The great $45m bank cyber-heist: Seven New Yorkers cuffed

Gang accused of turning gift cards into debit cards


Crooks allegedly stole $45m in hours from ATMs after hacking into a database of prepaid debit cards.

The gang created counterfeit cards using the data swiped from two Middle Eastern banks, investigators claim, and emptied the compromised accounts of greenbacks as quickly as possible – thus minimising the possibility that the scam would be detected in time to block the cards and foil the plot. As well as lifting the data, the gang is said to have used other hacking techniques to boost their cash-withdrawal limits.

Eight people are accused of being members of the New York cell of the operation, which allegedly withdrew $2.8m in cash from hacked accounts. They were named as suspects in an indictment unsealed on Thursday. All of them, we're told, live in Yonkers, New York.

Seven of the defendants have been arrested and charged "variously with conspiracy to commit access device fraud, money laundering conspiracy, and money laundering," according to the Feds.

The first to be cuffed tried to flee from the US to the Dominican Republic on March 27, according to a US Department of Justice statement on the case.

The indictment also charges an eighth defendant, Alberto Yusi Lajud-Peña (aka Prime and Albertico), 25, who was reportedly murdered late last month in the Dominican Republic. It is understood that Lajud-Peña was shot dead at his house while playing dominoes with friends about two weeks after returning home from the US. He was named by US investigators as the leader of the New York cell. Lajud-Peña's murder by two masked men was allegedly motivated by disputes over how to split the loot from the digital heist, according to local news outlet La Nacion Dominicana.

It is alleged that the e-robbery was known to denizens of the internet underworld as "Unlimited Operation" – prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, also known as RAKBANK, in the United Arab Emirates, and the Bank of Muscat, Oman, were drained of cash in the hack, according to prosecutors.

We're told the main hacking phase of the operation ran between October 2012 and April 2013. During this period, cybercrooks as said to have distributed stolen prepaid debit card numbers to trusted associates in 26 countries around the world.

These associates are said to have operated cells – or teams of "cashers" – encoding magnetic stripe cards, such as gift cards, with the compromised debit card data. The subsequent release of PINs for hacked accounts fired the starting gun for a coordinated, international cash out operation involving cash withdrawals from ATMs across the globe, investigators say.

Two separate cash-out operations occurred on December 22, 2012 against RAKBANK, and on 19 February into the early hours of 20 February against Bank of Muscat. Before the pull was spotted by RAKBANK and its unnamed Indian card processor, it had suffered $5m in losses through more than 4,500 ATM fraudulent transactions in 20 countries. Bank of Muscat was hit even harder with $40m in losses through 36,000 fraudulent ATM transactions in 24 countries.

"From 3pm on February 19 through 1.26am on February 20, the defendants and their co-conspirators withdrew approximately $2.4 million in nearly 3,000 ATM withdrawals in the New York City area," according to the Feds.

The fraud was carried out against just 12 no-limits compromised accounts at the Bank of Muscat, and prompted an official statement by the bank to the stock exchange in Oman in late February, as we reported at the time.

When the fraud was detected and the cards cancelled, the casher cells are said to have laundered the proceeds, often through the purchase of luxury goods such as expensive watches and sports cars, before keeping a proportion for themselves and kicking money back up to the cybercrime kingpins and hackers masterminding the scam. If the Feds know where the real masterminds of the scam are located, they aren't saying – at least for now.

US authorities have seized hundreds of thousands of dollars in cash and bank accounts, two Rolex watches and a Mercedes SUV, and are in the process of seizing a Porsche Panamera, all linked to the scam.

The investigation into the cyberfraud was led by the US Secret Service, which worked with MasterCard, RAKBANK, and the Bank of Muscat in unravelling the scam, as well as law enforcement agencies in Japan, Canada, Germany, and Romania, and authorities in the United Arab Emirates, Dominican Republic, Mexico, Italy, Spain, Belgium, France, the United Kingdom, Latvia, Estonia, Thailand, and Malaysia.

Prepaid debit cards are used by many employers to pay staff, and by charitable organizations to distribute disaster-assistance funds.

The Unlimited Operations mega-scam may have been the biggest of its type, but it's not the first time cybercrooks have looted prepaid debit card accounts after hacking into bank databases. Much the same methodology was employed in a ATM fraud against cards issued by RBS WorldPay in November 2009 that netted crooks $9m, for example, as cybercrime blogger Gary Warner noted.

Costin Raiu, director of global research & analysis team at Kaspersky Lab, commented: "This is no doubt one of the biggest and quickest thefts we have seen. So far, it seems no customers were affected, because the hackers targeted prepaid cards from certain banks, so the banks are the only victims. Nevertheless, it's a VERY serious incident and it raises a lot of questions about the security of the current payment systems."

