International Cyberthieves Stole $40 Million from a Bank in Ten Hours

Create phony bank account, withdraw ill-gotten cash, repeat 40,000 times, via.

In December 2012, and again in February of this year, a couple of highly coordinated cyberattacks targeted two Middle Eastern banks—Oman’s Bank of Muscat and the United Arab Emirates’ Bank of Ras Al Khaimah—in a $45-million heist that evidently surprised the shit out of authorities and "impressed" cybercrime experts worldwide. It was only announced late last week that the heist occurred, and it’s believed that operations in 27 countries led to the grand total of $45 million stolen. That said, arrests have only been made in the United States (one of the suspects was caught with an iPhone full of cash-filled selfies) and Germany—which is extra crazy because the authorities believe the ringleaders were working outside of the United States. So, where are the rest of these digital bank robbers and their ringleaders?

To make matters even more intense, news broke on Saturday morning that the man believed to be leading the American wing of this global-bank-robbing scheme was executed in the Dominican Republic in late April. It doesn’t take a massive stretch of the imagination to conclude that someone is trying to prevent the information that was swirling around in that man’s head—i.e., how these cyberbank robbers were able to steal so much money from the banking system, without causing any alarms that would freeze the tampered accounts they were using—from being spilled out into the hands of the authorities. When his body was found, there was $100,000 of cash in his residence, along with an assault rifle, telescopic sight, and three pistols. According to Reuters, the American operation alone, allegedly led by this dead man, netted $2.4 million in stolen cash, taken from over 3,000 ATMs, within ten hours. This part of the story alone can now be referred to simply as the second-largest bank robbery in New York’s history.

From all the reports that are out now, it appears that these bank thieves hacked into two different credit card processing companies: one in India, which has admitted to a system breach, and one in the United States. Once they got in there, they accessed the companies’ prepaid credit card databases, took a bunch of the account numbers, increased their credit limits, erased their withdrawal limits, and passed that information out to people known as “cashers” who were able to create cards that would be able to access these newly tampered accounts. Between the heists in December and February, it’s alleged that over 40,000 withdrawals were processed.

This technique is known as “unlimited operations”—which refers to the breaches in credit card limits and the demolition of typical withdrawal minimums. This, of course, allows cybercriminals to take out a ton of money in a short time. CRN picked up some New York court documents pertaining to this case that stated: “Successful unlimited operations are rare events requiring a high degree of technical proficiency, coordination and patience on the part of the criminal actors.” So clearly, the world is dealing with some incredibly advanced, internet-based bank robbers who are hungry for stolen cash.

So far a total of nine people (plus the one dead suspect in the Dominican Republic) have been arrested in connection with the heists, but authorities claim that hundreds of people, worldwide, are involved. Apparently, the organizers use “money mules” to head out into the world with compromised bank cards and physically withdraw cash—these mules, in the past, have actually been tricked into thinking they are doing legitimate work for an ostensibly bullshit business.

Loretta Lynch, a US Attorney in New York, said at a press conference that American authorities had worked with law enforcement agencies in “Japan, Canada, Germany, Romania, the United Arab Emirates, Dominican Republic, Mexico, Italy, Spain, Belgium, France, United Kingdom, Latvia, Estonia, Thailand, and Malaysia” in an attempt to put all of the pieces of this cybercrime ring together.

It will be very interesting to see whether or not further arrests pop up in these allegedly affected countries—and if the supreme leaders of this criminal operation are ever revealed and captured. Lynch also said that the men involved in the New York operation were sending 20 percent of their proceeds back to organizers. So it would follow that the authorities have some idea of who the organizers are. There have been reports of email exchanges that describe wire transfers linking back to Russia. Plus, stolen funds have also, apparently, been linked back to a Russian money-laundering ring.

The number of thieves who have so far escaped prosecution in connection to this global bank heist is a stupefying accomplishment. While the German suspects, who are now in custody, were caught withdrawing 170,000 euros, and the American team was responsible for $2.4 million in cash, that still leaves over $43 million unaccounted for. The banks are left with an “uncertain path” on how to get all their cash back since it doesn’t seem like the authorities have too great of an idea on how these hundreds of people stole millions of dollars from the banks in a very short time.

Given the recent assassination of the alleged American kingpin, it would appear that there is a lot on the line—for those powerful enough to coordinate a multimillion-dollar cyberheist and have people killed at will to presumably protect their secrets—so it’s anyone’s guess as to whether more information will trickle out into the public.

One thing can be said right now: recent advancements in cybercrime are astoundingly complex and reaching epic scales. Couple that with the fact that this heist didn’t actually target any civilian accounts—this money was purely stolen from the banks—and most comment sections covering this story will tell you that public sympathy for the banks is pretty fucking low. It's a perfect storm, in that this case is clearly hard to prosecute and inoffensive to the public at large. Regardless, what we have here is a cybercrime story of 007 proportions that will require a lot of investigative power to ensure the authorities understand this crime as quickly as possible, and prevent it from happening again, on an even wider scale.

Follow Patrick on Twitter: @patrickmcguire

Read more about cybercrime:

Speaking with the SEA about Hacking the Onion's Twitter Account