German gets 4 years in clink for $14 MILLION global ATM fraud

‘No such thing as anonymity in the cyber world’ says Secret Service agent


A German man has been sentenced to 50 months in prison and ordered to repay $14m after he hacked into US banks, stealing debit card data and even removed withdrawal limits.

Qendrim Dobruna, 29, also known as "closEd" and "cLoz", stole card data and spread it worldwide. The stolen credentials were used to make fraudulent ATM withdrawals in excess of $14m in a single weekend, according to the US Attorney's Office.

"The defendants and his co-conspirators participated in a massive 21st Century heist that stretched around the globe," said Kelly T. Currie, acting US attorney for the Eastern District of New York.

"Using sophisticated methods, the organisation reached into the computer systems of American-based corporations and transmitted illegally obtained private financial information to confederates in 18 different countries who stole millions of dollars from hundreds of ATMs in a matter of hours," added Currie.

Dobruna's crimes took place between 27 February and 1 March 2011. He and his gang conducted an "unlimited operation", which began with them hacking into the computer systems of a credit card processor.

There they compromised prepaid debit card accounts and removed the withdrawal limits and account balances of those accounts. The elimination enabled the criminals to withdraw unlimited amounts of cash until the operation was shut down.

To manage that, the organisation distributed the hacked prepaid debit card numbers to trusted associates around the world, who then immediately withdraw cash from ATMs.

At the end of an operation, when the cards are finally shut down, so-called "casher cells" launder the proceeds – often investing the operation's proceeds in luxury goods – and kick back money to the cybercrime organization's leaders.

"Today’s sentence serves as a warning to cybercriminals around the world that law enforcement is committed to solving these cybercrimes, no matter how sophisticated, and bringing the perpetrators to justice, wherever they may be found," said Currie.

"There is no such thing as anonymity in the cyber world," added Secret Service special agent in charge, Robert J. Sica, who added: "Secret Service agents utilise state-of-the-art investigative techniques to identify and pursue cyber criminals around the world."

The defendant, from his apartment in Stuttgart, Germany, participated in the cyber-attack by obtaining account information from his co-conspirators, who had directly hacked into the US-based financial institution's database. They then sold that account information to other co-conspirators over the net, including to an individual in Brooklyn, New York.

In announcing the guilty plea, Currie praised the efforts of the Secret Service in responding so rapidly to the attacks, and investigating both the complex network intrusions that occurred overseas and the criminal activity that took place locally. ®

Similar topics

Broader topics

Narrower topics


Other stories you might like

  • World Economic Forum wants a global map of online crime
    Will cyber crimes shrug off Atlas Initiative? Objectively, yes

    RSA Conference An ambitious project spearheaded by the World Economic Forum (WEF) is working to develop a map of the cybercrime ecosystem using open source information.

    The Atlas initiative, whose contributors include Fortinet and Microsoft and other private-sector firms, involves mapping the relationships between criminal groups and their infrastructure with the end goal of helping both industry and the public sector — law enforcement and government agencies — disrupt these nefarious ecosystems.  

    This kind of visibility into the connections between the gang members can help security researchers identify vulnerabilities in the criminals' supply chain to develop better mitigation strategies and security controls for their customers. 

    Continue reading
  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading
  • NSO claims 'more than 5' EU states use Pegasus spyware
    And it's like, what ... 12, 13,000 total targets a year max, exec says

    NSO Group told European lawmakers this week that "under 50" customers use its notorious Pegasus spyware, though these customers include "more than five" European Union member states.

    The surveillance-ware maker's General Counsel Chaim Gelfand refused to answer specific questions about the company's customers during a European Parliament committee meeting on Thursday. 

    Instead, he frequently repeated the company line that NSO exclusively sells its spyware to government agencies — not private companies or individuals — and only "for the purpose of preventing and investigating terrorism and other serious crimes."

    Continue reading
  • Never fear, the White House is here to tackle web trolls
    'No one should have to endure abuse just because they are attempting to participate in society'

    A US task force aims to prevent online harassment and abuse, with a specific focus on protecting women, girls and LGBTQI+ individuals.

    In the next 180 days, the White House Task Force to Address Online Harassment and Abuse will, among other things, draft a blueprint on a "whole-of-government approach" to stopping "technology-facilitated, gender-based violence." 

    A year after submitting the blueprint, the group will provide additional recommendations that federal and state agencies, service providers, technology companies, schools and other organisations should take to prevent online harassment, which VP Kamala Harris noted often spills over into physical violence, including self-harm and suicide for victims of cyberstalking as well mass shootings.

    Continue reading
  • Interpol anti-fraud operation busts call centers behind business email scams
    1,770 premises raided, 2,000 arrested, $50m seized

    Law enforcement agencies around the world have arrested about 2,000 people and seized $50 million in a sweeping operation crackdown of social engineering and other scam operations around the globe.

    In the latest action in the ongoing "First Light", an operation Interpol has coordinated annually since 2014, law enforcement officials from 76 countries raided 1,770 call centers suspected of running fraudulent operations such as telephone and romance scams, email deception scams, and financial crimes.

    Among the 2,000 people arrested in Operation First Light 2022 were call center operators and fraudsters, and money launderers. Interpol stated that the operation also saw 4,000 bank accounts frozen and 3,000 suspects identified.

    Continue reading
  • Cloud services proving handy for cybercriminals, SANS Institute warns
    Flying horses, gonna pwn me away...

    RSA Conference Living off the land is so 2021. These days, cybercriminals are living off the cloud, according to Katie Nickels, director of intelligence for Red Canary and a SANS Certified Instructor.

    "It's not enough to pay attention to the operating systems, the endpoints, said Nickels, speaking on a SANS Institute panel about the most dangerous new attack techniques at RSA Conference. "Adversaries, a lot of their intrusions, are using cloud services of different types."  

    And yes, living off the land (or the cloud), in which intruders use legitimate software and cloud services to deploy malware or spy on corporations and other nefarious activities, isn't a new type of attack, Nickels admitted. "But what's new here is the levels to which using cloud services [for cyberattacks] has risen." 

    Continue reading
  • Microsoft seizes 41 domains tied to 'Iranian phishing ring'
    Windows giant gets court order to take over dot-coms and more

    Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

    The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

    "Bohrium actors create fake social media profiles, often posing as recruiters," said Amy Hogan-Burney, GM of Microsoft's Digital Crimes Unit. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware."

    Continue reading

Biting the hand that feeds IT © 1998–2022