Sitting at a computer somewhere overseas in January 2009, computer hackers went phishing.
Within minutes of casting their electronic bait they caught what they were looking for: A small Michigan company where an employee unwittingly clicked on an official-looking e-mail that secretly gave cyberthieves the keys to the firm's bank account.
Before company executives knew what was happening, Experi-Metal Inc., a suburban Detroit manufacturing company, was broke. Its $560,000 bank balance had been electronically scattered into bank accounts in Russia, Estonia, Scotland, Finland and around the U.S.
In August, the Catholic Diocese in Des Moines, Iowa, lost about $680,000 over two days. Officials there are not sure how hackers got into their accounts, but "they took all they could" before the bank noticed what was going on, according to Jason Kurth, diocese vice chancellor.
The diocese and the Detroit company were among dozens of individuals, businesses and municipalities around the U.S. victimized by one of the largest cybertheft rings the FBI has uncovered.
In September, the bureau and its counterparts in Ukraine, the Netherlands and Britain took down the ring they first got wind of in May 2009 when a financial services firm tipped the bureau's Omaha, Nebraska, office to suspicious transactions. Since then, the FBI's Operation Trident Breach has uncovered losses of $14 million and counting.
Overall in the last two years, the FBI has opened 390 cases against schemes that prey on businesses that process payments electronically through the Automated Clearing House, which handles 3,000 transactions every five seconds. In these cases, bureau agents have uncovered attempted thefts totaling $220 million and actual losses of $70 million.
But the court records of Operation Trident Breach reveal a surprise: For all the high-tech tools and tactics employed in these computer crimes, platoons of low-level human foot soldiers, known as "money mules," are the indispensable cogs in the cybercriminals' money machine.
A dozen FBI criminal complaints filed in New York provide an inside look at how this cybertheft ring worked:
Operating from Eastern Europe and other overseas locations, the thieves used malicious software, known as malware, to infect the computers of unsuspecting users in the United States by e-mail. The malware-infected e-mails were written to look like they came from a company manager or colleague who might send an e-mail message to everyone in a company, such as the head of human resources.
When the e-mail recipient clicked on an embedded link to a Web site or opened an attachment, a Trojan horse virus called Zeus installed itself and gathered usernames, passwords and financial account numbers typed by the victims on their own computers. The hackers then used this information to move the victims' money electronically into bank accounts set up in the United States by the money mules.
The money mules set up shell bank accounts to receive the money. Then they withdrew the funds from the shell accounts in amounts they thought were small enough to elude detection by banks and law enforcement. In some cases, the cyberthieves bombarded telephone numbers attached to the targeted accounts with calls to block the bank from reaching the company to verify the transactions.
The mules sent most of the stolen funds overseas electronically to accounts controlled by the ring leaders; the mules usually kept 8 to 10 percent as their cut.
For instance, the FBI said money belonging to one TD Ameritrade customer landed in the bank account of a fake company, the Venetian Development Construction Service Corp., which was registered at an unmarked, two-story brick building in Brooklyn. The sole name on the construction company's account was that of one of the money mules. Eventually some of the money wound up in accounts in Singapore and Cyprus, and some walked out the bank's door in the pockets of mules. TD Ameritrade spokeswoman Kim Hillyer said the company has reimbursed customers who lost money.
Just like in the illegal drug trade, the ring leaders overseas reaped the big profits but relied on the mules to do the risky, dirty work.
For each shell account, a mule had to walk into a bank, in full view of surveillance cameras, and leave copies of personal identification documents. The ring leaders hid behind computer screens overseas.
Operation Trident Breach found many mules are Eastern Europeans who came to the U.S. on student visas.