In Hours, Thieves Took $45 Million in A.T.M. Scheme
It was a brazen bank heist, but a 21st-century version in which the
criminals never wore ski masks, threatened a teller or set foot in a
vault.
In two precision operations that involved people in more than two dozen
countries acting in close coordination and with surgical precision,
thieves stole $45 million from thousands of A.T.M.’s in a matter of
hours.
In New York City alone, the thieves responsible for A.T.M. withdrawals
struck 2,904 machines over 10 hours starting on Feb. 19, withdrawing
$2.4 million.
The operation included sophisticated computer experts operating in the
shadowy world of Internet hacking, manipulating financial information
with the stroke of a few keys, as well as common street criminals, who
used that information to loot the automated teller machines.
The first to be caught was a street crew operating in New York, their
pictures captured as, prosecutors said, they traveled the city
withdrawing money and stuffing backpacks with cash.
On Thursday, federal prosecutors in Brooklyn unsealed an indictment
charging eight men — including their suspected ringleader, who was found
dead in the Dominican Republic last month. The indictment and criminal
complaints in the case offer a glimpse into what the authorities said
was one of the most sophisticated and effective cybercrime attacks ever
uncovered.
It was, prosecutors said, one of the largest heists in New York City
history, rivaling the 1978 Lufthansa robbery, which inspired the movie
“Goodfellas.”
Beyond the sheer amount of money involved, law enforcement officials
said, the thefts underscored the vulnerability of financial institutions
around the world to clever criminals working to stay a step ahead of
the latest technologies designed to thwart them.
“In the place of guns and masks, this cybercrime organization used
laptops and the Internet,” said Loretta E. Lynch, the United States
attorney in Brooklyn. “Moving as swiftly as data over the Internet, the
organization worked its way from the computer systems of international
corporations to the streets of New York City, with the defendants
fanning out across Manhattan to steal millions of dollars from hundreds
of A.T.M.’s in a matter of hours.”
The indictment outlined how the criminals were able to steal data from
banks, relay that information to a far-flung network of so-called
cashing crews, and then have the stolen money laundered in purchases of
luxury items like Rolex watches and expensive cars.
In the first operation, hackers infiltrated the system of an unnamed
Indian credit-card processing company that handles Visa and MasterCard
prepaid debit cards. Such companies are attractive to cybercriminals
because they are considered less secure than financial institutions,
computer security experts say.
The hackers, who are not named in the indictment, then raised the
withdrawal limits on prepaid MasterCard debit accounts issued by the
National Bank of Ras Al-Khaimah, also known as RakBank, which is in
United Arab Emirates.
Once the withdrawal limits have been eliminated, “even a few compromised
bank account numbers can result in tremendous financial loss to the
victim financial institution,” the indictment states. And by using
prepaid cards, the thieves were able to take money without draining the
bank accounts of individuals, which might have set off alarms more
quickly.
With five account numbers in hand, the hackers distributed the
information to individuals in 20 countries who then encoded the
information on magnetic-stripe cards. On Dec. 21, the cashing crews made
4,500 A.T.M. transactions worldwide, stealing $5 million, according to
the indictment.
While the street crews were taking money out of bank machines, the
computer experts were watching the financial transactions from afar,
ensuring that they would not be shortchanged on their cut, according to
court documents.
Comments
Post a Comment