CLOSE
Original image
ThinkStock

The Great ATM Heist: How Thieves Stole $45 Million in a Few Hours

Original image
ThinkStock

By Peter Weber

Federal prosecutors in New York announced on Thursday that police had arrested seven suspects in one of the biggest bank heists in history — and none of the hundreds of people involved in 27 countries used a gun or bomb threat, or even set foot inside a bank lobby. U.S. Attorney Loretta Lynch compared the sophisticated, "surgical" heist — which netted $45 million in two separate operations — to the casino-theft movie Ocean's Eleven. (Watch an NBC News report on the heist below.)

The network of hackers and street criminals "participated in a massive 21st-century bank heist that reached across the internet and stretched around the globe," Lynch said at a news conference. The plot sounds ready-made for Hollywood. To give a sense of the scope of this operation, here are some key numbers:

$45 million
Amount stolen in a matter of hours in two ATM-withdrawal sprees, on Dec. 22, 2012, and Feb. 19-20, 2013

40,500
Total ATM withdrawals

27
Countries where ATMs were raided in the two operations

17
Prepaid credit card accounts used in the heist, five in December and 12 in February

$2.8 million
Amount stolen from Manhattan ATMs, including $2.4 million on Feb. 19-20

2,904
ATM withdrawals over the 10-hour spree in Manhattan on Feb. 19-20

How did several hundred people manage to pull off a huge bank heist without anyone noticing? The Justice Department says the thieves used what the cyber-criminal underground calls "Unlimited Operations." This is how it works, according to federal prosecutors:

The "Unlimited Operation" begins when the cyber-crime organization hacks into the computer systems of a credit card processor, compromises prepaid debit card accounts, and essentially eliminates the withdrawal limits and account balances of those accounts. The elimination of withdrawal limits enables the participants to withdraw literally unlimited amounts of cash until the operation is shut down.... These attacks rely upon both highly sophisticated hackers and organized criminal cells whose role is to withdraw the cash as quickly as possible....

First, over the course of months, the hackers plan and execute sophisticated cyber intrusions to gain unauthorized access to the computer networks of credit card processors that are responsible for processing prepaid debit card transactions. They target databases of prepaid debit cards, which are typically loaded with finite funds; such cards are used by many employers in lieu of paychecks and by charitable organizations to distribute disaster assistance.... Next, the cybercrime organization cashes in, by distributing the hacked prepaid debit card numbers to trusted associates around the world.... These associates operate cells or teams of "cashers," who encode magnetic stripe cards, such as gift cards, with the compromised card data. When the cybercrime organization distributes the personal identification numbers (PINs) for the hacked accounts, the casher cells spring into action, immediately withdrawing cash from ATMs across the globe. [DOJ]

The hacker-masterminds watched the ATM withdrawals on their computers, so they wouldn't get cheated out of their share — the eight-member New York cell kept 20 percent of their haul, Lynch said, and sent the rest to the heist organizers. Then the "cashers" laundered the money, in part by buying Rolex watches and luxury cars.

The feds didn't provide much information about the international investigation into the global heist, or say how many people have been arrested in other countries. And they didn't drop any clues as to who organized the operation, other than saying that an email links the New York cell to a money-laundering gang in St. Petersburg, Russia. But the New York group appears to have been caught at least partly through old fashioned police work, mixed with a dash of modern hubris: The thieves were photographed by multiple ATMs, their backpacks getting visibly heavier at each stop, and some posted photos of themselves with wads of cash.

