One of world’s biggest bank heists spans 27 countries, run from New York City

Loretta Lynch, United States Attorney for the Eastern District of New York, speaks at a news conference in New York, May 9, 2013. REUTERS/Lucas Jackson
Loretta Lynch, U.S. attorney for the eastern district of New York, speaks at a news conference Thursday. Credit: Lucas Jackson/Reuters

In one of the biggest ever bank heists, a global cybercrime ring stole $45 million from two Middle Eastern banks by hacking into credit card processing firms and withdrawing money from ATMs in 27 countries, U.S. prosecutors said.

The U.S. Justice Department accused eight men of allegedly forming the New York-based cell of the organization, and said seven of them have been arrested. The eighth, allegedly a leader of the cell, was reported to have been murdered in the Dominican Republic on April 27.

The ringleaders are believed to be outside the United States but prosecutors declined to give details, citing the ongoing investigation. What’s clear is the sheer scope and speed of the crimes: In one of the attacks, in just over 10 hours, $40 million was raided from ATMs in 24 countries involving 36,000 transactions.

“In the place of guns and masks, this cybercrime organization used laptops and the Internet,” U.S. Attorney for the Eastern District of New York Loretta Lynch said at a news conference. “Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City.”

The case demonstrates the major threat that cybercrime poses to banks around the world. It also shows how increasingly international and sophisticated criminal gangs have become, particularly those using the Internet.

Prosecutors highlighted the “surgical precision” of these hackers, the global nature of their organization, and the speed and coordination with which they executed operations in 27 countries.

According to the complaint, the gang broke into the computers of two credit card processors, one in India in December 2012 and the other in the United States this February. The companies were not identified.

The hackers increased the available balance and withdrawal limits on prepaid MasterCard debit cards issued by Bank of Muscat of Oman, and National Bank of Ras Al Khaimah PSC (RAKBank) of the United Arab Emirates, according to the complaint. They then distributed counterfeit debit cards to “cashers” around the world, enabling them to siphon millions of dollars from ATMs in a matter of hours.

In New York, for example, members of the cell fanned out into the city on the afternoon of Feb. 19, armed with cards bearing a single Bank of Muscat account number. Ten hours later, they had completed 2,904 withdrawals for $2.4 million in all, the final transaction coming around 1:26 a.m., prosecutors said.

Casher crews in other countries were busy doing the same, pulling some $40 million from Bank of Muscat to add to the $5 million they stole from RAKBank in December, according to the indictment. In total, cashers made some 40,500 withdrawals in 27 countries during the two coordinated incidents.

Prosecutors said the method of attack was known as “unlimited operations” in the cyber underworld.

Representatives for the two banks could not be reached for comment outside of regular business hours.

In a statement, Mastercard said it had cooperated with law enforcement in the investigation and stressed that its systems were not involved or compromised in the attacks.

In late February, Bank of Muscat disclosed that it would take an impairment charge of up to 15 million rials ($39 million) because it had been defrauded overseas by 12 prepaid debit cards used for travel. That charge was equal to more than half of the 25 million rials profit it posted in its first quarter ended March 31.

Highly skilled hackers

Cyber experts said they believe the operation likely required the work of several hundred people, at least several of whom were highly skilled hackers capable of devising ways to penetrate well-protected financial systems.

“Hackers only need to find one vulnerability to cause millions of dollars of damage,” said Mark Rasch, a former federal cyber crimes prosecutor, based in Bethesda, Maryland.

The group may have targeted Middle Eastern banks because they tend to allow customers to put much larger sums on cards and do not monitor them as closely as banks in other regions, said Shane Shook, global vice president of consulting for the security firm Cylance Inc.

“It’s a target-rich environment in terms of soft electronic security,” said Shook, an Arabic speaker who has spent more than a decade investigating cyber crimes.

The case is similar to one in 2009 that targeted the prepaid debit-card unit of Royal Bank of Scotland, which lost more than $9 million in less than 12 hours, said Jason Weinstein, a former federal prosecutor who supervised the Justice Department’s handling of that case.

That case was considered a watershed moment in cyber crime prosecutions at the time. “This dwarfs that case,” he said.

It is not clear if banks can seek to recover losses from card processors, legal experts said. Contracts usually have specific language governing the security protocols that must be in place, said Frederick Rivera, an attorney with Perkins Coie who specializes in financial services litigation.

If the processors failed to follow those requirements, they could be liable for the losses. If they had adequate security, however, the banks “could be left holding the bag,” Rivera said.

The banks might also be able to seek reimbursement under their insurance policies, many of which now have cyber crime provisions, or from the processors’ insurance carriers.

Weinstein also said that the processors could face regulatory scrutiny over whether they provided proper security.

