Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:56 AM
Dark Reading
Dark Reading
Products and Releases

Members Of New York Cell Of Cybercrime Organization Plead Guilty In $45 Million Cybercrime Campaign

Cyberattacks employed by the defendants and their co-conspirators known in the cyberunderworld as "Unlimited Operations"

BROOKLYN, NY – Earlier today, Evan Jose Peña pleaded guilty to participating in two worldwide cyberattacks that inflicted $45 million in losses on the global financial system in a matter of hours. Peña's plea followed two other guilty pleas in this case entered by defendants Emir Yasser Yeje and Elvis Rafael Rodriguez in October 2013. These three defendants were members of the New York-based cell of an international cybercrime organization that used sophisticated intrusion techniques to hack into the systems of global financial institutions, steal prepaid debit card data, and eliminate withdrawal limits. The stolen card data was then instantly disseminated worldwide and used in making fraudulent ATM withdrawals on a massive scale across the globe. The New York cell in which Pena, Yeje, and Rodriguez participated withdrew almost $2.8 million in a matter of hours.

The pleas were announced by Loretta E. Lynch, United States Attorney for the Eastern District of New York, and Steven Hughes, Special Agent in Charge, United States Secret Service, New York Field Office.

"These three defendants participated in a criminal flash mob, using data stolen through the most sophisticated hacking techniques to withdraw millions of dollars in mere hours in an unprecedented cyber heist," stated United States Attorney Lynch. "Their pleas demonstrate that the United States government will not relent in its efforts to investigate and prosecute the perpetrators of these financially devastating cyberattacks." Ms. Lynch expressed her grateful appreciation to the United States Secret Service, New York Field Office for their work on the investigation.

The "Unlimited Operation"

As alleged in the indictment and other court filings, the cyberattacks employed by the defendants and their co-conspirators in this case are known in the cyber underworld as "Unlimited Operations" -- through its hacking "operation," the cybercrime organization can access virtually "unlimited" criminal proceeds.

The "Unlimited Operation" begins when the cybercrime organization hacks into the computer systems of a payment card processor, compromises prepaid debit card accounts, and essentially eliminates the withdrawal limits and account balances of those accounts and also manipulates the security protocols that would alert the victim to the attack. The compromised card data is then distributed to cells worldwide who use the data to encode magnetic stripe cards to use at ATMs. These sophisticated techniques enable the participants to withdraw literally unlimited amounts of cash until the operation is finally detected and shut down. "Unlimited Operations" are marked by three key characteristics: (1) the surgical precision of the hackers carrying out the cyberattack, (2) the global nature of the cybercrime organization, and (3) the speed and coordination with which the organization executes its operations on the ground. These attacks rely upon both highly sophisticated hackers and organized criminal cells whose role is to withdraw the cash as quickly as possible.

The Defendants' Roles in the Charged Cyberattacks

Evan Peña, Elvis Rafael Rodriguez, and Emir Yasser Yeje participated in two recent "Unlimited Operations" of staggering size. The first operation, on December 22, 2012, targeted a payment card processor that processed transactions for prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, also known as RAKBANK, in the United Arab Emirates. After the hackers penetrated the credit card processor's computer network, compromised the RAKBANK prepaid card accounts, and manipulated the balances and withdrawal limits, casher cells across the globe operated a coordinated ATM withdrawal campaign. In total, more than 4,500 ATM transactions were conducted in approximately 20 countries around the world using the compromised RAKBANK account data, resulting in approximately $5 million in losses to the credit card processor and RAKBANK.

The second, and even more damaging, of these Unlimited Operations occurred on the afternoon of February 19 and lasted into the early morning of February 20, 2013. This operation again breached the network of a payment card processor that serviced MasterCard prepaid debit cards, this time issued by Bank Muscat, located in Oman. Again, after the cybercrime organization's hackers compromised Bank of Muscat prepaid debit card accounts and distributed the data, the organization's casher cells engaged in a worldwide ATM withdrawal campaign. Over the course of approximately 10 hours, cyber cells in 24 countries executed approximately 36,000 transactions worldwide and withdrew about $40 million from ATMs.

Peña, Rodriguez, and Yeje operated the New York cell of "cashers," who encoded magnetic stripe cards, such as gift cards, with the compromised card data. After receiving the compromised account information and personal identification numbers (PINs) for the hacked accounts, the defendants' cells sprang into action, immediately fanning out across the New York area making thousands of withdrawals from ATMs. During the RAKBANK Unlimited Operation, over the course of just two hours and 25 minutes, the defendants and their co-conspirators conducted approximately 750 fraudulent transactions, totaling nearly $400,000, at over 140 different ATM locations in New York City. The Bank Muscat Unlimited Operation was even more devastating. From 3 p.m. on February 19 through 1:26 a.m. on February 20, the defendants and their co-conspirators withdrew approximately $2.4 million in nearly 3,000 ATM withdrawals in the New York City area.

The defendants then passed portions of the proceeds back to the hackers organizing the attack and kept the rest for themselves. Notably, defendants Rodriguez and Yeje laundered hundreds of thousands of dollars in illicit cash proceeds. In one transaction alone, nearly $150,000 in the form of 7,491 $20 bills, was deposited at a bank branch in Miami, Florida, into an account controlled by defendant Alberto Yusi Lajud-Peña, who is now deceased. New York cell members also invested the criminal proceeds in portable luxury goods, such as expensive watches and cars. To date, the United States has seized hundreds of thousands of dollars in cash, bank accounts, and luxury merchandise, including two Rolex watches and a Mercedes SUV, and is in the process of forfeiting a Porsche Panamera. The Mercedes and Porsche were purchased with $250,000 in proceeds of this scheme.

In announcing the pleas, United States Attorney Lynch praised the extraordinary efforts of the Secret Service in responding to these attacks and investigating both the complex network intrusions that occurred overseas and the criminal activity occurring locally, and also expressed gratitude to U.S. Immigration and Customs Enforcement (ICE), Homeland Security Investigations (HSI) in New York for their assistance in this investigation. Ms. Lynch also thanked MasterCard, RAKBANK, and Bank Muscat for their cooperation with this investigation.

Today's plea took place before United States District Judge Kiyo A. Matsumoto. When sentenced, the defendants face up to 7.5 years in prison, as well as forfeiture and a fine of up to $250,000.

The government's case is being prosecuted by Assistant United States Attorneys Cristina Posa, Hilary Jager, David Sarratt, and Brian Morris.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-10
IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158015.
PUBLISHED: 2019-12-10
IBM SmartCloud Analytics 1.3.1 through 1.3.5 could allow a remote attacker to gain unauthorized information and unrestricted control over Zookeeper installations due to missing authentication. IBM X-Force ID: 159518.
PUBLISHED: 2019-12-10
Platform System Manager in IBM Cloud Pak System 2.3 is potentially vulnerable to CVS Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 165179.
PUBLISHED: 2019-12-10
IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 171245...
PUBLISHED: 2019-12-10
The Last.fm desktop app (Last.fm Scrobbler) through 2.1.39 on macOS makes HTTP requests that include an API key without the use of SSL/TLS. Although there is an Enable SSL option, it is disabled by default, and cleartext requests are made as soon as the app starts.