8 Charged in $45 Million CybertheftFraudulent ATM Transactions Yielded Millions in Hours
Federal prosecutors have charged eight individuals in a massive cybercrime operation that involved hacking into payment card processors' networks, manipulating prepaid debit-card limits and speedily withdrawing $45 million from ATMs worldwide. Federal authorities allege the participants in the cyberheist used some of the cash to buy expensive watches and luxury automobiles.
See Also: 2016 State of Threat Intelligence Study
The U.S. Department of Justice and other law enforcement officials announced May 9 that seven of the eight defendants had been arrested; the eighth apparently was murdered in April.
"The defendants and their co-conspirators participated in a massive 21st century bank heist that reached across the Internet and stretched around the globe," says Loretta Lynch, United States attorney for the Eastern District of New York. "In the place of guns and masks, this cybercrime organization used laptops and the Internet."
The alleged fraudsters conducted two massive fraud operations, the Justice Department says.
In the first operation, on Dec. 22, 2012, the defendants targeted a payments processor that processed transactions for prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, also known as RAKBANK, in the United Arab Emirates.
Once they penetrated the processor's network, the fraudsters compromised the RAKBANK prepaid card accounts, manipulated the balances and withdrawal limits, and then launched a coordinated, worldwide ATM withdrawal campaign using altered prepaid debit cards, authorities say.
In total, more than 4,500 ATM withdrawals were conducted in approximately 20 countries around the world using the compromised RAKBANK debit-card data, resulting in approximately $5 million in losses to the processor and RAKBANK. In Greater New York City, the defendants and co-conspirators conducted approximately 750 fraudulent transactions, totaling nearly $400,000 in just two hours and 25 minutes, prosecutors say.
In the second operation, which occurred Feb. 19-20, the attackers breached the network of a processor that services transactions conducted on MasterCard-branded prepaid debit cards issued by the Bank of Muscat in Oman.
Over the course of approximately 10 hours, so-called casher cells in 24 countries executed approximately 36,000 transactions worldwide and withdrew about $40 million from ATMs, according to a statement issued by the Justice Department. In the New York City area, the alleged fraudsters were able to conduct nearly 3,000 ATM withdrawals totaling nearly $2.4 million in about 10 hours, federal authorities say.
If convicted, each defendant faces a maximum sentence of 10 years in prison on each money laundering charge and 7 1/2 years on charges related to conspiracy to commit access-device fraud and up to $250,000 in fines and restitution.
For expert commentary on the incident, see interview with Gartner's Avivah Litan.