Cyber caper: behind the scenes of the $45 million global ATM heist

Hackers coordinated with cells on the ground to carry out a precise, sophisticated attack

Defendants Elvis Rafael Rodriguez and Emir Yasser Yeje posing with approximately $40,000 in cash. Source: US Attorney, Eastern District of New York

If you’d been waiting for the ATM inside the deli at East 59th and Third in Manhattan on Tuesday, February 19th around 9:24PM, you would have been annoyed. A young man in a black beanie and puffy black jacket made seven withdrawals in a row, stuffing around $5,620 into his blue backpack. The man wasted no time. He exited the deli and headed up five blocks to repeat the process at four more ATMs, finishing his route at a Chase bank at 69th and Third at 9:55PM, where he made four withdrawals totaling $4,000.

While the man in the black beanie was beelining along the Upper East Side, seven of his co-conspirators were doing the same thing across Manhattan, repeatedly swiping prepaid debit cards that seemed to be limitless. An unknown number of fellow "cashiers" were doing the same thing in Japan and 24 other countries around the world at the same time. The cashiers in Japan were pulling in even greater hauls, thanks to the $10,000 withdrawal limits at some machines.

The man in the black beanie was part of a sophisticated "Unlimited Operation," according to prosecutors in New York. Hackers allegedly broke into the computer systems of at least two credit card processing companies, stole prepaid debit card account numbers and programmed them with astronomical balances. Normally, prepaid debit cards are capped according to how much the customer paid for the card; the hackers essentially created infinite cards.

Map of Reyes' alleged route withdrawing money from ATMs on February 19th. The numbers indicate the ATM cameras that allegedly captured him, in order. Source: US Attorney, Eastern District of New York

The account numbers were then emailed or texted to accomplices on the ground, who used a device called a "skimmer" to encode the account numbers onto the magnetic stripes of dummy cards. The groundlings then went on a withdrawal spree, hitting as many ATMs as they could in a matter of hours, while the hackers watched the transactions from behind remote screens, in real time. Between two tightly-coordinated heists, the shadowy criminal ring netted nearly $45 million in cash.

"The cyberattacks employed by the defendants and their co-conspirators in this case are known in the cyber underworld as ‘Unlimited Operations,’" the United States attorney for the Eastern District, which is prosecuting the case in New York, said in a statement. "These attacks rely upon both highly sophisticated hackers and organized criminal cells whose role is to withdraw the cash as quickly as possible."

Unlimited Operations are marked by three key characteristics, the attorney’s office said.

The first hallmark of an Unlimited Operation is the "surgical precision" with which the hackers broke into the financial institutions’ systems and then determined exactly which ATMs to hit and how much to withdraw at a time in order to avoid automatic withdrawal caps.

The second characteristic of an Unlimited Operation is global reach. The third is the speed and coordination, Ocean’s Eleven style, of the ground operation.

Cyberheist

Details are still emerging, but an international investigation has turned up eight suspects, who were all indicted in New York on April 25th, despite the fact that one of them is dead. The eight suspects were all members of the New York cell, according to the US attorney’s office, which was responsible for $2.8 million of the take (all in $20 bills, of course). Other cells carried out similar heists in Canada, Mexico, the Dominican Republic, Colombia, the UK, Belgium, France, the Netherlands, Germany, Spain, Italy, Bulgaria, Romania, Latvia, Estonia, Ukraine, Egypt, South Africa, Russia, the United Arab Emirates, Pakistan, Sri Lanka, Thailand, Malaysia, Indonesia, and Japan.

The US attorney’s office says that no others were involved in New York. If that’s the case, eight men made 705 ATM withdrawals in two hours and 24 minutes. That would mean each man made a withdrawal every 98 seconds.

"They became a virtual criminal flash mob, going from machine to machine, drawing as much money as they could, before these accounts were shut down," US attorney Loretta Lynch said at a press conference.

The ATM withdrawals happened so quickly that none of the financial institutions involved noticed in time to stop the thieves.

"One of the factors was the speed at which these transactions occurred," said Doug Johnson, vice president of risk management and policy at the American Bankers Association. "That frustrated detection to some degree."
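As an added defender-side example, not from the article or from the investigators, the two hallmarks described above, cumulative withdrawals far beyond a prepaid card's loaded value and a burst of withdrawals across many terminals and countries within minutes, can be expressed as simple velocity checks over a withdrawal log; the account ids, terminal ids, amounts, timestamps and funded balances below are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (account, terminal, country, timestamp, USD amount).
# Invented for illustration; not data from the case.
SAMPLE = [
    ("PP-0001", "ATM-NYC-01", "US", "2013-02-19T21:24:00", 800),
    ("PP-0001", "ATM-NYC-01", "US", "2013-02-19T21:25:10", 800),
    ("PP-0001", "ATM-NYC-02", "US", "2013-02-19T21:31:00", 800),
    ("PP-0001", "ATM-TYO-07", "JP", "2013-02-19T21:33:45", 10000),
    ("PP-0001", "ATM-NYC-03", "US", "2013-02-19T21:40:00", 800),
    ("PP-0001", "ATM-LON-02", "UK", "2013-02-19T21:41:30", 500),
    ("PP-0001", "ATM-NYC-04", "US", "2013-02-19T21:45:00", 800),
    ("PP-0002", "ATM-NYC-09", "US", "2013-02-19T18:00:00", 200),  # ordinary use
    ("PP-0002", "ATM-NYC-09", "US", "2013-02-20T09:15:00", 100),
]
# Constructed value originally loaded onto each prepaid card.
FUNDED = {"PP-0001": 500, "PP-0002": 500}


def flag_overdrawn(rows, funded):
    """Accounts whose cumulative withdrawals exceed the card's loaded value
    (the signature of a balance that was altered at the processor)."""
    total = defaultdict(int)
    for acct, _, _, _, amount in rows:
        total[acct] += amount
    return {a for a, t in total.items() if t > funded.get(a, 0)}


def flag_flash_mob(rows, window=timedelta(minutes=30), min_terminals=5, min_countries=2):
    """Accounts hitting many distinct terminals, or several countries,
    inside one sliding time window (the 'flash mob' signature)."""
    by_acct = defaultdict(list)
    for acct, term, country, ts, _ in rows:
        by_acct[acct].append((datetime.fromisoformat(ts), term, country))
    flagged = set()
    for acct, events in by_acct.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            if (len({t for _, t, _ in span}) >= min_terminals
                    or len({c for _, _, c in span}) >= min_countries):
                flagged.add(acct)
                break
    return flagged
```

Either check alone would have fired on the sample account within its first half hour of activity; in practice the funded-value check needs the processor's own balance record, which is exactly the data the attackers altered, so the velocity check is the more robust of the two.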

The hackers targeted specific financial service providers, according to the indictment, suggesting that they were aware of some security vulnerability. These providers were third-party processors that serviced MasterCard and Visa prepaid debit cards.

In the first attack, hackers breached an Indian credit card processor that handles Visa and MasterCard prepaid debit cards and stole five account numbers issued by the National Bank of Ras Al-Khaimah PSC. Those accounts were used to withdraw nearly $5 million in 20 countries.

In the second attack, hackers attacked a US-based processor that also handles Visa and MasterCard debit cards and grabbed 12 accounts issued by the Bank of Muscat. These accounts were used to withdraw nearly $40 million in 26 countries.

Busted

Prosecutors have not released details because the international investigation, involving the Secret Service, the Department of Homeland Security, and authorities from 11 countries, is ongoing. But at some point in the game, MasterCard figured out something was up, according to The New York Times, and alerted the Secret Service. The agency, which is responsible for criminal investigations related to the nation’s financial infrastructure, quickly got to work tracking down the thieves. Agents had an easy starting point: the men on the ground had had their pictures snapped by ATM cameras. The manhunt began.

The alleged leader of the group, 23-year-old Alberto Yusi Lajud-Peña, apparently attempted to escape to the Dominican Republic. His body was found on April 27th, after two hooded gunmen reportedly shot up the house where he was playing dominoes. "A manila envelope containing about $100,000 in cash remained untouched," according to the Times, suggesting that perhaps the organizers of the criminal ring had decided to dispose of witnesses.

The other members of the New York cell survived. But after cashing in, they also had to cash out. The next phase of the scheme was laundering, which involved distributing smaller sums of money across bank accounts and purchasing fantastically expensive luxury goods, including a $42,000 Rolex Yachtmaster II. They also allegedly purchased a Mercedes G63 AMG and a Porsche Panamera.

Eventually, the gang was rolled up. Elvis Rafael Rodriguez was apprehended at John F. Kennedy International Airport on March 27th. Evan Jose Peña was picked up at the Raceway Diner in Yonkers in April, where he apparently had both of his Rolex Oyster Perpetual Datejust watches on him. Their accomplices were variously arrested, and they were all indicted on April 25th on charges of conspiracy to commit access device fraud and money laundering.

The hackers who engineered the heists, however, remain at large.

'Increasing sophistication'

This isn’t the first time hackers have ripped off ATMs for millions of dollars. In the last year alone, cyberattacks let hackers take $2 million from European ATMs in 46 cities, and tens of millions of dollars were stolen from 12 European banks, according to research by Symantec.

The vulnerability that led to the hacks appears to lie somewhere in the complicated, fragmented system that relies on many providers to get customers cash on demand.

"There’s an increasing sophistication," Johnson, from the American Bankers Association, told The Verge. "As our systems get more sophisticated, so do the criminals. We as financial institutions are very well aware of the fact that we’re part of a new environment. The convenience that you enjoy as a consumer is something that a criminal tries to use to their advantage."

So has the traditional bank heist gone cyber? This hack and other similar crimes suggest that large-scale robbers are also becoming large-scale hackers, as computer crime against financial companies turns out to be an increasingly convenient way to net big money.