New York • A gang of cyber-criminals stole $45 million in a matter of hours by hacking their way into a database of prepaid debit cards and then fanning out around the globe to drain cash machines, federal prosecutors said Thursday.
Brooklyn U.S. Attorney Loretta Lynch called it "a massive 21st-century bank heist" and compared its size to the Lufthansa heist in the late 1970s immortalized in the film "Goodfellas." Lynch said the thieves had moved with astounding speed to loot financial institutions around the world.
Seven people are under arrest in the U.S. in connection with the case, which prosecutors said involved thousands of thefts from ATMs using bogus magnetic swipe cards. The accused ringleader in the U.S. cell, Alberto Yusi Lajud-Pena, was reportedly murdered in the Dominican Republic late last month with a suitcase full of about $100,000 in cash, prosecutors said. More investigations are ongoing and other arrests have been made in other countries, but prosecutors did not have details.
An indictment unsealed Thursday accused the eight of being members of the New York cell, saying they withdrew $2.8 million in cash from hacked accounts in less than a day. One of the suspects was caught on multiple surveillance cameras, his backpack increasingly loaded down with cash. Others took photos of themselves with giant wads of bills as they made their way up and down Manhattan.
Lynch said the cells would take a cut of the money then launder it through expensive purchases or ship it wholesale to the global ringleaders, but didn't say where they were located. Prosecutors said the scheme involved attacks on two banks, Rakbank, which is in the United Arab Emirates, and the Bank of Muscat in Oman. Hackers obtained debit card data, eliminated withdrawal limits on the accounts, created access codes and then sent a network of operatives fanning out to rapidly withdraw money in multiple cities, authorities said.
Lynch called it a "virtual criminal flash mob." She said they could use any plastic card to withdraw the cash an old hotel key card or an expired credit card as long as they had the account data and correct access codes.
There were two separate attacks, one in December and one in February. In the second attack, more than 36,000 transactions were made worldwide and about $40 million was stolen.
Lynch would not say who masterminded the attacks globally, who the hackers are or reveal their locations, citing an ongoing investigation.
The seven men arrested in New York were U.S. citizens originally from the Dominican Republic, lived in Yonkers and were mostly in their 20s. Lynch said they all knew each other and were recruited together, as were other cells in other countries. They were charged with conspiracy and money laundering. If convicted they face 10 years in prison.
Law enforcement agencies in Japan, Canada, Germany, Romania and 12 other countries have been involved in the investigation, U.S. prosecutors said.
Avivah Litan, an analyst who covers security issues for Gartner Inc., said Middle Eastern banks and payment processors are "a bit behind" on security and screening technologies that are supposed to prevent this kind of fraud, but it happens around the world, she said.
Some of the fault lies with ubiquitous magnetic stripes on the back of the cards. The rest of the world has largely abandoned cards with magnetic strips in favor ones with built-in chips that are nearly impossible to copy. Because U.S. banks and merchants have stuck to cards with magnetic stripes, they are still accepted in many places in the world.
In 1978, $5.8 million in cash was stolen from a Lufthansa Airlines vault at Kennedy Airport, a heist masterminded by Jimmy Burke, the inspiration for Robert De Niro's character in "Goodfellas."
Hackers obtained debit card data, eliminated withdrawal limits on the accounts, created access codes and then sent a network of operatives fanning out to rapidly withdraw money in multiple cities, authorities said.