When you think of cybercrime, you probably imagine a hacker (or cracker, as many of our readers prefer) sitting far from his victims, breaking in digitally and making off with the valuables in similar fashion.
For many cybercrooks, that is, indeed, how it goes down.
If your goal is to get illicit remote access to a database, for example, and steal a bunch of bank card numbers, you can probably do it without leaving your apartment.
But when your final goal is to turn those bank cards into hard cash, cybercrime and old-fashioned street crime meet.
That’s because you can’t just click on a virtual on-screen ATM in your bedroom and watch banknotes spilling out of your DVD slot.
When it comes to cash withdrawals, you face the same problems that old-school bank robbers have for hundreds of years.
In the unforgettable words of 1930s Tommy-gun-wielding bank robber Willie Sutton:
Go where the money is...and go there often.
21st century cyber-robbery
So here’s how a modern-day ATM cyber-robbery usually works:
- Crooks acquire bank card magstripe details and associated withdrawal PINs.
- Crooks split up card details and distribute them to on-the-ground teams of “casher crews”, or “cashers”.
- Cashers prepare cloned cards using magstriped blanks such as gift cards, phone cards and old hotel keys.
When all the ducks are, so to speak, in a row, then:
- Crooks email PIN numbers to the cashers. (Holding these back until the last minute avoids early exposure.)
- Cashers take to the streets mob-handed and go on a looting spree.
- The cashers return most of the money to their handlers, often in some already-laundered form such as easily-resold luxury goods.
- The cashers keep their cut, in money or in kind (supercars seem popular), and wait for a GOTO 4 instruction.
With each ATM typically restricting the amount of money it will dispense in one go (since they can only hold so much), you need to do a lot of transactions.
With a $500 maximum, you need 2000 withdrawals to hit a cool million; pick a bank with an $800 jackpot limit and you’re still looking at a workflow of 1250 repetitions of insert card – enter PIN – remove card – take money.
And you can’t hang around, because once a crew starts looting, alarm bells are going to start ringing back at bank HQ – much like they used to for Wille “The Actor” Sutton.
A bank that spots an out-of-the-ordinary sequence of transactions might not be able to scramble the cops, especially if the looting is happening in cities all around the world, but it can shut you out if it works out a pattern to your illicit withdrawals.
The good news: NY casher crew busted
Anyway, the good news in this is that the US Justice Department’s Eastern District of New York has just unsealed an indictment [charges in full here (PDF, 5.8MB)] against eight members of a New York based casher crew who are alleged to have made off with about $2,800,000 in two separate outings.
The alleged crew leader, Alberto Yusi Lajud-Peña, won’t stand trial for the rather unfortunate reason that he is dead, murdered in the Dominican Republic last month.
The other seven, if convicted, are looking down the barrel of 17.5 years inside, charged with “conspiracy to commit access device fraud” and money laundering.
They allegedly made large cash deposits, as well as buying luxury items such as a Mercedes Benz SUV, a Porche Panamera, and swanky watches.
The gang certainly paid attention to speed and volume.
The Justice Department has produced a fascinating “crime visualisation” map that makes it clear how systematically cashers go to work. (It also gives a whole new meaning to “On Broadway.”)
In the first looting run in December 2012, the crew allegedly hit more than 140 ATMs for an average of about five withdrawals each, pulling out close to $400,000 in under three hours – presumably working with a $500-per-transaction limit.
The second run took place in February 2013, where they seem to have gone for an $800-per-transaction value, netting some $2,400,000 over nine-and-a-half hours in 3000 separate withdrawals.
With eight cashers in action, 3000 transactions in under ten hours is an average of just over 90 seconds per withdrawal.
The bad news: rest of iceberg still at large
What made these cyberheists particularly interesting, aside from the speed with which the New York crew were nabbed, is what went on in Step One of the crime.
It seems that they indirectly targeted two banks in the Persian Gulf – the National Bank of Ras Al-Khaima (RAKBANK), UAE, and the Bank of Muscat, Oman.
They broke into the databases of the companies that handled those banks’ debit card business – an unnamed Indian outfit in the case of RAKBANK, and an unnamed US outfit in the case of Bank of Muscat.
Then they orchestrated what is known as an “unlimited operation.”
That means they didn’t just end up with a motley bunch of debit card account numbers worth an unknown amount each.
Instead, they removed the cards’ withdrawal limits and boosted their account balances to the point that the amount available was effectively limited only by the speed of the cashing crews, not by the wealth of the cardholders.
And Step Two didn’t just make use of our hapless New York casher crew.
According to prosecutors, the RAKBANK looting raids took place simultaneously in about 20 countries, for an illicit withdrawal total of $5,000,000.
And the Bank of Muscat operation was co-ordinated across some 24 countries, netting an astonishing $40,000,000 in under 24 hours.
The silver lining: swift international co-operation
Often, we read about bank-related cybercrime prosecuted years in arrears, mainly due to the complexities of working across many jurisdictions and with numerous financial institutions.
This time, the cops (technically, in this case, the US Secret Service) got their man, or at least their alleged men, pretty quickly.
Loretta E. Lynch, the United States Attorney for the Eastern District of New York who announced these arrests, was generous in her praise for the international co-operation received, formally thanking, amongst others:
MasterCard, RAKBANK, and the Bank of Muscat for their cooperation with this investigation, ... law enforcement authorities in Japan, Canada, Germany, and Romania, and ... authorities in the United Arab Emirates, Dominican Republic, Mexico, Italy, Spain, Belgium, France, United Kingdom, Latvia, Estonia, Thailand, and Malaysia.
Quite a list.
Now we shall have to wait and see if any of the carder crews in the other 23 countries, or the cybercrooks behind the “unlimited operation” intrusions, will ever be caught.
Oh, and, if they’re caught, what will happen to them – in the WorldPay example above, the Russian hacker behind it all ended up with a suspended sentence.