The government charged eight people with using data obtained by hacking into two credit card processors in a worldwide scheme that netted some $45 million within hours, a crime prosecutors described as one of the biggest bank heists in history.
The individuals formed the New York-based cell of a global cybercriminal organization that stole MasterCard debit card data from two Middle Eastern banks, the Justice Department said. The information was used to make more than 40,500 withdrawals at automated teller machines in 27 countries, prosecutors said.
The cards were issued by National Bank of Ras Al-Khaimah in the United Arab Emirates and Bank of Muscat in Oman, prosecutors said.
Bank representatives could not be reached for comment outside of regular business hours.
The case demonstrates the major threat that cybercrime still poses to banks around the world. Security experts frequently identify electronic fraud as one of the key challenges facing banks.
"Hackers only need to find one vulnerability to cause millions of dollars of damage," said Mark Rasch, a former federal cybercrimes prosecutor in Bethesda, Md.
Authorities said they arrested seven of the eight defendants, all U.S. citizens and residents of Yonkers, NY. They are Jael Mejia Collado, Joan Luis Minier Lara, Evan Jose Peña, Jose Familia Reyes, Elvis Rafael Rodriguez, Emir Yasser Yeje and Chung Yu-Holguin.
The eighth defendant charged in the indictment, Alberto Yusi Lajud-Peña, also known as "Prime" and "Albertico," was murdered April 27 in the Dominican Republic, according to prosecutors. U.S. Attorney Loretta Lynch in Brooklyn, NY, who filed the charges, said at a press conference it was unclear whether the murder was related to the cybercrime case.
Prosecutors said the attacks, known as "unlimited operations," occurred in two separate incidents, in December 2012 and February 2013.
The hackers gained access to companies that process debit card transactions, eliminated the maximum withdrawal limits on the cards and then employed "casher" crews to take money out of ATMs worldwide using the stolen data, prosecutors said.
After the cards were shut down, cashers laundered the proceeds, often by buying luxury goods, and sent a portion of the money back to the organization's leaders, according to prosecutors.
In the New York area, the ring withdrew nearly $400,000 in less than three hours at more than 140 ATMs, the prosecutors said. On another occasion, about $2.4 million was collected in nearly 3,000 ATM withdrawals over 10 hours, they said.
This is the second-biggest bank robbery in New York City history, Lynch said, after the so-called "Lufthansa heist," in which robbers stole millions in cash and jewelry from John F. Kennedy International Airport.
Lynch said it was likely that the headquarters of the global scheme is outside the U.S., adding that investigators are also examining whether cells are operating elsewhere in this country.
In a statement, MasterCard said it had cooperated with law enforcement in the investigation and stressed that its systems were not involved or compromised in the attacks.
