It was one of the largest cyber-heists in human history.
As in many other cyber attacks, it started with breaching a secure network. This time the target was a US-based processor of prepaid cards issued by Bank of Oman. The attackers went in, took control of several accounts, raised the withdrawal limits and, most importantly, stole the PINs associated with the accounts. Now all it took was to go to ATMs and get cash. Serious cash.
The attackers may be clever hackers, but they have absolutely no cash-out capabilities, and certainly no worldwide operation in place. Once such a cash-out operation starts, it’s only a matter of hours before enough alarm bells ring and someone pulls the virtual power cord at the processor’s end. So you need to be quick, and you need to work in parallel, hitting as many cash machines simultaneously as you can. The hackers knew they couldn’t do it themselves, and hired a cash-out crew to do the legwork.
And what legwork it was. In just 10 hours, ATMs around the world were used to withdraw $40 million. In Japan, for instance, $10 million were withdrawn. In New York alone, a team of 8-12 runners went from one cash machine to the next and cleaned out $2.4 million in just a few hours from 2,900 ATMs, according to the
This heist was carried out by the same gang who did a $5 million cash-out operation a few months ago, that time by hitting an India-based prepaid card processor. The total is a staggering $45 million withdrawn from ATMs in 26 countries, combining a virtual robbery with a very real, brick-and-mortar operation to get the cash out without being caught.
But the NY crew was caught. Less than 90 days after they carried out the heist, 8 members of the crew were charged by the DOJ with fraud. 7 were arrested, while the 8th, according to some reports, was murdered by hit men a few weeks ago, probably because of some argument about the money.
Hats off to another successful investigation.
Such success stories, which used to be extremely rare five years ago and are now becoming much more prevalent, send a clear message to cybercriminals: you’re not invisible, you’re not anonymous, and if you make even the slightest mistake, you’re in for a long time in jail.
A couple of lessons here. Once it starts, it’s very difficult to stop such an operation. The cash-out process is very quick, spans many countries and individual ATMs belonging to multiple networks, and in just a few hours a huge amount of money can be cleaned out.
Two things can be done:
The first is to put more controls inside the network of prepaid card processors. There are many companies processing prepaid cards, and anyone with sufficient access can create fake accounts or take over existing ones, load them with money, and remove the withdrawal limits. Tighter monitoring at the processor’s end can immediately alert on such actions and foil the scam.
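As an added illustration of the processor-side monitoring described above (example code written for this page, not from the original post or any processor), the following flags a prepaid account whose withdrawal limit jumps by more than an order of magnitude and which is then hit from ATMs in several countries within a few hours. The event records, field names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not data from the incident): account A1 has its
# limit raised 500-fold and is then drained from ATMs in three countries;
# account B7 gets a modest limit bump followed by two ordinary withdrawals.
EVENTS = [
    {"ts": "2013-02-19T20:00", "type": "limit_change", "account": "A1", "old": 500, "new": 250000},
    {"ts": "2013-02-19T20:40", "type": "withdrawal", "account": "A1", "amount": 1200, "country": "JP"},
    {"ts": "2013-02-19T20:42", "type": "withdrawal", "account": "A1", "amount": 1500, "country": "US"},
    {"ts": "2013-02-19T20:45", "type": "withdrawal", "account": "A1", "amount": 900, "country": "RO"},
    {"ts": "2013-02-19T20:47", "type": "withdrawal", "account": "A1", "amount": 1100, "country": "US"},
    {"ts": "2013-02-19T09:00", "type": "limit_change", "account": "B7", "old": 500, "new": 800},
    {"ts": "2013-02-19T12:00", "type": "withdrawal", "account": "B7", "amount": 200, "country": "US"},
    {"ts": "2013-02-20T12:00", "type": "withdrawal", "account": "B7", "amount": 300, "country": "US"},
]

LIMIT_RATIO = 10              # flag a limit raised more than 10-fold in one change
WINDOW = timedelta(hours=10)  # look this long after the change for a cash-out burst
MIN_COUNTRIES = 3             # distinct ATM countries inside WINDOW
MIN_WITHDRAWALS = 4           # or this many withdrawals inside WINDOW

def detect(events):
    """Return (account, reason) alerts for suspicious limit changes and cash-out bursts."""
    alerts = []
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_account[e["account"]].append(e)
    for acct, evs in by_account.items():
        for i, e in enumerate(evs):
            if e["type"] != "limit_change":
                continue
            t0 = datetime.fromisoformat(e["ts"])
            if e["new"] > LIMIT_RATIO * e["old"]:
                alerts.append((acct, f"limit raised {e['new'] / e['old']:.0f}x"))
            # Withdrawals in the window after the change; note those above the old limit
            burst = [w for w in evs[i + 1:] if w["type"] == "withdrawal"
                     and datetime.fromisoformat(w["ts"]) - t0 <= WINDOW]
            countries = {w["country"] for w in burst}
            over_old = [w for w in burst if w["amount"] > e["old"]]
            if len(countries) >= MIN_COUNTRIES or len(burst) >= MIN_WITHDRAWALS:
                alerts.append((acct, f"{len(burst)} withdrawals in {len(countries)} countries within window"))
            if over_old:
                alerts.append((acct, f"{len(over_old)} withdrawals above pre-change limit {e['old']}"))
    return alerts

if __name__ == "__main__":
    for acct, reason in detect(EVENTS):
        print(f"ALERT {acct}: {reason}")
```

Account B7 produces no alert, so a processor can tune the ratio and window to its own traffic without drowning in noise from ordinary limit adjustments.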
The second is to have a quick investigation using state-of-the-art video processing in order to identify individual cash-out runners as soon as possible and start closing in on their operation, hoping to recover the money before it’s sent back to the masterminds behind the attack; or at least make arrests that will allow impounding the money and returning it to the rightful owners. Other investigation methods include monitoring the forums where such groups communicate, and trying to infiltrate the operation.
This is one of the largest cyber heist operations in history, but certainly not the first using the exact same method. In 2009 a very similar heist took place when three East European hackers went into a US-based processor network, took control of several prepaid debit cards used for paying salaries, raised the withdrawal limits, and teamed up with an international cash-out crew that sent runners to 2100 ATMs in 8 countries, including Japan, Italy, Canada and the US, withdrawing a whopping $9 million in just twelve hours. The cash-out mastermind, BadB, who was known in the fraud underground community because of his funny video promotions, was arrested a few months later.
Bottom line: next time you hit the banks for $45 million, you need to take the money - and run