Global Network of Hackers Accused of Stealing $45 Million from ATMs

Global network of hackers
U.S. Attorney's Office/AP Images released by federal investigators show a man referred to as "defendant Reyes" allegedly using fraudulent magnetic cards to steal money from several cash machines in Manhattan (map).

NEW YORK -- The sophistication of a global network of thieves who drained cash machines around the globe of an astonishing $45 million in mere hours sent ripples through the security world, not merely for the size of the operation and ease with which it was carried out, but also for the threat that more such thefts may be in store.

Seven people were arrested in the U.S., accused of operating the New York cell of what prosecutors said was a network that carried out thefts at ATMs in 27 countries from Canada to Russia. Law enforcement agencies from more than a dozen nations were involved in the investigation, U.S. prosecutors in New York said Thursday.

"Unfortunately these types of cybercrimes involving ATMs, where you've got a flash mob going out across the globe, are becoming more and more common," said Rose Romero, a former federal prosecutor and regional director for the U.S. Securities and Exchange Commission.

"I expect there will be many more" of these types of crimes, she said.

Brooklyn U.S. Attorney Loretta Lynch, who called the theft "a massive 21st-century bank heist," announced the case Thursday in New York.

Here's how it worked:

Hackers got into bank databases, eliminated withdrawal limits on pre-paid debit cards and created access codes. Others loaded that data onto any plastic card with a magnetic stripe -- an old hotel key card or an expired credit card worked fine as long as it carried the account data and correct access codes.

A network of operatives then fanned out to rapidly withdraw money in multiple cities, authorities said. The cells would take a cut of the money, then launder it through expensive purchases or ship it wholesale to the global ringleaders. Lynch didn't say where they were located.

It appears no individuals lost money. The thieves plundered funds held by the banks that back up prepaid credit cards, not individual or business accounts, Lynch said.

Ori Eisen, a cybercrime expert and founder of 41st Parameter, a fraud detection and prevention firm, said the $45 million heist was on the "high-end" of what can be done by cybercriminals who exploit banking systems connected to the Internet.

"Given the scale of the global credit card networks, it is almost impossible to detect every kind of attack," he said. "This attack is not the last one, and if the modus operandi proves to be successful crooks will exploit it time and again."

There were two separate attacks in this case, one in December that reaped $5 million worldwide and one in February that snared about $40 million in 10 hours with about 36,000 transactions. The scheme involved attacks on two banks, Rakbank in the United Arab Emirates and the Bank of Muscat in Oman, prosecutors said.

Such ATM fraud schemes aren't uncommon, but the $45 million stolen in this one was at least double the amount involved in previously known cases, said Avivah Litan, an analyst who covers security issues for Gartner Inc.

Middle Eastern banks and payment processors are "a bit behind" on security and screening technologies that are supposed to prevent this kind of fraud, but it happens around the world, she said.

Magnetic Strips to Blame

"It's a really easy way to turn digits into cash," Litan said.

Some of the fault lies with the ubiquitous magnetic strips on the back of the cards. The rest of the world has largely abandoned cards with magnetic strips in favor of ones with built-in chips that are nearly impossible to copy. But because U.S. banks and merchants have stuck to cards with magnetic strips, they are still accepted around the world.

Lynch wouldn't say who masterminded the attacks globally, who the hackers are or where they were located, citing an ongoing investigation.

The New York suspects were U.S. citizens originally from the Dominican Republic who lived in the New York City suburb of Yonkers. They were mostly in their 20s. Lynch said they all knew one another and were recruited together, as were cells in other countries. They were charged with conspiracy and money laundering. If convicted, they each face 10 years in prison.

The accused ringleader in the U.S. cell, Alberto Yusi Lajud-Pena, was reportedly killed in the Dominican Republic late last month, prosecutors said. More investigations continue and other arrests have been made in other countries, but prosecutors did not have details.

An indictment unsealed Thursday accused Lajud-Pena and the other seven New York suspects of withdrawing $2.8 million in cash from hacked accounts in less than a day.

Arrests began in March.

Lajud-Pena was found dead with a suitcase full of about $100,000 in cash, and the investigation into his death is continuing separately. Dominican officials said they arrested a man in the killing who said it was a botched robbery, and two other suspects were on the lam.

