Federal authorities have slapped the cuffs on several alleged members of a cyber-gang who are charged with taking part in a massive heist that stole as much as $45 million in a matter of hours.
According to an indictment unsealed Thursday, seven of eight people have been charged with being members of the New York-based cell of a sophisticated international bank fraud operation. The eighth defendant was reportedly murdered in April in the Dominican Republic.
"In place of guns and masks, this cyber-crime organization used laptops and the Internet," said U.S. Attorney Loretta E. Lynch of the Eastern District of New York, in a statement. "Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of ATMs in a matter of hours."
According to authorities, between roughly October 2012 and April 2013, the defendants and their co-conspirators worked together in two separate operations to defraud victims around the globe.
The first operation began Dec. 22, 2012, when the gang targeted a credit card processor that handled transactions for prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC in the United Arab Emirates. After the gang hacked the organization's network, they compromised prepaid card accounts and manipulated account balances and withdrawal limits.
The next step was to distribute the hacked prepaid debit card numbers to associates around the world whom authorities refer to as "cashers." The cashers encode magnetic stripe cards, such as gift cards, with compromised card data and then withdraw cash from the compromised accounts.
In total, more than 4,500 ATM transactions were conducted in approximately 20 countries around the world, resulting in roughly $5 million in losses. In the New York City area alone, the defendants allegedly stole nearly $400,000 at more than 140 different ATMs in just two hours and 25 minutes.
In the gang's second operation, which occurred between Feb. 19 and Feb. 20, they again breached the network of a credit card processor that serviced MasterCard prepaid debit cards issued by the Bank of Muscat in Oman. Just as before, the gang hacked prepaid debit card accounts and distributed the data.
The organization then began a worldwide withdrawal campaign, ultimately taking about $40 million from ATMs in 24 countries in approximately 10 hours, authorities said. Approximately $2.4 million was taken from ATMs in the New York City area.
"Several attacks of this nature have occurred in the past few years," said Tom Cross, director of security research at Lancope. "What makes this type of attack unique is not just the technical skill required to pull it off, but the level of logistical coordination needed to perform nearly simultaneous withdrawals from large numbers of ATM machines."
"The vulnerabilities that led to that compromise need to be identified and closed," he said.
The defendants are charged with numerous offenses, including conspiracy to commit access device fraud, money laundering conspiracy and money laundering. If convicted, the defendants face a maximum sentence of 10 years in prison for each money laundering charge and 7.5 years on each conspiracy to commit access device fraud charge.