Eight Charged Over “Unlimited” $45m Cyber Bank Heist

In what may amount to one of the most brazen and well-executed cyber crime campaigns in history, financial institutions lost $45 million (£29m) after organised gangs raided their systems and then their coffers, US law enforcement revealed today.

It has led to the indictment of eight individuals in America today. The defendants are accused of forming the US cell of a global gang, which allegedly hacked into systems of credit card processors to steal prepaid debit card data to carry out their bank heists.

A 21st century bank heist

So-called “cashers” then created cards by encoding magnetic stripe cards, such as gift cards, with the stolen data, according to the Secret Service, which led the investigation.

The crooks then coordinated a time to withdraw funds from cash machines, using compromised PIN numbers, to avoid detection and withdraw the largest amount possible before the banks cottoned on, US law enforcement said.

Before that, the hackers removed withdrawal limits and made account balances unlimited. That’s why, on the dark web, crooks refer to the techniques used as an “Unlimited Operation”, the US Department of Justice said.

According to the four-count indictment, the US crew took $2.8 million out in a matter of hours. Seven of the eight indicted have been arrested, whilst the other, Alberto Yusi Lajud-Peña, also known as “Prime” and “Albertico”, was reportedly murdered in April in the Dominican Republic.

The indictment claimed Alberto Yusi Lajud-Peña, 23, was the leader of the New York cell.

It’s believed the gang spanned 26 countries. It was claimed two such “Unlimited Operations” were carried out between October 2012 and April 2013.

The first targeted a firm that processed transactions for prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, also known as RAKBANK, in the United Arab Emirates.

It saw more than 4,500 ATM transactions conducted in approximately 20 countries around the world, causing $5 million in losses to the credit card processor and RAKBANK. The US group allegedly took out $400,000 from over 140 different ATM locations in New York.

The second campaign was far more devastating, US police said. The hackers again breached the network of a credit card processor that serviced MasterCard prepaid debit cards, this time issued by the Bank of Muscat, in Oman.

In total, over just ten hours in one day in February, $40 million was illegally withdrawn.

Brazen crooks

The crooks weren’t shy about using the stolen funds either. On one day, the US crooks strolled into a bank branch in Miami, Florida to deposit $150,000 in the form of 7,491 $20 bills into an account controlled by defendant Alberto Yusi Lajud-Peña.

The defendants face a maximum sentence of 10 years’ imprisonment on each of the money laundering charges and 7.5 years on the conspiracy to commit access device fraud charge, and up to $250,000 in fines.

“As charged in the indictment, the defendants and their co-conspirators participated in a massive 21st century bank heist that reached across the Internet and stretched around the globe. In the place of guns and masks, this cyber crime organisation used laptops and the Internet,” said Loretta E Lynch, United States Attorney for the Eastern District of New York.

UPDATE: Reuters has reported two Dutch people have been arrested by German police in relation to the crime. Two individuals had allegedly visited Dusseldorf to withdraw funds.

Cops, Villains and Victims: Try our IT Law quiz!

Originally published on eWeek.