This article is from the source 'nytimes' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at http://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-45-million-global-cyber-bank-thefts.html

The article has changed 10 times. There is an RSS feed of changes available.

Version 3 Version 4
Cyberthieves Looted A.T.M.’s of $45 Million in Just Hours In Hours, Thieves Took $45 Million in A.T.M. Scheme
(about 4 hours later)
It was a huge bank heist but a 21st-century version in which the robbers never wore ski masks, threatened a teller or set foot in a vault. It was a brazen bank heist, but a 21st-century version in which the criminals never wore ski masks, threatened a teller or set foot in a vault.
Yet, in two precision operations that involved people in more than two dozen countries acting in close coordination and with surgical precision, the organization was able to steal $45 million from thousands of A.T.M.'s in a matter of hours. In two precision operations that involved people in more than two dozen countries acting in close coordination and with surgical precision, thieves stole $45 million from thousands of A.T.M.’s in a matter of hours.
In New York City alone, the thieves responsible for A.T.M. withdrawals struck 2,904 machines over 10 hours on Feb. 19, withdrawing $2.4 million. In New York City alone, the thieves responsible for A.T.M. withdrawals struck 2,904 machines over 10 hours starting on Feb. 19, withdrawing $2.4 million.
On Thursday, federal prosecutors in Brooklyn unsealed an indictment charging eight members of the New York crew including their suspected ringleader who was found dead in the Dominican Republic on April 27 offering a glimpse into what the authorities said was one of the most sophisticated and effective cybercrime attacks ever uncovered. The operation included sophisticated computer experts operating in the shadowy world of Internet hacking, manipulating financial information with the stroke of a few keys, as well as common street criminals, who used that information to loot the automated teller machines.
“In the place of guns and masks, this cybercrime organization used laptops and the Internet,” said Loretta E. Lynch, the United States attorney in Brooklyn. “Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of A.T.M.'s in a matter of hours.” The first to be caught was a street crew operating in New York, their pictures captured as they traveled the city withdrawing money and stuffing backpacks with cash.
The indictment outlined how they were able to steal data from banks, relay that information to a far-flung network of “cashing crews,” and then launder the stolen money by buying high-end luxury items like Rolex watches and expensive cars. On Thursday, federal prosecutors in Brooklyn unsealed an indictment charging eight men including their suspected ringleader, who was found dead in the Dominican Republic last month. The indictment and criminal complaints in the case offer a glimpse into what the authorities said was one of the most sophisticated and effective cybercrime attacks ever uncovered.
In the first robbery, hackers were able to infiltrate the system of an unnamed Indian credit-card processing company that handles Visa and MasterCard prepaid debit cards. It was, prosecutors said, one of the largest heists in New York City history, rivaling the 1978 Lufthansa robbery, which inspired the movie “Goodfellas.”
The hackers who are not named in the indictment proceeded to raise the withdrawal limits on prepaid MasterCard debit accounts issued by the National Bank of Ras Al-Khaimah, also known as RAKBANK, which is in United Arab Emirates. Beyond the sheer amount of money involved, law enforcement officials said, the robbery underscored the vulnerability of financial institutions around the world to clever criminals working to stay a step ahead of the latest technologies designed to thwart them.
By eliminating the withdrawal limits, “even a few compromised bank account numbers can result in tremendous financial loss to the victim financial institution,” the indictment states. “In the place of guns and masks, this cybercrime organization used laptops and the Internet,” said Loretta E. Lynch, the United States attorney in Brooklyn. “Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of A.T.M.’s in a matter of hours.”
With five account numbers in hand, the hackers distributed the information to individuals in 20 countries who then encoded the information on magnetic stripe cards. The indictment outlined how the criminals were able to steal data from banks, relay that information to a far-flung network of “cashing crews,” and then have the stolen money laundered in purchases of luxury items like Rolex watches and expensive cars.
On Dec. 21, the “cashing crews” made 4,500 A.T.M. transactions worldwide, stealing $5 million, according to the indictment. In the first operation, hackers infiltrated the system of an unnamed Indian credit-card processing company that handles Visa and MasterCard prepaid debit cards. Such companies are attractive to cybercriminals because they are considered less secure than financial institutions, computer security experts say.
But that robbery was just a prelude for what prosecutors said was a more brazen crime that took place two months later. The hackers, who are not named in the indictment, then raised the withdrawal limits on prepaid MasterCard debit accounts issued by the National Bank of Ras Al-Khaimah, also known as RakBank, which is in United Arab Emirates.
On Feb. 19, “cashing crews” stood at A.T.M.'s across Manhattan and in two dozen other countries waiting for word to spring into action. Once the withdrawal limits have been eliminated, “even a few compromised bank account numbers can result in tremendous financial loss to the victim financial institution,” the indictment states. And by using prepaid cards, the thieves were able to take money without draining the bank accounts of individuals, which might have set off alarms more quickly.
This time, the hackers infiltrated a credit-card processing company based in the United States that also handles Visa and MasterCard prepaid debit cards. The company’s name was not revealed in the indictment. With five account numbers in hand, the hackers distributed the information to individuals in 20 countries who then encoded the information on magnetic-stripe cards. On Dec. 21, the “cashing crews” made 4,500 A.T.M. transactions worldwide, stealing $5 million, according to the indictment.
After securing 12 account numbers for cards issued by the Bank of Muscat in Oman and raising the withdrawal limits, the cashing crews were set in motion. Starting at 3 p.m., the crews made 36,000 transactions and withdrew about $40 million from machines in the various countries in about 10 hours. In New York City alone, a team of eight people made 2,904 withdrawals, stealing $2.4 million. While the street crews were taking money out of bank machines, the computer experts were watching the financial transactions from afar, ensuring that they would not be shortchanged on their cut, according to court documents. MasterCard alerted the Secret Service to the activity soon after the transactions were completed, said a law enforcement official, who declined to be identified discussing a continuing investigation.
Surveillance photos of one suspect hitting various A.T.M.'s showed the man’s backpack getting heavier and heavier, Ms. Lynch said, comparing the robbery to the caper at the center of the movie “Ocean’s 11.” Robert D. Rodriguez, a special agent with the Secret Service for 22 years and now the chairman of Security Innovation Network, said that in some ways the crime was as old as money itself: bad guys trying to find weaknesses in a system and exploiting that weakness.
“New technologies and the rapid growth of the Internet have eliminated the traditional borders of financial crimes and provided new opportunities for the criminal element to threaten the world’s financial systems,” said Steven Hughes, a Secret Service special agent, who participated in the investigation. “However, as demonstrated by the charges and arrests announced today, the Secret Service and its law enforcement partners have adapted to these technological advancements and utilized cutting edge investigative techniques to thwart this cybercriminal activity.” “The difference today is that the dynamics of the Internet and cyberspace are so fast that we have a hard time staying ahead of the adversary,” he said. And because these crimes are global, he said, even when the authorities figure out who is behind them they might not be able to arrest them or persuade another law enforcement agency to take action.
The authorities did not immediately provide details about how they became aware of the operation or whether any other arrests have been made in connection with the case. After pulling off the December theft, the organization grew more bold, and two months later they struck again this time nabbing $40 million.
While the indictment suggests a far-reaching operation, there are no details about the people responsible for conducting the computer hacking or who might be leading the global operation. Law enforcement agencies in more than a dozen countries, including Japan, Canada, Germany and Romania, have been involved in the investigation, prosecutors said. On Feb. 19, “cashing crews” were in place at A.T.M.’s across Manhattan and in two dozen other countries waiting for word to spring into action.
The authorities said the leader of the New York cashing crew was Alberto Lajud-Peña, 23, who also went by the name Prime. His body was found in the Dominican Republic on April 27 and prosecutors said they believe he was killed. This time, the hackers had infiltrated a credit-card processing company based in the United States that also handles Visa and MasterCard prepaid debit cards. Prosecutors did not disclose the company’s name.
Seven other people were charged with conspiracy to commit “access device fraud” and money laundering. The prosecutors said they were all American citizens and were based in Yonkers. After securing 12 account numbers for cards issued by the Bank of Muscat in Oman and raising the withdrawal limits, the cashing crews were set in motion. Starting at 3 p.m., the crews made 36,000 transactions and withdrew about $40 million from machines in the various countries in about 10 hours. In New York City, a team of eight people made 2,904 withdrawals, stealing $2.4 million.
The indictment says that the defendants “invested the criminal proceeds in portable luxury good, such as expensive watches and cars.” Surveillance photos of one suspect at various A.T.M.’s showed the man’s backpack getting heavier and heavier, Ms. Lynch said, comparing the series of thefts to the caper at the center of the movie “Ocean’s 11.”
The authorities have already seized hundreds of thousands of dollars from bank accounts, two Rolex watches and a Mercedes S.U.V., and are in the process of seizing a Porsche Panamera. While the New York crew had a productive spree, the crews in Japan seem to have been the most successful, stealing around $10 million, probably because some banks in Japan allow withdrawals of as much as $10,000 from a single bank machine.

