U.S. Justice Department officials say the men formed the New York cell of the international crime ring, which used "sophisticated intrusion" methods to break into the computers of the credit card processor for MasterCard to steal debit cards issued by the National Bank of Ras Al-Khaimah PSC (RAKBANK) in the United Arab Emirates, on Dec. 22, 2012, and then between Feb. 19 and 20, 2013, to pilfer debit cards issued by the Bank of Muscat in Oman. The ring stole and manipulated the value of prepaid debit cards and then cashed them out in massive ATM withdrawals worldwide after each computer break-in.
"As charged in the indictment, the defendants and their co-conspirators participated in a massive 21st century bank heist that reached across the Internet and stretched around the globe. In the place of guns and masks, this cybercrime organization used laptops and the Internet. Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of ATMs in a matter of hours," said U.S. Attorney Loretta Lynch.
Law enforcement officials say the first of the two campaigns in late 2012 against RAKBANK resulted in $5 million in losses to the credit card processor and RAKBANK. The ring conducted more than 4,500 ATM withdrawals across 20 countries using the stolen RAKBANK accounts that were altered by the hackers to higher withdrawal limits. The New York City cell, including the defendants and co-conspirators, cashed out $400,000 in more than 140 ATMs.
The second campaign on February 19 and 20 of this year went after the same credit-card processor and stole MasterCard prepaid debit cards from the Bank of Muscat in an even bigger heist, with cells in 24 different countries withdrawing $40 million from ATMS with 10 hours via some 36,000 transactions. The New York cell cashed out $2.4 million from 3,000 ATM withdrawals in the city.
DOJ officials call this type of crime an "unlimited operation," where the hackers wipe out any account withdrawal limits to get as much cash as they can. These operations typically include targeted cyberattacks that span the globe, and quick, coordinated ground operations for cashing out at ATMs.
Cybercrime cases like these "demonstrate the importance of closely monitoring the internal corporate network for signs of a breach," says Gary Warner, director of research in computer forensics at the UAB Center for Information Assurance and Joint Forensics Research. "It takes time for the criminal to learn enough about your organization's internal workings to be able to take over and reset ATM balances. Quick detection of the breach is key to preventing" these problems, he wrote in a blog post today.
The indictment and other court filings in the case say Lajud-Pena was the head of the New York cell, and that he, Rodriguez, and Yeje laundered hundreds of thousands of dollars. The cell members also purchased Rolex watches, a Mercedes SUV, and a Porsche using money made in the scam. They could face 10 years of prison time on each money-laundering charge and 7.5 years on conspiracy to commit access device fraud, as well as up to $250,000 in fines.
The U.S. Secret Service investigated the cyberattacks and U.S.-based criminal activity, and law enforcement in Japan, Canada, Germany, and Romania all assisted in the investigation.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.