Threat Management

Feds: $45M drained from bank accounts in international cyber heist

Eight individuals have been charged for their role in the hacking of two credit card processors, which allowed a global gang of cyber bandits to withdraw tens of millions of dollars from ATMs around the world, federal prosecutors announced Thursday.

According to an indictment unsealed on Thursday, the eight defendants formed the New York-based operation of the international racket.

Seven of the people have been arrested, while the alleged leader of the New York cell, Alberto Lajud-Peña, 23, is believed to have been murdered last month in the Dominican Republic.

The other defendants, all residents of Yonkers, N.Y., are Joan Lara, 22; Chung Yu-Holguin, 22; Jael Collado, 23; Jose Reyes, 24; Elvis Rodriguez, 24; Emir Yeje, 24; and Evan Peña, 35. They are charged with conspiracy to commit access device fraud, which carries a 7 1/2-year maximum sentence, and money laundering conspiracy and money laundering, which each carry a maximum of 10 years.

According to federal prosecutors, the eight defendants and unnamed co-conspirators allegedly withdrew an estimated $2.4 million from nearly 3,000 ATMs in the New York City area from 3 p.m. on Feb 19 through the early morning of Feb. 20. In total, $40 million was stolen worldwide during that period.

Federal prosecutors called the cyber attacks “unlimited operations," meaning intruders hack into the computer systems of credit card processors – in this case reportedly one was located in the United States and the other in India – to compromise prepaid debit card accounts, then raise the limits on the accounts. Prosecutors said they targeted MasterCard prepaid debit cards issued by the Bank of Muscat in Oman.

Using the information they purloined, teams of "carders" and "cashers" then created cloned cards and used them to withdraw the funds.

In a separate occasion on December 2012, the crime outfit allegedly hacked a credit card processor that handles transactions for prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah (RAKBANK) PSC in the United Arab Emirates. In that operation, around $5 million was fraudulently withdrawn through more than 4,500 ATM transactions made in 20 countries.

The heists are reminiscent of the 2008 attack on processor RBS WorldPay, now known as WorldPay, in which 1.5 million cardholders were affected.

Loretta Lynch, U.S. attorney for the Eastern District of New York, called the campaign a “massive 21st century bank heist,” where the criminals used “laptops and the internet” instead of “guns and masks.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.