Russian Hackers Have Been Robbing US Banks for a Long Time

Illustration by Nick Gazin

In July 1994, Citibank officials notified the FBI of what was then a novel crime: Hundreds of thousands of dollars had simply disappeared from corporate bank accounts. By October of that year, the total had ballooned to $10 million. It was, according to the FBI, the first time that a bank robbery had been committed by a computer.

It wasn’t until the end of 1994 that Netscape Navigator, the first web browser to find major commercial success, was released. The finance industry was an early internet adopter, but security was lacking: Citibank officials claimed that the hacking team, led by Russian computer programmer Vladimir Levin, had used valid accounts to access the bank’s unencrypted cash-management system and steal passwords and account data.

After being notified of a pair of suspicious transactions totaling nearly $522,000, the FBI tracked the transfers to a pair of Russian nationals, Yevygeny and Yekaterina Korlokova, in San Francisco. According to statements from FBI agents who were part of a San Francisco white-collar-crime unit (the city did not yet have a cyber crime squad), Ekaterina rushed to her apartment after finding her fraudulent bank accounts had been frozen. As the story goes, she was arrested with suitcases packed and a one-way ticket to Russia in hand.

Following their arrest, the Korlokovas told the FBI that Levin was engineering the heists out of St. Petersburg, and they agreed to help track him down. In the spring of 1995, Levin was persuaded to visit London, where he was arrested. In January 1998, after being extradited to the US, he pleaded guilty to federal charges related to bank, wire, and computer fraud. He was sentenced to three years in prison and ordered to pay $240,000 in restitution. By that time, Citibank said it had recovered nearly all of the stolen funds and fixed its security measures to prevent a similar attack.

The theft kicked off two decades of the familiar cat-and-mouse game between increasingly sophisticated hackers and banks. And while $10 million seemed like an immense sum in 1994, the impact of cybercrime has grown by multiple orders of magnitude in the intervening decades. According to a 2014 report by the security firm McAfee, the global economic cost of cybercrime is now roughly $400 billion a year, with much of that cost directly hitting banks and retailers. In August, it was discovered that Russian criminals made off with $1.2 billion in user names and passwords from 420,000 websites, the largest known theft of online credentials in history.

Follow Derek Mead on Twitter