The U.S. government charged eight individuals with using data obtained by hacking into two credit card processors in a worldwide scheme that netted some $45 million within hours, a crime prosecutors described as one of the biggest bank heists in history.
The individuals formed the New York-based cell of a global cyber criminal organization that stole Mastercard, Inc., debit card data from two Middle Eastern banks, the Justice Department said. The information was used to make more than 40,500 withdrawals at automated teller machines in 27 countries, prosecutors said.
The cards were issued by National Bank of Ras Al-Khaimah in the United Arab Emirates and Bank of Muscat in Oman, prosecutors said.
Bank representatives could not be reached for comment outside of regular business hours.
The case demonstrates the major threat that cyber crime still poses to banks around the world. Security experts frequently identify electronic fraud as one of the key challenges facing banks today.
“Hackers only need to find one vulnerability to cause millions of dollars of damage,” said Mark Rasch, a former federal cyber crimes prosecutor, based in Bethesda, Maryland.
Authorities said they arrested seven of the eight defendants, all U.S. citizens and residents of Yonkers, New York. They are Jael Mejia Collado, Joan Luis Minier Lara, Evan Jose PeIna, Jose Familia Reyes, Elvis Rafael Rodriguez, Emir Yasser Yeje and Chung Yu-Holguin.
The eighth defendant charged in the indictment, Alberto Yusi Lajud-PeIna, also known as “Prime” and “Albertico,” was murdered on April 27 in the Dominican Republic, according to prosecutors. U.S. Attorney Loretta Lynch in Brooklyn, New York, who filed the charges, said at a press conference it was unclear whether the murder was related to the cybercrime case.
Prosecutors said the attacks, known as unlimited operations,’ occurred in two separate incidents in December 2012 and February 2013.
The hackers gained access to companies that process debit card transactions, eliminated the maximum withdrawal limits on the cards and then employed casher’ crews to take money out of ATMs around the world using the stolen data, prosecutors said.
After the cards were shut down, cashers laundered the proceeds, often by purchasing luxury goods, and sent a portion of the money back to the organization’s leaders, prosecutors said.
In the New York City area, the ring withdrew nearly $400,000 in less than three hours at more than 140 ATM locations, prosecutors said. On another occasion, approximately $2.4 million was collected in nearly 3,000 ATM withdrawals over a 10-hour stretch, according to prosecutors.
That makes the case the second biggest bank robbery in New York City history, Lynch said, after the so-called Lufthansa heist in which robbers stole millions in cash and jewelry from John F. Kennedy International Airport.
Lynch said it was likely that the headquarters of the global scheme is located outside the United States and that the current charges focused only on the New York-based cell. Investigators are examining whether other cells are operating elsewhere in the United States, she said.
In a statement, Mastercard said it had cooperated with law enforcement in the investigation and stressed that its systems were not involved or compromised in the attacks.