Electronic / Mobile Payments Fraud , Fraud Management & Cybercrime

Authorities Detain Suspects in ATM Cash-Out

Could Scheme Be Linked to Earlier $45 Million Heist?
Authorities Detain Suspects in ATM Cash-Out

Romanian authorities' detention this week of 25 suspects believed to be part of an international cybercrime ring could be linked to a $45 million card fraud and ATM cash-out scheme dating back to December 2012, security experts say (see Detangling the $45 Million Cyberheist).

See Also: Webinar | Beyond Managed Security Services: SOC-as-a-Service for Financial Institutions

The 25 individuals arrested this week could be part of a sophisticated network of cybercriminals that authorities failed to shut down in May 2013 and November 2013, when arrests linked to the $45 million cash-out scheme were first made, experts says.

A Larger Crime Cell?

The Romanian Directorate for Investigating Organized Crime and Terrorism on April 26 alleged that the 25 suspects now in custody are part of a cybercrime cell that has more than 52 members. Multiple news sites, including CIO.com, have reported DIICOT's findings.

The cell, which so far is believed to have stolen more than $15 million, is suspected of hacking into banks in Puerto Rico and Muscat Oman to steal payment card data for the creation of counterfeit cards that were later used for fraudulent ATM withdrawals in various countries, according to DIICOT.

DIICOT notes that prosecutors allege the fraudulent ATM withdrawals were performed in batches on non-business days in multiple countries, including the United States, Japan, Belgium, Canada, Colombia, the Dominican Republic, Egypt, Estonia, Germany, Indonesia, Italy, Latvia, Malaysia, Mexico, Pakistan, Russia, Spain, Sri Lanka, Thailand, Ukraine, the United Arab Emirates and the U.K.

Making the Case

Connecting the dots in intricate cybercrime cases is an ongoing challenge for international law enforcement, says financial fraud expert Avivah Litan, an analyst at the consultancy Gartner. If the $15 million and $45 million schemes are connected, Litan says authorities likely have spent the last two years building a stronger case to bring remaining suspects to justice.

"In fairness to law enforcement, they probably did all they could at the time of the November 2013 arrests and didn't lose anything by arresting some of the players," she says.

In fact, Litan says law enforcement likely benefited from arresting suspects in phases. "They could interrogate these individuals and promise them early release or lower penalties if they squealed on their colleagues and bosses," she says. "I imagine they got as far as they could in the case at the time of those [earlier] arrests, and may have been working behind the scenes all this time."

John Buzzard, who heads up FICO's Card Alert Service, notes that cash-out heists often involve a dynamic network of criminals that makes getting to the leaders at the top nearly impossible for law enforcement.

"You may recall that Alberto Yusi Lajud-Peña, the leader of the gang of mules who went out and performed cash-outs in New York City [as part of the $45 million scheme], was murdered," he says. "Alberto Yusi Lajud-Peña may have been the alleged leader for a group of cash-out mules, but he certainly wasn't the mastermind behind the entire operation. There were more important criminals at large at this point, despite the arrests and indictments of the men from Yonkers."

The true masterminds of these operations are usually oceans away, waiting for their cash to be laundered and delivered, Buzzard says.

"I really hope that those arrested in Romania are somehow linked to the original unlimited operation that took place back in 2012 and 2013," he adds. "We will just have to wait to see if law enforcement can confirm that these people are somehow all associated. But my mantra is pretty simple: One criminal behind bars is better than no criminals behind bars."

Link to Earlier Heists?

Like the $15 million scheme outlined by Romanian authorities this week, the $45 million heists in 2012 and 2013 involved the compromise of card data that was later used to create counterfeit cards for massive ATM withdrawals that spanned numerous countries, including the U.S. and other countries also hit in the $15 million scheme.

What made the $45 million heists so devastating, however, is that they involved the compromise of prepaid debit cards. When hackers broke into the processing companies used by the banks that issued the cards, they manipulated the prepaid cash limits. Once counterfeit cards were created for the ATM withdrawals, the mules ultimately had limitless amounts of funds to access.

Cyberthreat intelligence firm iSightPartners on April 28 issued a statement about the possible connection between that $45 million ATM cash-out heists and the 25 suspects recently detained by Romanian authorities.

"In addition to the time frame and list of countries used for withdrawals ... there were indications near the end of December 2013 and early January 2014 that similar cash-out operations were planned," iSightPartner states. "Despite the arrests of some of the group's members in early 2013, this activity suggests that relevant members of the group were still unaccounted for and potentially active."

DIICOT could not be reached for comment.


About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.