Hackers steal $45M in ATM card breach

Feds say global cash crews got into debit accounts, raised withdrawal limit limits


NEW YORK — It was a huge bank heist — but a 21st century version in which the robbers never wore ski masks, never threatened a teller, and never set foot in a vault.

In two precision operations that involved people in more than two dozen countries acting in close coordination, the organization was able to steal $45 million from thousands of ATMs in a matter of hours.

In New York City alone, eight people struck 2,904 machines over 10 hours on Feb. 19, withdrawing $2.4 million.

Federal prosecutors in Brooklyn unsealed an indictment on Thursday that charges eight members of the New York crew — including their suspected ringleader, who was found dead in the Dominican Republic on April 27.

Authorities called it one of the most sophisticated and effective cybercrime attacks ever uncovered.

“In the place of guns and masks, this cybercrime organization used laptops and the Internet,” said Loretta Lynch, the U.S. attorney in Brooklyn.

The indictment outlined how they were able to steal data from banks, relay that information to a far-flung network of “cashing crews,” and then launder the stolen money by buying high-end luxury items like Rolex watches and expensive cars.

In the first robbery, hackers were able to infiltrate the system of an unnamed Indian credit-card processing company that handles Visa and MasterCard prepaid debit cards.

The hackers — who are not named in the indictment — proceeded to raise the withdrawal limits on prepaid MasterCard debit accounts issued by the National Bank of Ras Al-Khaimah, which is in United Arab Emirates.

By eliminating the withdrawal limits, “even a few compromised bank account numbers can result in tremendous financial loss to the victim financial institution,” the indictment states.

With five account numbers in hand, the hackers distributed the information to individuals in 20 countries, who then encoded the data on magnetic stripe cards.

On Dec. 21, the “cashing crews” made 4,500 ATM transactions worldwide, stealing $5 million, according to the indictment.

But that robbery was just a prelude for what prosecutors said was a more brazen crime that took place two months later.

On Feb. 19, “cashing crews” stood at the ready at ATMs across Manhattan and in two dozen other countries waiting for word to spring into action.

This time, the hackers infiltrated a credit card processing company based in the United States that also handles Visa and MasterCard prepaid debit cards. The company’s name was not revealed in the indictment.

After securing 12 account numbers for cards issued by the Bank of Muscat in Oman and raising the withdrawal limits, the cashing crews were set in motion.

Starting at 3 p.m., the crews made 36,000 transactions and withdrew about $40 million from machines in the various countries in about 10 hours.

Surveillance photos of one suspect hitting various ATMs showed the man’s backpack getting heavier and heavier, Ms. Lynch said, comparing the robbery to the caper at the center of the movie Ocean’s 11.

The authorities did not provide details about how they became aware of the operation or whether any other arrests have been made. While the indictment suggests a far-reaching operation, there are no details about the people responsible for conducting the computer hacking or who might be leading the global operation.