Cyber-Attackers Stole $45M in Worldwide Fake ATM Card Breach
Hackers stole data from banks that was then encoded onto plastic cards.
May 9, 2013 — -- Eight defendants have been charged in the largest bank heist of its kind, a $45 million worldwide theft that took just hours using fabricated ATM cards.
Federal prosecutors said the cyber-theft was as intricate as a movie plot.
"This scheme was organized for months and planned down to the minute, reminiscent of the casino heist in 'Ocean's Eleven,'" said Loretta Lynch, U.S. attorney for the Eastern District of New York.
The scheme, which started overseas, was detailed in an indictment unsealed today. Unknown hackers stole data from banks that was then encoded onto plastic cards sent to crews in two dozen countries, according to the Justice Department. The local operatives went from ATM to ATM, withdrawing millions.
Lynch said she saw photos of one defendant in New York.
"Surveillance photos show his backpack getting heavier and heavier as his efforts go on," she said.
According to court records, the hackers targeted a credit card processor that handled prepaid debit card transactions for Rakbank in the United Arab Emirates.
In a separate attack, the hackers, who are unknown to prosecutors, targeted a processor that serviced MasterCard prepaid debit cards issued by the Bank of Muscat in Oman.
In each case, the cards were compromised, withdrawal limits were eliminated and the stolen data was encoded onto plastic cards distributed to local operatives in 27 countries, officials said. In total, more than 4,500 ATM transactions were conducted in approximately 20 countries around the globe.
"Instead of guns and masks, this cyber crime organization used laptops and malware," Lynch said.
The New York cell withdrew $3 million of the total $45 million stolen. In 25 minutes, the defendants and their co-conspirators conducted approximately 750 fraudulent transactions totaling nearly $400,000 at more than 140 different cash machines, according to the Department of Justice.
Seven members of the New York cell have been arrested. The eighth, Alberto Yusi Lajud-Pena, said to be the ringleader, was found murdered last month in the Dominican Republic.
The men have been charged variously with conspiracy to commit access device fraud, money laundering conspiracy and money laundering.
"New technologies and the rapid growth of the Internet have eliminated the traditional borders of financial crimes," said Steven Hughes, special agent in charge of the Secret Service office in New York.
The defendants also invested the stolen funds in portable luxury goods, including expensive watches and cars. Two Rolex watches, a Mercedes SUV, a Porsche Panamera, and hundreds of dollars in cash have at this point been seized by the U.S. government.
If convicted, the defendants face a maximum sentence of 10 years' imprisonment on each of the money laundering charges and 7 1/2 years on the conspiracy to commit access device fraud charge, as well as restitution and as much as $250,000 in fines.
Law enforcement agencies in Japan, Canada, Germany, Romania and 12 other countries were involved in the investigation.
The financial sector as a whole faces thousands of attempted cyber attacks per day -- from "probes" and "pings" to various attempts at disruption, intrusion or fraud, according to Greg Garcia, an advisor to the Financial Services Information Sharing and Analysis Center.
However, most of the attacks are stopped. The industry has many sophisticated tools and experts making the efforts more complicated and expensive for the criminals.
ABC News' Zunaira Zaki contributed to this report.