The eight defendants – all U.S. citizens and residents of Yonkers, New York – were charged with withdrawing cash from the ATMs and transporting money, not hacking into the credit card processing firms or managing the operation.

The seven arrested are: Jael Mejia Collado, Joan Luis Minier Lara, Evan Jose Peña, Jose Familia Reyes, Elvis Rafael Rodriguez, Emir Yasser Yeje and Chung Yu-Holguin (known as “Chino El Abusador”). All except for Rodriguez were arraigned on Thursday and pleaded not guilty. Rodriguez’s attorney was unavailable. Only Pena has been released on bail.

The defendant who reportedly had been killed was Alberto Yusi Lajud-Peña, also known as “Prime” and “Albertico.” Lynch said it was unclear whether the murder was related to this case.

Prosecutors said cashers often laundered their proceeds by purchasing luxury goods, and sending a portion of the money back to the organization’s leaders.

Lynch said the New York gang kept roughly 20 percent of their takes, and sent the rest to the organizers. Authorities said they seized hundreds of thousands of dollars in cash and bank accounts, as well as two Rolex watches and a Mercedes SUV, from the defendants.

Investigators said that they found an email exchange with an account associated with a criminal money laundering operation in St. Petersburg, Russia, describing wire transfers.

An investigation is ongoing to see if other cells are operating in the country, Lynch said, adding that U.S. law enforcement had worked with counterparts in Japan, Canada, Germany, Romania, the United Arab Emirates, Dominican Republic, Mexico, Italy, Spain, Belgium, France, United Kingdom, Latvia, Estonia, Thailand, and Malaysia to uncover the ring.

No individual bank accounts were compromised by the scheme, Lynch said.

The case is U.S. v. Lajud-Pena et al., U.S. District Court, Eastern District of New York, No. 13-cr-259.



News
Entertainment
Sports
Lifestyle
National

Dogs are capable of feeling jealousy - U.S.…

By Curtis Skinner(Reuters) - Dogs are a man's best friend, and research released on Wednesday says canines want to keep it that way.Dogs are capable…

Local

G train riders brace for five-week shutdown

G train service will be suspended between Brooklyn and Queens between Friday, July 25, and Tuesday, Sept. 2.

International

Peaches Geldof's death was drugs-related, coroner rules

LONDON (Reuters) - The death of Peaches Geldof, the daughter of musician and Band Aid founder Bob Geldof, was drugs-related, a coroner ruled on Wednesday.The…

Local

Family, supporters gather in Brooklyn for Eric Garner…

Family members gathered on Wednesday for the funeral of Eric Garner, who died shortly after police put him in a banned chokehold as they arrested him.

Going Out

Where to go drinking on National Tequila Day…

Thursday is just close enough to the end of the week to make you envision yourself already sunning on a beach towel or lounging by…

Going Out

Things to do in NYC this week: July…

Performing arts A 70’s Summer Night Friday, 6:30 p.m. The Green Building 452 Union St., Gowanus $35, 347-529-6473 Party like it’s summer in the 1970s…

Going Out

5 must-try dishes at Edible Manhattan's Good Beer

Rooting out the exotic amid the New York City bar scene is noble quest. But if you’d like to have it all come to you,…

Books

Art imitates life (almost) in David Shapiro's new…

David Shapiro talks about his book, "You're Not Much Use To Anyone."

NFL

Jerry Reese confident with Giants, skipping countdown clocks…

Last year, Giants GM Jerry Reese installed a countdown clock in the locker room to inspire Big Blue to play in their own stadium for Super Bowl XLVIII.

MLB

Brandon McCarthy finds his calling on Twitter

Yankees starter Brandon McCarthy joined Twitter three year ago for the same reason many people do: to get news quickly.

Sports

NBA great LeBron James sends 800 cupcake apologies…

By Kim PalmerCLEVELAND (Reuters) - NBA star LeBron James, whose recent return to the Cleveland Cavaliers in his home state of Ohio sparked a frenzy…

NFL

Fantasy football: Johnny Manziel could give your running…

Fantasy football: Johnny Manziel could give your running game a boost

Food

Recharge with a post-workout smoothie from Nicky Hilton

Some people can roll out of bed right as their alarm goes off. And that alarm isn’t set for 20 minutes before they have to…

Education

Colleges are increasingly embracing the concept of gender-neutral…

  Northwestern University recently made headlines after announcing that it would be installing two gender-neutral bathrooms in the university's student center. “These are two gender-open…

Career

How to prepare to interview for your dream…

    Congratulations! You landed a job interview at your dream company! A lot of hard work has gone into determining which companies to apply…

Style

The shirtdress is a summer must-have

  We love throwing on our boyfriend’s shirt and a pair of jeans (no matter how much he grumbles that it’s his turn to wear the…