A global posse of cyberthieves, armed with laptops in place of guns, hacked into financial institutions and stole $45 million from automated teller machines in a first-of-its-kind heist made for the 21st century, authorities in New York said Thursday.
Over a seven-month period ending last month, the authorities said, hackers broke into computer networks of financial companies in the United States and India and eliminated the withdrawal limits on prepaid debit cards.
Then, people involved in the heist withdrew tens of millions of dollars from ATMs in Manhattan and more than 20 other places around the world. In one case, surveillance cameras picked up a member of the “cashing crew” going from machine to machine, his cash-stuffed bag growing bigger with each hit.
In unsealing an indictment Thursday against eight men accused of helping to orchestrate the looting, the authorities described an underworld of cybercrime that they said was a burgeoning threat in the Internet age.
“This was a 21st-century bank heist that reached through the Internet and spanned the globe,” said Loretta Lynch, U.S. attorney for the Eastern District of New York. “Moving literally at the speed of the Internet, the organization made its way from the computer systems of international corporations to the streets of New York.”
Banks, not individual ATM users, were harmed. But the heist reinforced fears that new payment systems — such those being built into smartphones — raise a variety of new risks for consumers.
“New technologies and the rapid growth of the Internet have eliminated the traditional borders of financial crimes and provided new opportunities for the criminal element to threaten the world’s financial systems,” said Steven Hughes, special agent in charge of the Secret Service office in New York.
According to the indictment, the eight defendants — mostly men in their mid-20s and all residents of Yonkers, about a half-hour north of Manhattan — carried out the New York-based part of the fraud. Seven of them were arrested in recent weeks. An eighth man was reportedly slain last month in the Dominican Republic.
The authorities dubbed the heist an “unlimited operation” because hackers eliminated the withdrawal limits of debit cards. According to the indictment, the efforts began in October.
The masterminds of the scheme — whose identities or locations, if known, were not disclosed — breached an Indian firm that processes credit card transactions for MasterCard debit cards issued by Rakbank, an institution in the United Arab Emirates. These hackers attempted to either dramatically increase or eliminate withdrawal limits.
They next distributed prepaid card numbers associated with hacked accounts to cashing crews around the world, including the defendants in New York, the indictment says. These crews, armed with cheap technology easily bought online, reprogrammed gift cards and other disposable cards with the account data delivered by the hackers.
The crews conducted 4,500 ATM transactions in locations around the world, withdrawing $5 million, the indictment says.
A few months later, a second — and much larger — heist was conducted.
Once again, hackers launched an unlimited operation, attacking a MasterCard processor in the United States that handled transactions for prepaid debit cards issued by the Bank of Muscat in Oman. The name of the processing firm wasn’t disclosed.
Crews in two dozen countries set out over 10 hours, withdrawing $40 million in cash in 36,000 transactions. About $2.4 million was taken from ATMs in New York.
The thieves, according to the indictment, took a variety of steps to dispose of the money.
One defendant allegedly deposited nearly $150,000 worth of $20 bills in a bank branch in Miami. Others allegedly bought expensive items such as Rolex watches and a Mercedes SUV.
Authorities from around the world, from Canada to Thailand, were involved in the investigation. The defendants in New York each face 17 1/2 years in prison and up to $250,000 fines if convicted.
Henry Schwarz, a security expert who provides consulting to ATM companies, said the main vulnerability lay with the networks that were penetrated by hackers. He said it is extremely difficult to break into a network and obtain a regular customer’s four-digit personal identification number.
“The vulnerability was the ability to hack into the card processors’ servers,” he said. With a PIN, he said, “it’s very difficult because a PIN is stored by the card issuer in a heavily fortified” server.
Brian Riley, senior research director at CEB TowerGroup, said that although most people would suffer a terrible inconvenience, they would be protected if their ATMs were hacked.
“There’s no doubt it will be a major inconvenience to get your way through this,” he said. “Consumers are generally protected by the terms and agreements they signed up for with the card.”
He added that there will always be growing threats as companies seek to broaden access to financial transactions through new technologies.
“The first thing the card business is trying to do is to make it easier for people to transact,” Riley said. “As you do that, you’re opening up new areas to get attacked in. You’re opening up new vulnerabilities that never existed.”