US charges eight over $45m ATM theft

US charges eight over $45m ATM theft

US authorities have charged eight people with taking part in two cyber-attacks that saw card data stolen from payment processors and used to withdraw $45 million from ATMs around the world.

According to a four-count federal indictment, the eight charged made up the New York cell of a massive cyber-crime ring spread across as many as 26 countries.

The scam saw hackers spend several months working to gain access to the computer networks of credit card processors, stealing pre-paid card details and upping the balance limits, say court filings. The data was then sent to cells of 'cashers' around the world who used it to make counterfeit cards before being sent PINs to make ATM withdrawals.

The first operation carried out by the gang, on 22 December, targeted a processor that dealt with transactions for pre-paid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC in the UAE. More than 45000 transactions were made using the stolen information, costing the bank and processor around $5 million.

The second attack, on 19 and 20 February, targeted a processor that serviced MasterCard pre-paid debit cards, this time issued by the Bank of Muscat, in Oman. In just 10 hours casher cells in 24 countries executed 36,000 transactions and withdrew about $40 million from ATMs.

The New York cell alone managed to steal around $2.8 million over the two operations, say authorities. Members then laundered hundreds of thousands of dollars in illicit cash proceeds. In just one transaction, nearly $150,000 in the form of 7491 $20 bills, was deposited at a bank branch in Miami. Cell members also invested the proceeds in portable luxury goods, such as expensive watches and cars.

Over the last few weeks, seven of the eight defendants - Jael Mejia Collado, Joan Luis Minier Lara, Evan Jose Peña, Jose Familia Reyes, Elvis Rafael Rodriguez, Emir Yasser Yeje, and Chung Yu-Holguin - have been arrested, while the eighth, Alberto Yusi Lajud-Peña, is reported to have been murdered in the Dominican Republic.

United States Attorney Loretta Lynch says: "As charged in the indictment, the defendants and their co-conspirators participated in a massive 21st century bank heist that reached across the Internet and stretched around the globe. In the place of guns and masks, this cybercrime organisation used laptops and the Internet. Moving as swiftly as data over the Internet, the organisation worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of ATMs in a matter of hours."

If convicted, the defendants face a maximum sentence of 10 years' imprisonment on each of the money laundering charges and seven and a half on the conspiracy to commit access device fraud charge, restitution, and up to $250,000 in fines.

Comments: (2)

Uri Rivner
Uri Rivner - Refine Intelligence - Tel Aviv 10 May, 2013, 10:02Be the first to give this comment the thumbs up 0 likes

Hats off for the arrests. I wrote a commentary on this heist here.

A Finextra member
A Finextra member 12 May, 2013, 01:12Be the first to give this comment the thumbs up 0 likes

Hats off for the arrests, but thumbs down on financial institutions and related service providers that do run unsecure systems.

It has not become public yet whose systems were hacked in this case, but chances are that these were low cost systems based on PC technology and running under Windows or Linux. And guess what, hacking such systems isn't too difficult - but trying to make and keep them really secure is next to impossible, given those thousands of vulnerabilities found in these environments.

Unlike the peddlers of PC technology try to make us believe, there are other systems around that are pretty robust and malware-resistant. Not considering such better alternatives adds significantly to the risks of running IT systems, in particular in FSI.