Mosi Secret contributed reporting.

“The significance here is they are manipulating the financial system to be able to change these balance limits and withdrawal limits,” said Kim Paretti, a former prosecutor in the computer crime division of the Justice Department who is now a partner in the law firm Alston & Bird. “When you have a scheme like this, where the system can be manipulated to quickly get access to millions of dollars that in some sense did not exist before, it could be a systemic risk to our financial system.”
It was unclear to whom the hacked accounts belonged, and who might ultimately be responsible for the losses.
The indictment suggests a far-reaching operation, but there were few details about the people responsible for conducting the hacking or who might be leading the global operation. Law enforcement agencies in more than a dozen countries are still investigating, according to federal prosecutors. The authorities said the leader of the New York cashing crew was Alberto Lajud-Peña, 23, whose body was found in the Dominican Republic late last month. Seven other people were charged with conspiracy to commit “access device fraud” and money laundering.
The prosecutors said they were all American citizens and were based in Yonkers. The age of one defendant was given as 35; the others were all said to be 22 to 24. Mr. Lajud-Peña fled the United States just as the authorities were starting to make arrests of members of his crew, the law enforcement official said.
On April 27, according to news reports from the Dominican Republic, two hooded gunmen stormed a house where he was playing dominoes and began shooting. A manila envelope containing about $100,000 in cash remained untouched.

Nicole Perlroth, Frances Robles and Mosi Secret contributed reporting.