NEW YORK - A gang of cyber-criminals stole $45 million in a matter of hours by hacking their way into a database of prepaid debit cards and then fanning out around the globe to drain cash machines, federal prosecutors said Thursday.
Brooklyn U.S. Attorney Loretta Lynch called it "a massive 21st-century bank heist" and compared its size to the Lufthansa heist in the late 1970s immortalized in the film Goodfellas. Lynch said the fraudsters had moved with astounding speed to loot financial institutions around the world.
A security analyst said it was the biggest ATM fraud case she had heard of.
Seven people are under arrest in the United States in connection with the case, which prosecutors said involved thousands of thefts from ATMs using bogus magnetic swipe cards. The accused ringleader in the U.S. cell, Alberto Yusi Lajud-Pena, was reportedly murdered in the Dominican Republic late last month, prosecutors said. More investigations are under way and other arrests have been made in other countries, but prosecutors did not have details.
An indictment unsealed Thursday accused the eight of being members of the New York cell, saying they withdrew $2.8 million in cash from hacked accounts in less than a day. One of the suspects was caught on multiple surveillance cameras, his backpack increasingly loaded down with cash. Others took photos of themselves with giant wads of bills as they made their way up and down Manhattan.
Lynch said the cells would take a cut of the money and then launder it through expensive purchases or ship it wholesale to the global ringleaders, but didn't say where they were located. Prosecutors said the scheme involved attacks on two banks, Rakbank, which is in the United Arab Emirates, and the Bank of Muscat in Oman. Hackers obtained debit card data, eliminated withdrawal limits on the accounts, created access codes, and then sent a network of operatives fanning out to rapidly withdraw money in multiple cities, authorities said.
Lynch called it a "virtual criminal flash mob." She said they could use any plastic card to withdraw the cash - an old hotel key card or an expired credit card - as long as they had the account data and correct access codes.
There were two attacks, one in December and one in February. In the second attack, more than 36,000 transactions were made worldwide and about $40 million was stolen.
Lynch would not say who masterminded the attacks globally, who the hackers are, or where they were located, citing an ongoing investigation.
The seven men arrested in New York were U.S. citizens originally from the Dominican Republic who lived in Yonkers and were mostly in their 20s. Lynch said they all knew each other and were recruited together, as were other cells in other countries. They were charged with conspiracy and money laundering. If convicted, they face 10 years in prison.
Law enforcement agencies in Japan, Canada, Germany, Romania, and 12 other countries have been involved in the investigation, U.S. prosecutors said.
Arrests began in March. Lajud-Pena was found dead with a suitcase full of about $100,000 in cash. The investigation into his death is continuing separately.
Avivah Litan, an analyst who covers security issues for Gartner Inc., said similar ATM fraud schemes are not uncommon, but the $45 million stolen in this one was at least double the amount involved in previous, known cases. Middle Eastern banks and payment processors are "a bit behind" on security and screening technologies that are supposed to prevent this kind of fraud, but it happens around the world, she said.
"It's a really easy way to turn digits into cash," Litan said.
Some of the fault lies with ubiquitous magnetic strips on the back of the cards. The rest of the world has largely abandoned cards with magnetic strips in favor of ones with built-in chips that are nearly impossible to copy. But because U.S. banks and merchants have stuck to cards with magnetic strips, they are still accepted in many places in the world.