Here's where things get really dramatic: The New York cell was made up of eight Dominican-Americans living in Yonkers. The first member was arrested March 27, trying to flee to the Dominican Republic, and the last two were picked up on Wednesday. The alleged ringleader, Alberto Yusi Lajud-Peña, wasn't arrested because he's dead. The New York Times explains:

Lajud-Peña fled the United States just as the authorities were starting to make arrests of members of his crew, the law enforcement official said. On April 27, according to news reports from the Dominican Republic, two hooded gunmen stormed a house where he was playing dominoes and began shooting. A manila envelope containing about $100,000 in cash remained untouched. [New York Times]

Yikes, says Tom Levenson at Balloon Juice. "I have no doubt that there are folks involved in this that you really, really don't want to irritate." But while $45 million is a huge haul, this is still the "least surprising story of the year," he argues:

Part of me says that this is something to note because so much of the financial life of individuals and the economy writ large depends on the secure functioning of — and user trust in — global banking systems at every level from the corner ATM to the massive inter-bank clearing mechanisms. The cyber-security people I talk to have to hold their hands over the mouths to stop themselves from blurting "WAKE UP SHEEPLE!!!!!" — as that trust rests on a rickety tangle of hardware and software. So while there's a kind of Great Train Robbery thrill to the idea of capers like these, this could get ugly indeed. [Balloon Juice]

In other words, even though no individual's bank account was compromised in this attack, everyone who doesn't keep their savings under the mattress is vulnerable. In this case, the hackers were able to exploit the weak links in the financial system — U.S. and Indian credit card processors, considered less secure than banks, and prepaid cards issued by banks in the Persian Gulf, where customers are generally allowed to put much larger amounts on prepaid cards and the banks don't monitor the cards as closely. "Hackers only need to find one vulnerability to cause millions of dollars of damage," former cyber-crimes prosecutor Mark Rasch tells Reuters.

Of course, the question everyone wants answered, says Balloon Juice's Levenson, is "what role George Clooney will play?"

NBC News explains the robbery:

Sources: The Associated PressBalloon JuiceGothamistJustice DepartmentThe New York Times,Reuters

More from The Week...

Owning Pets may be Good for your Heart

*

All the Films you Should See in May and June

*

What Two Dead Stars Reveal About Earth's Origins

Original image
iStock
arrow
Big Questions
What's the Difference Between Vanilla and French Vanilla Ice Cream?
Original image
iStock

While you’re browsing the ice cream aisle, you may find yourself wondering, “What’s so French about French vanilla?” The name may sound a little fancier than just plain ol’ “vanilla,” but it has nothing to do with the origin of the vanilla itself. (Vanilla is a tropical plant that grows near the equator.)

The difference comes down to eggs, as The Kitchn explains. You may have already noticed that French vanilla ice cream tends to have a slightly yellow coloring, while plain vanilla ice cream is more white. That’s because the base of French vanilla ice cream has egg yolks added to it.

The eggs give French vanilla ice cream both a smoother consistency and that subtle yellow color. The taste is a little richer and a little more complex than a regular vanilla, which is made with just milk and cream and is sometimes called “Philadelphia-style vanilla” ice cream.

In an interview with NPR’s All Things Considered in 2010—when Baskin-Robbins decided to eliminate French Vanilla from its ice cream lineup—ice cream industry consultant Bruce Tharp noted that French vanilla ice cream may date back to at least colonial times, when Thomas Jefferson and George Washington both used ice cream recipes that included egg yolks.

Jefferson likely acquired his taste for ice cream during the time he spent in France, and served it to his White House guests several times. His family’s ice cream recipe—which calls for six egg yolks per quart of cream—seems to have originated with his French butler.

But everyone already knew to trust the French with their dairy products, right?

Have you got a Big Question you'd like us to answer? If so, let us know by emailing us at bigquestions@mentalfloss.com.

Original image
iStock
arrow
science
Belly Flop Physics 101: The Science Behind the Sting
Original image
iStock

Belly flops are the least-dignified—yet most painful—way of making a serious splash at the pool. Rarely do they result in serious physical injury, but if you’re wondering why an elegant swan dive feels better for your body than falling stomach-first into the water, you can learn the laws of physics that turn your soft torso a tender pink by watching the SciShow’s video below.

SECTIONS

More from mental floss studios