Individuals employed around the world by a sophisticated cyber crime ring stole $45 million from thousands of bank automated teller machines within a matter of hours, using hacked debit-card data, U.S. prosecutors said on Thursday.
Members of the global criminal organization hacked into two credit card processors and used stolen data to make more than 40,500 withdrawals in 27 countries, during two separate coordinated incidents in December 2012 and February 2013, the Justice Department said.
The government charged eight individuals in New York with participating in the larger scheme by withdrawing $2.8 million in thousands of ATM transactions, in what U.S. Attorney Loretta Lynch said was the second-biggest bank robbery in the history of New York City.
Lynch said it was likely that the headquarters of the global scheme was located outside the United States and that the current charges focused only on the New York-based cell. Investigators were examining whether other cells were operating elsewhere in the United States, she said.
"In the place of guns and masks, this cyber crime organization used laptops and the Internet. Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of ATMs in a matter of hours," said Lynch, whose office in Brooklyn, New York, brought the case.
- PHOTOS: What's Brewing in Steamy Hallows, the Harry Potter-Inspired Cafe19 Pictures
- PHOTOS: Frida Kahlo at the Brooklyn Museum doesn't hold back23 Pictures
The case demonstrates the major threat that cyber crime poses to banks around the world. Security experts frequently identify electronic fraud as one of the key challenges facing banks today.
"Hackers only need to find one vulnerability to cause millions of dollars of damage," said Mark Rasch, a former federal cyber crimes prosecutor, based in Bethesda, Maryland.
In the December attack, hackers gained access to an Indian credit card processor that handled prepaid Mastercard Inc debit cards for National Bank of Ras Al Khaimah PSC, or RAKBANK, according to a criminal indictment.
In February, the hackers broke into the system of a U.S.-based credit card processor to steal account numbers for prepaid Mastercard debit cards issued by Bank of Muscat, the indictment said.
The second operation was far larger than the first attack, eventually totaling $40 million in losses to Bank of Muscat.
In late February, Bank Muscat disclosed that it would take an impairment charge of up to 15 million rials ($39 million) because it had been defrauded overseas using 12 prepaid debit cards used for travel. That charge was equal to more than half of the 25 million rials profit it posted in its first quarter ended March 31.
The indictment does not identify the processor companies.
Bank representatives could not be reached for comment outside of regular business hours.
In both cases, the hackers boosted the available balance for each card and eliminated the withdrawal limits, allowing them to take out huge sums of money from ATMs in what prosecutors called an "unlimited operation."
A single account number, for instance, yielded nearly $9 million in profits, including $2.4 million in New York City alone, prosecutors said.
The hackers distributed the account numbers to coordinated "casher" crews stationed across the globe, who siphoned millions of dollars from ATMs within a span of hours in December 2012 and February 2013.
One of the New York defendants was caught in surveillance footage from ATMs in Manhattan during the February operation, prosecutors said.
After the cards were shut down, cashers laundered the proceeds, often by purchasing luxury goods, and sent a portion of
the money back to the organization's leaders, prosecutors said.
Prosecutors said they seized hundreds of thousands of dollars in cash and bank accounts, as well as two Rolex watches and a Mercedes SUV, from the New York defendants.
No individual bank accounts were compromised by the scheme, Lynch said.
Authorities said they arrested seven of the eight defendants, all U.S. citizens and residents of Yonkers, New York. They are Jael Mejia Collado, Joan Luis Minier Lara, Evan Jose Peña, Jose Familia Reyes, Elvis Rafael Rodriguez, Emir Yasser Yeje and Chung Yu-Holguin.
The eighth defendant charged in the indictment, Alberto Yusi Lajud-Peña, also known as "Prime" and "Albertico," was murdered on April 27 in the Dominican Republic, according to prosecutors. Lynch said it was unclear whether the murder was related to the cybercrime case.
It wasn't immediately known which lawyers were representing the defendants.