Share This Page

Cybergang swipes $45M across globe

| Thursday, May 9, 2013, 9:39 p.m.

NEW YORK — A worldwide gang of criminals stole $45 million in a matter of hours by hacking their way into a database of prepaid debit cards and draining cash machines around the globe, federal prosecutors said on Thursday — and outmoded card technology may be partly to blame.

Seven people are under arrest in the United States in the case, which prosecutors said involved thousands of thefts from ATMs using bogus magnetic swipe cards carrying information from Middle Eastern banks. The fraudsters moved with astounding speed to loot financial institutions around the world, working in cells, including one in New York, Brooklyn U.S. Attorney Loretta Lynch said.

She called it “a massive 21st-century bank heist” carried out by brazen thieves.

One of the suspects was caught on surveillance cameras, his backpack increasingly loaded down with cash, authorities said. Others took photos of themselves with giant wads of bills as they made their way up and down Manhattan.

Here's how it worked:

Hackers got into bank databases, eliminated withdrawal limits on pre-paid debit cards and created access codes.

Others loaded that data onto any plastic card with a magnetic stripe — an old hotel key card or an expired credit card worked fine as long as they carried the account data and correct access codes.

A network of operatives fanned out to withdraw money rapidly in multiple cities, authorities said. The cells would take a cut of the money, then launder it through expensive purchases or ship it wholesale to the global ringleaders. Lynch didn't say where they were located.

The targets were reserves held by banks to fund prepaid credit cards, not individual account holders, Lynch said.

She called it a “virtual criminal flash mob,” and a security analyst said it was the biggest ATM fraud case she had heard of.

There were two attacks, one in December that reaped $5 million worldwide and one in February that snared about $40 million in 10 hours with about 36,000 transactions. The scheme involved attacks on two banks, Rakbank in the United Arab Emirates and the Bank of Muscat in Oman, prosecutors said.

Aside from New York, ATMs were plundered in Japan, Russia, Romania, Egypt, Colombia, Britain, Sri Lanka, Canada and several other countries, and law enforcement agencies from more than a dozen nations were involved in the investigation, U.S. prosecutors said.

The accused ringleader in the U.S. cell, Alberto Yusi Lajud-Pena, was reportedly killed in the Dominican Republic late last month, prosecutors said. More investigations continue and arrests have been made in other countries, but prosecutors did not have details.

An indictment unsealed Thursday accused Lajud-Pena and the other seven New York suspects of withdrawing $2.8 million from hacked accounts in less than a day.

Such ATM fraud schemes are not uncommon, but the $45 million stolen was at least double the amount involved in previously known cases, said Avivah Litan, an analyst who covers security issues for Gartner Inc.

“It's a really easy way to turn digits into cash,” Litan said.

Some of the fault lies with the ubiquitous magnetic strips on the back of cards. The rest of the world has largely abandoned cards with magnetic strips in favor of ones with built-in chips that are nearly impossible to copy. But because U.S. banks and merchants have stuck to cards with magnetic strips, they are accepted around the world.

Lynch would not say who masterminded the attacks globally, who the hackers are or where they were located, citing the investigation.

The New York suspects were U.S. citizens originally from the Dominican Republic who lived in the New York City suburb of Yonkers and were mostly in their 20s. Lynch said they all knew one another and were recruited together, as were cells in other countries. Each is charged with conspiracy and money laundering. A conviction carries as much as 10 years in prison.

Arrests began in March. Lajud-Pena was found dead with a suitcase full of $100,000 in cash. Dominican officials said they arrested a man in the killing who said it was a botched robbery, and two other suspects were on the lam.

TribLIVE commenting policy

You are solely responsible for your comments and by using TribLive.com you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.