The first federal study of ATM fraud was 30 years ago, when the use of computers in the financial community was growing rapidly. At the time, the Bureau of Justice Statistics found nationwide ATM bank loss from fraud ranged from $70 and $100 million a year.

By 2008, that had risen to about $1 billion a year, said Ken Pickering, who works in security intelligence at CORE Security, a white-hat hacking firm that offers security to businesses.

He said he expects news of the latest ring to inspire other criminals.

"Once you see a large attack like this, that they made off with $45 million, that's going to wake up the cybercrime community," he said.

"Ripping off cash, you don't get that back," he said. "There are suitcases full of cash floating around now, and that's just gone."


Associated Press technology writer Peter Svensson in New York, national writer Martha Mendoza in San Jose, Calif., and writer Ezequiel Abiú López in Santo Domingo, Dominican Republic, contributed to this report.

Increase your money and finance knowledge from home

Forex for Beginners

Learn about trading currencies and foreign exchange transactions

View Course »

Professional Vs Do it Yourself Investing

Should you get advice or DYI?

View Course »

Add a Comment

*0 / 3000 Character Maximum


Filter by:

Well, that sure is one way to get back some of that oil money !
But, only 45$ Mil ? They must have been slow.

May 11 2013 at 11:40 AM Report abuse rate up rate down Reply

If we weren't convinced before that our money isn't safe with banks, this certainly should convince us all. How can it be said that no customers lost money when it is individuals that deposit money onto their individual pre-paid cards.

May 11 2013 at 11:21 AM Report abuse rate up rate down Reply

Anyone who thinks the banks are hurting from all this is dreaming. This kind of thing is nothing new so the banks already have a system in place for protecting themselves from loss. The real losers, as always, are ordinary folks like you and I.

May 11 2013 at 10:52 AM Report abuse rate up rate down Reply

So let me understand this. Some small time thieves stole some money from the big time thieves. Well I guess this just shows that Karma DOES exist and it works. My only problem is that now the big time thieves [the banking world] is going to steal from us at a bigger rate than before and probably get the goverment [all of us taxpayers] to foot the bill.

May 11 2013 at 9:40 AM Report abuse rate up rate down Reply
1 reply to bfgair's comment


May 11 2013 at 10:07 AM Report abuse rate up rate down Reply

I agree with rb7583. Your government (U.S.) lets everyone into your country. Background checks are virtually unknown. Well, you do deport a few Mexicans and make a big deal out of it which is the least of the problems. Obviously nothing has been learned in the last 20 years of attacks and bombings and all the way to the Boston attack and now the theft and millions from the banks not to mention the Chinese steal or you give them your technology and now turn them against you. Your political correctness and cavalierly attitude damages your country but the rest of the world as well.

May 11 2013 at 9:34 AM Report abuse +1 rate up rate down Reply

sweet... a victimless crime

May 11 2013 at 8:54 AM Report abuse rate up rate down Reply

Thats why I don,t like ATM,s or debit cards, I will continue using cash

May 11 2013 at 8:06 AM Report abuse rate up rate down Reply
1 reply to whelaniii's comment

I don't like ATM's either for one good reason (although there are more!)! But the one problem with the ATM is if it tells you you have a zero balance---when you precisely know that you have $30,000 dollars in your account----it will tell you that for 1000 years, pretty much no matter how many numbers or passwords you type in!! But facing a human teller, at least that teller will say, "Well let me check such-and-such!", or the teller will say. "let me get a supervisor to look into this!" An ATM simply will not do that, since it has a one track program. That's the difference!!

May 11 2013 at 10:15 AM Report abuse rate up rate down Reply

Yep, that is right, US citizens from another country who were probably provided citizenship without any constraints as to having a means of supporting themselves, zero background checks i am certain. Stick these theives in jail then deport them when they get out in 6 months due to overcrowding and being a minority who needs our sympathy. Pitiful.

May 11 2013 at 7:44 AM Report abuse +2 rate up rate down Reply

The banks won't lose. They'll just raise our fees once more, to make it up.

May 11 2013 at 7:37 AM Report abuse +2 rate up rate down Reply
1 reply to Bob's comment

That's it, blame the banks for being robbed.

May 11 2013 at 7:45 AM Report abuse +1 rate up rate down Reply

WOuldn't it be something if these tykes would use their brians and other gifts for something good?

May 10 2013 at 6:07 PM Report abuse rate up rate down Reply