
The Great ATM Heist: How Thieves Stole $45 Million in a Few Hours


By Peter Weber

Federal prosecutors in New York announced on Thursday that police had arrested seven suspects in one of the biggest bank heists in history — and none of the hundreds of people involved in 27 countries used a gun or bomb threat, or even set foot inside a bank lobby. U.S. Attorney Loretta Lynch compared the sophisticated, "surgical" heist — which netted $45 million in two separate operations — to the casino-theft movie Ocean's Eleven. (Watch an NBC News report on the heist below.)

The network of hackers and street criminals "participated in a massive 21st-century bank heist that reached across the internet and stretched around the globe," Lynch said at a news conference. The plot sounds ready-made for Hollywood. To give a sense of the scope of this operation, here are some key numbers:

$45 million
Amount stolen in a matter of hours in two ATM-withdrawal sprees, on Dec. 22, 2012, and Feb. 19-20, 2013

Total ATM withdrawals

Countries where ATMs were raided in the two operations

Prepaid credit card accounts used in the heist, five in December and 12 in February

$2.8 million
Amount stolen from Manhattan ATMs, including $2.4 million on Feb. 19-20

ATM withdrawals over the 10-hour spree in Manhattan on Feb. 19-20

How did several hundred people manage to pull off a huge bank heist without anyone noticing? The Justice Department says the thieves used what the cyber-criminal underground calls "Unlimited Operations." This is how it works, according to federal prosecutors:

The "Unlimited Operation" begins when the cyber-crime organization hacks into the computer systems of a credit card processor, compromises prepaid debit card accounts, and essentially eliminates the withdrawal limits and account balances of those accounts. The elimination of withdrawal limits enables the participants to withdraw literally unlimited amounts of cash until the operation is shut down.... These attacks rely upon both highly sophisticated hackers and organized criminal cells whose role is to withdraw the cash as quickly as possible....

First, over the course of months, the hackers plan and execute sophisticated cyber intrusions to gain unauthorized access to the computer networks of credit card processors that are responsible for processing prepaid debit card transactions. They target databases of prepaid debit cards, which are typically loaded with finite funds; such cards are used by many employers in lieu of paychecks and by charitable organizations to distribute disaster assistance.... Next, the cybercrime organization cashes in, by distributing the hacked prepaid debit card numbers to trusted associates around the world.... These associates operate cells or teams of "cashers," who encode magnetic stripe cards, such as gift cards, with the compromised card data. When the cybercrime organization distributes the personal identification numbers (PINs) for the hacked accounts, the casher cells spring into action, immediately withdrawing cash from ATMs across the globe. [DOJ]

The hacker-masterminds watched the ATM withdrawals on their computers, so they wouldn't get cheated out of their share — the eight-member New York cell kept 20 percent of their haul, Lynch said, and sent the rest to the heist organizers. Then the "cashers" laundered the money, in part by buying Rolex watches and luxury cars.

The feds didn't provide much information about the international investigation into the global heist, or say how many people have been arrested in other countries. And they didn't drop any clues as to who organized the operation, other than saying that an email links the New York cell to a money-laundering gang in St. Petersburg, Russia. But the New York group appears to have been caught at least partly through old-fashioned police work, mixed with a dash of modern hubris: The thieves were photographed by multiple ATMs, their backpacks getting visibly heavier at each stop, and some posted photos of themselves with wads of cash.

Here's where things get really dramatic: The New York cell was made up of eight Dominican-Americans living in Yonkers. The first member was arrested March 27, trying to flee to the Dominican Republic, and the last two were picked up on Wednesday. The alleged ringleader, Alberto Yusi Lajud-Peña, wasn't arrested because he's dead. The New York Times explains:

Lajud-Peña fled the United States just as the authorities were starting to make arrests of members of his crew, the law enforcement official said. On April 27, according to news reports from the Dominican Republic, two hooded gunmen stormed a house where he was playing dominoes and began shooting. A manila envelope containing about $100,000 in cash remained untouched. [New York Times]

Yikes, says Tom Levenson at Balloon Juice. "I have no doubt that there are folks involved in this that you really, really don't want to irritate." But while $45 million is a huge haul, this is still the "least surprising story of the year," he argues:

Part of me says that this is something to note because so much of the financial life of individuals and the economy writ large depends on the secure functioning of — and user trust in — global banking systems at every level from the corner ATM to the massive inter-bank clearing mechanisms. The cyber-security people I talk to have to hold their hands over the mouths to stop themselves from blurting "WAKE UP SHEEPLE!!!!!" — as that trust rests on a rickety tangle of hardware and software. So while there's a kind of Great Train Robbery thrill to the idea of capers like these, this could get ugly indeed. [Balloon Juice]

In other words, even though no individual's bank account was compromised in this attack, everyone who doesn't keep their savings under the mattress is vulnerable. In this case, the hackers were able to exploit the weak links in the financial system — U.S. and Indian credit card processors, considered less secure than banks, and prepaid cards issued by banks in the Persian Gulf, where customers are generally allowed to put much larger amounts on prepaid cards and the banks don't monitor the cards as closely. "Hackers only need to find one vulnerability to cause millions of dollars of damage," former cyber-crimes prosecutor Mark Rasch tells Reuters.
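The cash-out pattern prosecutors describe (cloned prepaid cards drained at many ATMs in many countries within hours, after limits and balances were altered at the processor) is something issuer-side monitoring can flag without trusting the processor's own limit fields. The Python below is an added example, not code from the article or the Justice Department; the record layout, thresholds, account names and the independent `LOADED_FUNDS` ledger are assumptions, and the transactions are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (card account, ISO timestamp, ATM country, amount withdrawn).
SAMPLE_WITHDRAWALS = [
    ("PREPAID-A", "2020-01-01T15:00:00", "US", 800),
    ("PREPAID-A", "2020-01-01T15:04:00", "JP", 800),
    ("PREPAID-A", "2020-01-01T15:06:00", "US", 800),
    ("PREPAID-A", "2020-01-01T15:09:00", "DE", 800),
    ("PREPAID-B", "2020-01-01T09:00:00", "US", 200),
    ("PREPAID-B", "2020-01-02T18:30:00", "US", 100),
]
# Assumption: funds actually loaded per card, recorded outside the processor
# database whose balance and limit fields the intruders could rewrite.
LOADED_FUNDS = {"PREPAID-A": 1000, "PREPAID-B": 500}


def flag_cashout(withdrawals, loaded_funds, window=timedelta(minutes=30),
                 max_in_window=3, max_countries=1):
    """Return {account: sorted reasons} for accounts that look like a cash-out."""
    by_account = defaultdict(list)
    for account, ts, country, amount in withdrawals:
        by_account[account].append((datetime.fromisoformat(ts), country, amount))

    alerts = {}
    for account, events in by_account.items():
        events.sort()
        reasons = set()
        # Compare total cash out with the independent ledger, never with the
        # balance the processor reports.
        if sum(a for _, _, a in events) > loaded_funds.get(account, 0):
            reasons.add("withdrawn_exceeds_loaded")
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` of wall-clock time.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            if len(in_window) > max_in_window:
                reasons.add("velocity")
            # One physical card cannot be at ATMs in several countries at once.
            if len({c for _, c, _ in in_window}) > max_countries:
                reasons.add("geo_dispersion")
        if reasons:
            alerts[account] = sorted(reasons)
    return alerts
```

Any one of the three reasons is enough to hold further withdrawals on the account pending review; the thresholds would be tuned to the card program's normal usage.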

Of course, the question everyone wants answered, says Balloon Juice's Levenson, is "what role George Clooney will play?"

NBC News explains the robbery:

Sources: The Associated Press, Balloon Juice, Gothamist, Justice Department, The New York Times, Reuters


6 Radiant Facts About Irène Joliot-Curie

Though her accomplishments are often overshadowed by those of her parents, the elder daughter of Marie and Pierre Curie was a brilliant researcher in her own right.


Irène and Marie in the laboratory, 1925.
Wellcome Images, Wikimedia Commons // CC BY 4.0

Irène’s birth in Paris in 1897 launched what would become a world-changing scientific dynasty. A restless Marie rejoined her loving husband in the laboratory shortly after the baby’s arrival. Over the next 10 years, the Curies discovered radium and polonium, founded the science of radioactivity, welcomed a second daughter, Eve, and won a Nobel Prize in Physics. The Curies expected their daughters to excel in their education and their work. And excel they did; by 1925, Irène had a doctorate in chemistry and was working in her mother’s laboratory.


Like her mother, Irène fell in love in the lab—both with her work and with another scientist. Frédéric Joliot joined the Curie team as an assistant. He and Irène quickly bonded over shared interests in sports, the arts, and human rights. The two began collaborating on research and soon married, equitably combining their names and signing their work Irène and Frédéric Joliot-Curie.


Black and white photo of Irène and Fréderic Joliot-Curie working side by side in their laboratory.
Bibliothèque Nationale de France, Wikimedia Commons // Public Domain

Their passion for exploration drove them ever onward into exciting new territory. A decade of experimentation yielded advances in several disciplines. They learned how the thyroid gland absorbs radioiodine and how the body metabolizes radioactive phosphates. They found ways to coax radioactive isotopes from ordinarily non-radioactive materials—a discovery that would eventually enable both nuclear power and atomic weaponry, and one that earned them the Nobel Prize in Chemistry in 1935.


The humanist principles that initially drew Irène and Frédéric together only deepened as they grew older. Both were proud members of the Socialist Party and the Comité de Vigilance des Intellectuels Antifascistes (Vigilance Committee of Anti-Fascist Intellectuals). They took great pains to keep atomic research out of Nazi hands, sealing and hiding their research as Germany occupied their country. Irène also served as undersecretary of state for scientific research of the Popular Front government.


Irène eventually scaled back her time in the lab to raise her children Hélène and Pierre. But she never slowed down, nor did she stop fighting for equality and freedom for all. Especially active in women’s rights groups, she became a member of the Comité National de l'Union des Femmes Françaises and the World Peace Council.


Irène’s extraordinary life was a mirror of her mother’s. Tragically, her death was, too. Years of watching radiation poisoning and cancer taking their toll on Marie never dissuaded Irène from her work. In 1956, dying of leukemia, she entered the Curie Hospital, where she followed her mother’s luminous footsteps into the great beyond.

You Can Now Order Food Through Facebook

After a bit of controversy over its way of aggregating news feeds and some questionable content censoring policies, it’s nice to have Facebook roll out a feature everyone can agree on: allowing you to order food without leaving the social media site.

According to a press release, Facebook says that the company decided to begin offering food delivery options after realizing that many of its users come to the social media hub to rate and discuss local eateries. Rather than hop from Facebook to the restaurant or a delivery service, you’ll be able to stay within the app and select from a menu of food choices. Just click “Order Food” from the Explore menu on a desktop interface or under the “More” option on Android or iOS devices. There, you’ll be presented with options that will accept takeout or delivery orders, as well as businesses participating with services like or EatStreet.

If you need to sign up and create an account with or Jimmy John’s, for example, you can do that without leaving Facebook. The feature is expected to be available nationally, effective immediately.

[h/t Forbes]

