US officials have indicted eight individuals for a massive cyber attack that allowed for a coordinated ATM heist which landed the criminals approximately $45 million (£30 million) in cash.
The scammers targeted banks that processed pre-paid debit cards, used a hack to erase the limit on those cards, and called on a network of criminals across the globe to withdraw millions from ATMs in a matter of hours.
The US Attorney's Office in Brooklyn this week unsealed an indictment that charged the men with money laundering and conspiracy to commit access device fraud. Seven are in custody, but the alleged ringleader of the New York cell - Alberto Yusi Lajud-Peña - was murdered in the Dominican Republic in late April.
"As charged in the indictment, the defendants and their co-conspirators participated in a massive 21st century bank heist that reached across the Internet and stretched around the globe. In the place of guns and masks, this cybercrime organization used laptops and the Internet," Loretta E. Lynch, US Attorney for the Eastern District of New York, said in a statement.
Prior the actual heist, the criminals worked for months to hack into the computer systems of Rakbank in the United Arab Emirates and the Bank of Muscat in Oman. They compromised pre-paid debit card accounts and erased their limits. "The elimination of withdrawal limits enables the participants to withdraw literally unlimited amounts of cash until the operation is shut down," the US attorney's office said.
The hacked pre-paid debit card numbers were then distributed to a network of teams, or "cashers," around the world. This case included cells in 26 countries, "who encode[d] magnetic stripe cards, such as gift cards, with the compromised card data. When the cybercrime organization distribute[d] the personal identification numbers (PINs) for the hacked accounts, the casher cells [sprang] into action, immediately withdrawing cash from ATMs across the globe."
Withdrawals were then monitored by those who hacked the banks in the first place.
According to the US Attorney's office, the actual ATM heists took place on 22 December, 2012 and on 19-20 February of this year.
In December, using accounts stolen from Rakbank, the scammers made 4,500 ATM transactions in 20 countries, stealing $5 million (£3.3 million). In New York alone, they made 750 fraudulent transactions and stole $400,000 (£260,000) from 140 ATMs in just under three hours.
The February heist was the big one, though. Using card data from the Bank of Muscat, cells in 24 countries made 36,000 transactions over 10 hours, stealing $40 million (£26 million). In New York, they got $2.4 million (£1.6 million) from 3,000 ATMs in the city.
To hide their tracks, the men laundered the money, usually via luxury items. The US has since seized hundreds of thousands of dollars in cash and bank accounts, two Rolex watches and a Mercedes SUV, and is in the process of forfeiting a Porsche Panamera.
Those under arrest face up to 10 years in prison for each money laundering charge and 7.5 years on the conspiracy to commit access device fraud charge, restitution, and up to $250,000 (£163,000) in fines. They'll also likely lose anything they bought with the fraudulent funds.
The arrested defendants include Jael Mejia Collado, Joan Luis Minier Lara, Evan Jose Peña, Jose Familia Reyes, Elvis Rafael Rodriguez, Emir Yasser Yeje, and Chung Yu-Holguin, all residents of Yonkers, New York.