Feds Take Down Cyber Crime Ring that Allegedly Raided $45M

Federal prosecutors charged eight individuals on Thursday with participating in a sophisticated campaign of cyber attacks on the global financial system that caused $45 million in losses.

In one operation detailed by the indictment, the cyber heist paved the way for $2.4 million in fraudulent withdrawals in New York City alone in less than nine hours.

The roundup highlights the government’s latest attempt to combat cyber crime, which causes $110 billion in global direct costs each year, according to a 2012 study from Symantec’s (NASDAQ:SYMC) Norton division.

Prosecutors say the crime ring used sophisticated intrusion techniques, known as “Unlimited Operations,” to penetrate the systems of global financial institutions and steal prepaid debit card data and eliminate withdrawal limits. The sensitive data was then spread around the world and used in making massive amounts of fraudulent ATM withdrawals, official allege.

“The defendants and their co-conspirators participated in a massive 21st century bank heist that reached across the Internet and stretched around the globe. In the place of guns and masks, this cybercrime organization used laptops and the Internet,” Loretta Lynch, the U.S. Attorney in Brooklyn, said in a statement. “Law enforcement is committed to moving just as swiftly to solve these cybercrimes and bring their perpetrators to justice.”

Prosecutors said seven of the eight defendants have been arrested: Jael Mejia Collado, Joan Luis Minier Lara, Evan Jose Peña, Jose Familia Reyes, Elvis Rafael Rodriguez, Emir Yasser Yeje and Chung Yu-Holguin. All seven are residents of Yonkers and were detained over the past six weeks.

Alberto Yusi Lajud-Peña, the eighth individual charged in the indictment, is reported to have been murdered on April 27 in the Dominican Republic, officials said.

The defendants were charged with conspiracy to commit access device fraud, money-laundering conspiracy and money laundering. If convicted, the defendants face a maximum sentence of 10 years of prison time each on money-laundering charges and 7.5 years on the conspiracy to commit access device fraud charges, restitution and up to $250,000 in fines.

The indictment underscores the mounting threat of sophisticated cyber-crime rings.

“Unlimited Operations” feature precise cyber attacks, global cyber crime organizations and coordination on the ground. Casher cells launder the proceeds, sometimes by acquiring luxury goods, and then send the money back up to the top of the crime ring.

“These attacks rely upon both highly sophisticated hackers and organized criminal cells whose role is to withdraw the cash as quickly as possible,” prosecutors said.

“The Secret Service and its law enforcement partners have adapted to these technological advancements and utilized cutting edge investigative techniques to thwart this cybercriminal activity,” said Steven Hughes, the special agent in charge for the Secret Service’s New York field office.

According to the indictment, the individuals carried out a pair of cyber heists between October 2012 and April 2013.

The first operation targeted a credit-card processor that processed transactions for prepaid MasterCard (NYSE:MA) debit cards issued by the National Bank of Ras Al-Khaimah PSC, a bank based in the United Arab Emirates. After penetrating the computer network, the crime ring allegedly made more than 4,500 ATM transactions in about 20 countries around the world, resulting in $4 million in losses.

Prosecutors say that in New York City alone, about 750 fraudulent transactions were made in just two hours and 25 minutes, totaling almost $400,000 at over 140 different ATMs.

According to the indictment, the second operation began on February 19 and involved hacking into a network of MasterCard prepaid debit cards issued by the Bank of Muscat, which is located in Oman. In just 10 hours, the cell executed about 36,000 transactions in 24 countries, withdrawing $40 million from ATMs, officials said.

In the New York City area, this second operation resulted in about $2.4 million in fraudulent withdrawals in just an 8.5-hour window span, prosecutors allege.