The 8 Steps Behind The Massive $45M Cyber Bank Heist

Seven Men Charged In Massive ATM Heist

Seven men face charges for their role in a massive credit card fraud ring that drained more than $45 million from bank accounts in what some say could be the largest bank robbery in history. Instead of masks and weapons, the attackers used computers and malware, stealing debit cards associated with banks in the United Arab Emirates and Oman. Investigators said the heist was an ATM cash-out scheme that eliminates withdrawal limits on individual accounts.

The technique is not new. A heist in 2011 using prepaid debit cards netted organized cybercriminals about $13 million. In 2008, RBS Worldpay was targeted in a heist that netted $9 million.

Here's a step-by-step breakdown of how this extensive ATM cash-out scheme went down.

1. Credit Card Processor Data Breach

Cybercriminals first targeted an Indian credit card processor that handles Visa and MasterCard prepaid debit cards. The attack was being directed by an extensive cybercriminal network based in St. Petersburg, Russia. The attack took place in December, and investigators believe it was an extensive network intrusion, giving cybercriminals access to the data contained on the magnetic strip of the card and the PIN number associated with RAKBank, located in the United Arab Emirates.

2. Cyberattackers Program Cards With Exclusive PIN Number

An ATM cash-out scheme, such as the one the cybercriminal organization implemented, uses a programming technique that eliminates withdrawal limits on individual accounts. Attackers must associate each account with a bank identification number. Once the information has been matched up, the technique gives attackers the ability to withdraw an unlimited amount of cash from ATMs. The card data is then sent to money mules around the world.

"Successful unlimited operations are rare events requiring a high degree of technical proficiency, coordination and patience on the part of the criminal actors," investigators said in court documents filed with the Eastern District of New York that were obtained by CRN.

3. Recruit Money Mules

Financially motivated cybercriminals have become experts in recruiting people in the United States to cash out stolen credit and debit cards. Using scams, organized cybercriminals in Eastern Europe and Russia often target the poor and unemployed, promising employment and the ability to work remote. Often the scheme involves setting up phony websites, making it look like a legitimate job opportunity. Money mules that have been arrested in the past have told investigators they didn't know they would be used to drain money from stolen accounts.

Between Dec. 21 and Dec. 22, the cybercriminal organization distributed five account numbers from the RAKBank accounts to individuals located in 20 countries around the world, investigators said.

4. Money Mules Strike ATMs Globally

Once the cybercriminal organization distributed the account information, the receiving individuals, or mules, encoded the data onto magnetic stripe cards, such as gift cards and hotel key cards, to withdraw the funds from ATMs. Investigators found the men conducting numerous transactions in Brooklyn, Queens and Long Island, among other U.S. locations. At first, the transactions were low, indicating the men were testing the cards. Even still, the scheme involved more than 5,700 attempted ATM transactions using the RAKBank account data, resulting in a total loss of approximately $5 million.

5. Heist Repeated With Greater Success

In February, investigators believe the same cybercriminal organization struck a credit card processor in the U.S., stealing the same data. Although details are scarce, the attack in December and the attack in February apparently used similar methods; the intruders used multiple debit cards and associated with accounts from the Bank of Muscat, located in Oman.

6. Credit Card Data Distributed To Money Mules

Investigators said the cybercriminal organization distributed 12 account numbers from the compromised Muscat bank accounts to money mules in 24 countries in February. The accounts were configured with increased balances to people across the globe including Brooklyn and other U.S. locations. The heist took place in late February, and the cybercriminals, who were able to log at least 36,000 transactions within 10 hours, netted $40 million from ATMs.

7. Money Laundering Begins

After the money mules withdraw the funds and take their cut, the remaining money is sent, typically by Western Union, to the cybercriminals.

In the court documents, investigators said they traced funds to a known money laundering operation in Russia.

8. U.S. Secret Service, Law Enforcement Make Arrests

U.S. Justice Department officials have charged seven men from Yonkers, N.Y., for their role in the attacks. Jael Mejia Collado, Joan Luis Minier Lara, Evan Jose Pena, Jose Familia Reyes, Elvis Rafael Rodriguez, Emir Yasser Yeje, and Chung Yu-Holguin face money-laundering charges and conspiracy to commit access device fraud. An eighth man, Alberto Yusi Lajud-Pena, who also is suspected of playing a role, was reportedly murdered in the Dominican Republic. The seven men could face 10 years of prison time on each money-laundering charge and up to $250,000 in fines.