Raiu added that the success of the attack relied on the use of mag-stripe technology instead of harder-to-forge plastic smartcards in many countries in the world.

"I'd like to draw the attention to the fact that in US, the insecure magnetic stripe is still used when performing payments with cards; this has been mostly abandoned everywhere in Europe and replaced by the more secure chips," Raiu said.

"The cybercriminals specialised in carding focus on replicating real cards on 'blank' cards by reprogramming the magnetic stripe," he added. "A lot of these attacks would go away by getting rid of the stripe and updating the US payment systems to use the chips. Even then, it's true that the attacks won't go away, but they will for sure decrease or become a lot harder. I believe it makes sense for the banks to invest into upgrading the cards in the US and worldwide." ®

Similar topics

Broader topics

Narrower topics


Other stories you might like

  • World Economic Forum wants a global map of online crime
    Will cyber crimes shrug off Atlas Initiative? Objectively, yes

    RSA Conference An ambitious project spearheaded by the World Economic Forum (WEF) is working to develop a map of the cybercrime ecosystem using open source information.

    The Atlas initiative, whose contributors include Fortinet and Microsoft and other private-sector firms, involves mapping the relationships between criminal groups and their infrastructure with the end goal of helping both industry and the public sector — law enforcement and government agencies — disrupt these nefarious ecosystems.  

    This kind of visibility into the connections between the gang members can help security researchers identify vulnerabilities in the criminals' supply chain to develop better mitigation strategies and security controls for their customers. 

    Continue reading
  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading
  • NSO claims 'more than 5' EU states use Pegasus spyware
    And it's like, what ... 12, 13,000 total targets a year max, exec says

    NSO Group told European lawmakers this week that "under 50" customers use its notorious Pegasus spyware, though these customers include "more than five" European Union member states.

    The surveillance-ware maker's General Counsel Chaim Gelfand refused to answer specific questions about the company's customers during a European Parliament committee meeting on Thursday. 

    Instead, he frequently repeated the company line that NSO exclusively sells its spyware to government agencies — not private companies or individuals — and only "for the purpose of preventing and investigating terrorism and other serious crimes."

    Continue reading
  • Interpol anti-fraud operation busts call centers behind business email scams
    1,770 premises raided, 2,000 arrested, $50m seized

    Law enforcement agencies around the world have arrested about 2,000 people and seized $50 million in a sweeping operation crackdown of social engineering and other scam operations around the globe.

    In the latest action in the ongoing "First Light", an operation Interpol has coordinated annually since 2014, law enforcement officials from 76 countries raided 1,770 call centers suspected of running fraudulent operations such as telephone and romance scams, email deception scams, and financial crimes.

    Among the 2,000 people arrested in Operation First Light 2022 were call center operators and fraudsters, and money launderers. Interpol stated that the operation also saw 4,000 bank accounts frozen and 3,000 suspects identified.

    Continue reading
  • Cloud services proving handy for cybercriminals, SANS Institute warns
    Flying horses, gonna pwn me away...

    RSA Conference Living off the land is so 2021. These days, cybercriminals are living off the cloud, according to Katie Nickels, director of intelligence for Red Canary and a SANS Certified Instructor.

    "It's not enough to pay attention to the operating systems, the endpoints, said Nickels, speaking on a SANS Institute panel about the most dangerous new attack techniques at RSA Conference. "Adversaries, a lot of their intrusions, are using cloud services of different types."  

    And yes, living off the land (or the cloud), in which intruders use legitimate software and cloud services to deploy malware or spy on corporations and other nefarious activities, isn't a new type of attack, Nickels admitted. "But what's new here is the levels to which using cloud services [for cyberattacks] has risen." 

    Continue reading
  • Microsoft seizes 41 domains tied to 'Iranian phishing ring'
    Windows giant gets court order to take over dot-coms and more

    Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

    The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

    "Bohrium actors create fake social media profiles, often posing as recruiters," said Amy Hogan-Burney, GM of Microsoft's Digital Crimes Unit. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware."

    Continue reading
  • Cops' Killer Bee stings credential-stealing scammer
    Fraudster and two alleged accomplices nabbed in joint op

    An Interpol-led operation code-named Killer Bee has led to the arrest and conviction of a Nigerian man who was said to have used a remote access trojan (RAT) to reroute financial transactions and steal corporate credentials. Two suspected accomplices were also nabbed.

    The trio, aged between 31 and 38, were detained as part of a sting operation involving law enforcement agencies across 11 countries: Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nigeria, Philippines, Singapore, Thailand, and Vietnam. 

    The suspects were arrested in the Lagos suburb of Ajegunle and in Benin City, Nigeria. At the time of their arrests, all three men were in possession of fake documents, including fraudulent invoices and forged official letters, it is claimed.

    Continue reading

Biting the hand that feeds IT © 1998–2022