A bloodless bank heist that netted more than $45 million has left even cybercrime experts impressed by the technical sophistication, if not the virtue, of the con artists who pulled off an internationally organized attack.
On the creative side of the heist, a small team of highly skilled hackers penetrated bank systems, erased withdrawal limits on prepaid debit cards and stole account numbers. On the crude end, criminals used handheld devices to change the information on the magnetic strips of old hotel key cards, used credit cards and depleted debit cards.
Seven people were arrested in the U.S., accused of operating the New York cell of what prosecutors said was a network that carried out thefts at ATMs in 27 countries from Canada to Russia. Law enforcement agencies from more than a dozen nations were involved in the investigation, which was being led by the Secret Service.
Here’s how it worked:
First, the hackers, quite possibly insiders, broke into computer records at a few credit card processing companies, first in India and then the U.S. This has happened before but here’s what was new: They didn’t just take information. They actually raised the limit on prepaid debit cards kept in reserves at two large banks.
“It’s pretty scary if you think about it. They changed the account balances,” said Chris Wysopal, co-founder of security company Veracode.
The next step was technically simpler, almost an arts-and-crafts activity.
Crime ring members in 27 countries ran used plastic cards, just about anything with a standard magnetic strip, through handheld magnetic stripe encoders, widely available online for less than $300. Those devices allow users to change information on magnetic stripes or to write new cards with a simple swipe.
In this case, the stripes were rewritten with information from the hackers. That allowed the thieves to turn the cards into gold, instantly transforming them into prepaid debit cards with unlimited amounts of money stored on them.
On two pre-arranged days — once in December and again in February — criminals loaded with the lucrative debit cards and PIN numbers, headed into city streets around the world, racing from one ATM to the next, often taking out the maximum the cash machine would allow in a single transaction: $800.
In December, they worked for about 2 1/2 hours, reaping $5 million worldwide in about 4,500 transactions. Two months later, apparently buoyed by their success, they hit the ATMs for 10 hours straight, collecting $40 million in 36,000 transactions.
The New York money runners made off with $2.8 million, according to the indictment, a fraction of the total amount yielded by the heist.
Players kept a cut but sent the bulk of the money back to the masterminds through wire transfers and sometimes in person, prosecutors said.
One New York suspect, Elvis Rodriguez, 24, planned to travel to Romania in January to pay about $300,000 to organizers of the operation, but American Airlines canceled the reservation because the airline was concerned it had been booked with a stolen credit card, according to the criminal complaint. The reservation was canceled, but the suspect paid for the trip in cash, it said.
Authorities said they seized his iPhone and found a photo of him and another suspect posing with a stack of cash between them in a car.
“There were obviously a lot of … minds behind this exploit, and then there were the pawns, the mules. They are entirely exploitable,” said Phyllis Scheck, vice president at the security firm McAfee who has testified to Congress about how banks and small businesses need to prepare for cyber thieves.
“They executed while the iron was hot. They got in and got out,” she said.
In the end, the victims weren’t individuals. They were two banks, Rakbank in the United Arab Emirates and the Bank of Muscat in Oman, which had their card processors breached, prosecutors said.
In New York, the cell was led by Alberto Lajud Pena, 23, who was found dead in the Dominican Republic with $100,000 in cash on him, prosecutors said. A man arrested in his death told authorities it was a botched robbery, and two other suspects were on the lam.
About $2 million is still missing, officials said.
Some of the Biggest Bank Heists in History
Some other notable heists in recent years:
— 2006, London: Thieves take the equivalent of $92 million from a cash depot.
— 2005, Fortaleza, Brazil — Thieves take $70 million from Central Bank over an August weekend.
— 2004, Belfast, Northern Ireland: The Irish Republican Army holds families of bank employees hostage and steals $50 million in the biggest cash robbery in history.
— 2003, Iraq: $900 million in U.S. bills and as much as $100 million worth of euros is taken from Iraq Central Bank in thefts blamed on members of Saddam Hussein’s family.
— 1992, Toulon, France: Robbers strap a bank security guard with dynamite and lead him to the Bank of France, where safes are emptied of $30 million. Twenty suspects are arrested two months later.
— 1987, London — $65 million is stolen from Knightsbridge Safe Deposit Center.
— 1984, Rome — $21.8 million from Brink’s Securmark.
— 1983, London: Gold worth $37.5 million is stolen from a warehouse in the richest haul in British history.
— 1983, North Miami, Fla.: Two masked gunmen steal gold worth as much as $11 million from a smelting firm.
— 1983, London: A 14-member gang makes off with $10.5 million in bank notes from Security Express.
— 1983, London: Nine certificates of deposit worth $15 million are stolen from the Bank of Sepah-Iran.
— 1982, South Africa: Thieves steal $13 million in precious metals from Rustenburg Platinum Holdings Ltd.
— 1982, New York City: Two men break into the Sentry Armored Car Courier Co. office and rob it of $11 million in the largest cash robbery in U.S. history.
— 1978, New York City: $5.8 million in cash is stolen from a Lufthansa Airlines vault at Kennedy Airport in a heist masterminded by Jimmy Burke.
— 1976, Beirut: Robbers take $20 million to $50 million from safe deposit boxes at the British Bank of the Middle East.