Eight members of a New York cybercrime cell have been indicted in a carefully coordinated heist that drained $45 million from thousands of ATMs in less than 24 hours.
In an federal indictment unsealed Thursday in Brooklyn, authorities charge the attacks were reminiscent of a suspense movie in which the defendants and their co-conspirators carried out a scheme dubbed “Unlimited Operation” because of the unlimited proceeds that were possible.
Authorities allege the cybergang hacked into a credit card processor’s networks and compromised prepaid debit cards to dramatically raise withdrawal limits or account balances. The card numbers were given to associates around the world (in at least 26 countries) to cash out the fake cards using compromised card data, including PINs, as quickly as possible. The cash was then spent on kickbacks or luxury goods, such as Porsche and Mercedes cars and Rolex watches, and spent around the world.
The global attacks were marked by “the surgical precision of the hackers carrying out the cyberattack.” Of the $45 million believed to have been stolen, $2.8 million came from New York City machines.
“As charged in the indictment, the defendants and their co-conspirators participated in a massive 21st century bank heist that reached across the Internet and stretched around the globe,” said U.S. Attorney Loretta Lynch in a prepared statement. “In the place of guns and masks, this cybercrime organization used laptops and the Internet. Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of ATMs in a matter of hours.”
Among the eight charged in the elaborate scheme were alleged New York ringleader Alberto Yusi Lajud-Pena, 23, also known as “Prime” and “Albertico.” He was reportedly murdered a few weeks ago in the Dominican Republic. Others included in the four-count federal indictment are Elvis Rafael Rodriguez, 24; Emir Yasser Yeje, 24; Joan Luis Minier Lara, 22; Evan Jose Pena, 35; Jose Familia Reyes, 24; Jael Mejia Collado, 23; and chung Yu-Holguin, 22.
According to the government’s filings, the first operation on December 22, 2012, targeted a credit card processor that processed transactions for prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, also known as RAKBANK, in the United Arab Emirates. “After the hackers penetrated the credit card processor’s computer network, compromised the RAKBANK prepaid card accounts, and manipulated the balances and withdrawal limits, casher cells across the globe operated a coordinated ATM withdrawal campaign,” the U.S. Justice Department outlined.
“In total, more than 4,500 ATM transactions were conducted in approximately 20 countries around the world using the compromised RAKBANK account data, resulting in approximately $5 million in losses to the credit card processor and RAKBANK. In the New York City area alone, over the course of just two hours and 25 minutes, the defendants and their co-conspirators conducted approximately 750 fraudulent transactions, totaling nearly $400,000, at over 140 different ATM locations in New York City.”
The second heist took place between the afternoon of February 19 and early morning of February 20, 2013. This time the target was a credit card processor that serviced MasterCard prepaid debit cards for the Bank of Muscat, located in Oman. “This attack was particularly devastating: Over the course of approximately 10 hours, casher cells in 24 countries executed approximately 36,000 transactions worldwide and withdrew about $40 million from ATMs.”
The global investigation involved assistance and cooperation from authorities from numerous countries, including MJapan, Canada, Germany, Romania, the United Arab Emirates, Dominican Republic, Mexico, Italy, Spain, Belgium, France, United Kingdom, Latvia, Estonia, Thailand and Malaysia.