The Great ATM Heist: How Thieves Stole $45 Million in a Few Hours

ThinkStock / ThinkStock

By Peter Weber

Federal prosecutors in New York announced on Thursday that police had arrested seven suspects in one of the biggest bank heists in history — and none of the hundreds of people involved in 27 countries used a gun or bomb threat, or even set foot inside a bank lobby. U.S. Attorney Loretta Lynch compared the sophisticated, "surgical" heist — which netted $45 million in two separate operations — to the casino-theft movie Ocean's Eleven. (Watch an NBC News report on the heist below.)

The network of hackers and street criminals "participated in a massive 21st-century bank heist that reached across the internet and stretched around the globe," Lynch said at a news conference. The plot sounds ready-made for Hollywood. To give a sense of the scope of this operation, here are some key numbers:

$45 million
Amount stolen in a matter of hours in two ATM-withdrawal sprees, on Dec. 22, 2012, and Feb. 19-20, 2013

Total ATM withdrawals

Countries where ATMs were raided in the two operations

Prepaid credit card accounts used in the heist, five in December and 12 in February

$2.8 million
Amount stolen from Manhattan ATMs, including $2.4 million on Feb. 19-20

ATM withdrawals over the 10-hour spree in Manhattan on Feb. 19-20

How did several hundred people manage to pull off a huge bank heist without anyone noticing? The Justice Department says the thieves used what the cyber-criminal underground calls "Unlimited Operations." This is how it works, according to federal prosecutors:

The "Unlimited Operation" begins when the cyber-crime organization hacks into the computer systems of a credit card processor, compromises prepaid debit card accounts, and essentially eliminates the withdrawal limits and account balances of those accounts. The elimination of withdrawal limits enables the participants to withdraw literally unlimited amounts of cash until the operation is shut down.... These attacks rely upon both highly sophisticated hackers and organized criminal cells whose role is to withdraw the cash as quickly as possible.... First, over the course of months, the hackers plan and execute sophisticated cyber intrusions to gain unauthorized access to the computer networks of credit card processors that are responsible for processing prepaid debit card transactions. They target databases of prepaid debit cards, which are typically loaded with finite funds; such cards are used by many employers in lieu of paychecks and by charitable organizations to distribute disaster assistance.... Next, the cybercrime organization cashes in, by distributing the hacked prepaid debit card numbers to trusted associates around the world.... These associates operate cells or teams of "cashers," who encode magnetic stripe cards, such as gift cards, with the compromised card data. When the cybercrime organization distributes the personal identification numbers (PINs) for the hacked accounts, the casher cells spring into action, immediately withdrawing cash from ATMs across the globe. [DOJ]

The hacker-masterminds watched the ATM withdrawals on their computers, so they wouldn't get cheated out of their share — the eight-member New York cell kept 20 percent of their haul, Lynch said, and sent the rest to the heist organizers. Then the "cashers" laundered the money, in part by buying Rolex watches and luxury cars.

The feds didn't provide much information about the international investigation into the global heist, or say how many people have been arrested in other countries. And they didn't drop any clues as to who organized the operation, other than saying that an email links the New York cell to a money-laundering gang in St. Petersburg, Russia. But the New York group appears to have been caught at least partly through old fashioned police work, mixed with a dash of modern hubris: The thieves were photographed by multiple ATMs, their backpacks getting visibly heavier at each stop, and some posted photos of themselves with wads of cash.

Here's where things get really dramatic: The New York cell was made up of eight Dominican-Americans living in Yonkers. The first member was arrested March 27, trying to flee to the Dominican Republic, and the last two were picked up on Wednesday. The alleged ringleader, Alberto Yusi Lajud-Peña, wasn't arrested because he's dead. The New York Times explains:

Lajud-Peña fled the United States just as the authorities were starting to make arrests of members of his crew, the law enforcement official said. On April 27, according to news reports from the Dominican Republic, two hooded gunmen stormed a house where he was playing dominoes and began shooting. A manila envelope containing about $100,000 in cash remained untouched. [New York Times]

Yikes, says Tom Levenson at Balloon Juice. "I have no doubt that there are folks involved in this that you really, really don't want to irritate." But while $45 million is a huge haul, this is still the "least surprising story of the year," he argues:

Part of me says that this is something to note because so much of the financial life of individuals and the economy writ large depends on the secure functioning of — and user trust in — global banking systems at every level from the corner ATM to the massive inter-bank clearing mechanisms. The cyber-security people I talk to have to hold their hands over the mouths to stop themselves from blurting "WAKE UP SHEEPLE!!!!!" — as that trust rests on a rickety tangle of hardware and software. So while there's a kind of Great Train Robbery thrill to the idea of capers like these, this could get ugly indeed. [Balloon Juice]

In other words, even though no individual's bank account was compromised in this attack, everyone who doesn't keep their savings under the mattress is vulnerable. In this case, the hackers were able to exploit the weak links in the financial system — U.S. and Indian credit card processors, considered less secure than banks, and prepaid cards issued by banks in the Persian Gulf, where customers are generally allowed to put much larger amounts on prepaid cards and the banks don't monitor the cards as closely. "Hackers only need to find one vulnerability to cause millions of dollars of damage," former cyber-crimes prosecutor Mark Rasch tells Reuters.

Of course, the question everyone wants answered, says Balloon Juice's Levenson, is "what role George Clooney will play?"

NBC News explains the robbery:

Sources: The Associated PressBalloon JuiceGothamistJustice DepartmentThe New York Times,Reuters

More from The Week...

Owning Pets may be Good for your Heart


All the Films you Should See in May and June


What Two Dead Stars Reveal About Earth's Origins