It was a crime that would have made any movie thief proud.
A global gang of cybercriminals stole $45 million from ATMs around in the world in two coordinated attacks that each lasted only a matter of hours, federal prosecutors in Brooklyn said today (May 9).
"The defendants and their co-conspirators participated in a massive 21st century bank heist that reached across the Internet and stretched around the globe," Loretta E. Lynch, United States Attorney for the Eastern District of New York, said in a statement.
Seven men from Yonkers, N.Y., were named in the indictment, along with an eighth man who was apparently the local ringleader but was murdered last month in the Dominican Republic. The seven survivors, mostly in their early 20s, have all been arrested.
The seven men were merely the New York branch of the larger scheme, which involved hacking into the databases of debit-card processors in Oman and the United Arab Emirates and raising the balances on the accounts tied to thousands of cards.
The card data was written onto "cloned" debit cards, which were then distributed to dozens, perhaps hundreds, of "cashers" who made two coordinated mass cash withdrawals in two dozen different countries.
In the first mass withdrawal, which lasted two and half hours on Dec. 22, 2012, more than 4,500 withdrawals were made, totaling $5 million.
Apparently satisfied with their results, the crooks went even bigger on Feb. 19-20, 2013, withdrawing $40 million in 36,000 different transactions over the course of 10 hours.
The New Yorkers' take was about $2.8 million, most of which was deposited into the defendants' bank accounts, but some of which was used to buy expensive German cars and Swiss watches.
The Brooklyn federal prosecutors' statement did not identify any other participants in the global scheme, say where the ultimate ringleaders were based or divulge how the case was cracked.
The statement thanked authorities in Belgium, Canada, the Dominican Republic, Estonia, France, Germany, Italy, Japan, Latvia, Malaysia, Mexico, Romania, Spain, Thailand, the United Arab Emirates and the United Kingdom.
Through his law-enforcement and financial-industry contacts, security blogger Brian Krebs may have gotten wind of the first mass withdrawal before the second one even took place.
In early February, Krebs reported that sources had told him a debit-card-fraud operation involving an Indian bank had netted $11 million in two global mass withdrawals around Christmastime. He also posted a Visa security alert from January referring to a recent mass ATM withdrawal.
There's little the average consumer can do to protect himself against such mass ATM withdrawals, but then again, he probably won't end up feeling it. The real victims are the card processors and their insurance companies, who have to cover the losses.