across the Internet and stretched around the globe,” said Loretta Lynch, United States attorney for the Eastern District of New York, in a statement. “In the place of guns and masks, this cybercrime organization used laptops and the Internet.”

Indeed, the New York City casher crew was just a cog in a much larger ATM machine scam. In the first global attack in December, a total of $5 million was taken in 4,500 ATM transactions in 20 countries in under three hours. In the far bigger attack in February, $40 million was taken in 36,000 ATM transactions across 24 counties in less than 11 hours.

In the first attack in December, hackers gained access to the network of a credit card processor in India that processed transactions for prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, also known as RAKBANK, in the United Arab Emirates, the indictment says.

In that attack, five RAKBANK accounts were hacked and their withdrawal limits lifted. In the second attack, a US-based processor was infiltrated along with the accounts of 12 MasterCard prepaid debit cards, this time issued by the Bank of Muscat, located in Oman.

During both operations, the hackers maintained access to the computer networks of the credit card processors to keep a close eye on the fraudulent ATM transactions as they were happening – and to tally the totals so they could be sure how much was taken – and compare that with how much they received back from the cashers.

After the attack, the casher crews began laundering the money. In one transaction, nearly $150,000 in the form of 7,491 $20 bills, was deposited in a Miami bank account controlled by Mr. Lajud-Peña. Members of that group also used the cash to buy expensive watches and cars, including Rolex watches, a Mercedes SUV, and Porsche Panamera. The Mercedes and Porsche were purchased with $250,000 from the scam.

The ATM heists appear to be part of a countertrend among cyberthieves, who generally have moved toward smaller financial cyberscams and away from bigger more dramatic efforts that attract police attention, cybersecurity experts say.

"Pulling off a huge heist might achieve fame and fortune, but it also attracts a lot of unwanted attention,” concluded the 2012 Data Breach Investigations Report, an industry study by Verizon.

That appears to be true in this most recent case. If convicted, the seven defendants face a maximum sentence of 10 years’ imprisonment on each of the money laundering charges and 7.5 years on conspiracy to commit access device fraud as well as $250,000 in fines.

Although the indictment says nothing about the masterminds behind the ATM heists, officials say the cyberthefts are still under investigation.

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to