The U.S. Government has charged eight people in a cyber-scheme that prosecutors say used stolen prepaid debit card data to drain millions of dollars from two banks in a matter of hours.
The suspects belonged to the New York cell of an international operation that broke into computer networks of companies that process MasterCard debit card transactions to steal data they used to withdraw $45 million from automated teller machines, the Department of Justice charged in an indictment unsealed today in U.S. District Court in Brooklyn.
In New York City alone, the defendants allegedly netted $2.4 million via 3,000 ATM withdrawals over the course of about 13 hours, according to law enforcement authorities.
The cards were issued by National Bank of Ras Al-Khaimah in the United Arab Emirates, known as RAKBANK, and Bank of Muscat in Oman. RAKBANK's processor is based in India, and Bank of Muscat's processor is based in the U.S. Their identities are known to the grand jury, according to the indictment, but they have not been disclosed publicly.
"As charged in the indictment, the defendants and their co-conspirators participated in a massive 21st century bank heist that reached across the Internet and stretched around the globe," U.S. Attorney Loretta Lynch charged in a press release.
According to Lynch, the group "worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of ATMs in a matter of hours."
Seven people said to be residents of Yonkers, N.Y., were arrested on the charges, prosecutors said: Jael Mejia Collado, Joan Luis Minier Lara, Evan Jose Peña, Jose Familia Reyes, Elvis Rafael Rodriguez, Emir Yasser Yeje and Chung Yu-Holguin.
Prosecutors also charged an eighth defendant, Alberto Yusi Lajud-Peña, who is reported to have been murdered in April in the Dominican Republic.
Lawyers for the defendants could not be reached immediately.
According to prosecutors, over the course of months, the cell hacked its way into processors' computers, where itincreased balances and eliminated withdrawal limits on the debit card accounts.
The cell distributed the hacked cards' account numbers to conspirators in 26 countries, who allegedly encoded magnetic-stripe cards with the hacked information that they later matched with PINs received from the hackers.
With the PINs in hand, the cell's members allegedly fanned out to withdraw as much money from ATMs as they could before the cards were finally shut down. The network later laundered the funds, often by buying luxury goods, and funneled a portion of the proceeds to the group's leaders, prosecutors said.
Prosecutors said the attacks occurred in two phases: one in December and the other in February.
In the December attack, the group allegedly carried out more than 4,500 ATM transactions in 20 countries around the world, resulting in roughly $5 million in losses to the processor and RAKBANK.
In the February attack, the group allegedly used compromised debt cards issued by Bank of Muscat to withdraw about $40 million from ATMs in 24 countries.
Lynch thanked RAKBANK, the Bank of Muscat and MasterCard for their cooperation with the investigation.
MasterCard spokesman Jim Issokson said in an email that the company’s "systems were not involved or compromised during these cyberattacks."
Correction: The suspects are accused of withdrawing cash with the compromised card accounts. They are not accused of directly hacking the processors.