One of the most successful cyber-crime campaigns in history has seen a global ring steal $45m (£29m) from two Middle-Eastern banks after hacking into credit card processing companies and withdrawing cash from ATMs in 27 countries around the world.

Global Bank ATM Cyber Heist Earns Criminals $45m in Hours
Elvis Rafael Rodriguez, left, and Emir Yasser Yeje, two of those charged in Brooklyn on Thursday, posed in March with approximately $40,000 in cash that the authorities say they were laundering. (Credit: Reuters)

Hackers accessed two credit card control companies before increasing the balance and withdrawal limit on MasterCard debit cards issued by the Bank of Muscat in Oman and National Bank of Ras Al-Khaimah (also known as RakBank) in the United Arab Emirates.

The account details were then sent to gangs of "cashers" in dozens of countries who then encoded the information on magnetic-stripe cards, enabling to use them to withdraw millions of dollars in a matter of hours.

The incident only came to light on Thursday, when US federal prosecutors in Brooklyn unsealed an indictment charging eight men in relation to the New York aspect of the global heist - including their suspected ringleader, who was found dead in the Dominican Republic last month.

High-value targets

The first attack took place last December when the hackers, who were not named in the indictment, accessed an unnamed Indian credit card processing company which handles Visa and Mastercard prepaid debit cards.

Such companies are seen as high-value targets for cyber criminals due to a combination of perceived weaker security measures being in place and the huge amount of data stored.

The hackers obtained the details of just five accounts from RakBank and raised the withdrawal limit on all accounts. "Even a few compromised bank account numbers can result in tremendous financial loss to the victim financial institution," the indictment states.

The use of prepaid cards rather than credit cards was also key, as it meant alarms would not be raised as the accounts would not be drained completely.

With the withdrawal limits eliminated, the hackers sent the details to "cashers" in 20 countries. On 21 December the crews made 4,5000 ATM withdrawals, stealing $5 million.

$1m an hour

However this was only a prelude to the main heist, which took place on 19 February. This time the hackers accessed a US-based credit card processing company, and stole the details of a dozen accounts, again raising the withdrawal limit.

Cyber Theft $45M ATM Scam
Images taken from the phone of a suspect, who was one of the eight individuals charged with using data obtained by hacking into two credit card processors in a cybercrime scheme, are presented at a news conference in New York, May 9, 2013 (Credit: Reuters)

This time the scale of the operation was more impressive. In a single 10 hour period, beginning at 10am (GMT) 36,000 ATM transactions were made by the crews of "cashers" across 24 countries, netting $40m in stolen cash.

In New York alone a group of just eight "cashers" made 2,904 withdrawals claiming a total of $2.4m. However it was Japan where the group had most success, netting $10m in the 10-hour spree thanks to some banks in that country allowing individual transactions of up to $10,000 at a time.

Cyber experts said they believed the heist to be the work of several hundred people. The US Justice Department has accused eight men of forming the New York-based cell and has arrested seven. Six have pleaded not guilty and only one has posted bail.

Ringleaders

The heads of the operation are believed to be located outside of the United States. US law enforcers investigating the eight defendants told Reuters they discovered an email exchange associated with a money laundering scheme based in Russia.

Roughly 20% of the stolen money was kept by the "cashers", while the rest was sent back to the heist's organisers. US authorities seized hundreds of thousands of dollars while investigating the defendants as well as a Mercedes SUV and two Rolex watches.

Cyber bank theft spans 27 countries
A woman looks at a map showing where eight members belonging to a New York-based cell of a global cyber criminal organization withdrew money from ATM machines, during a news conference in New York, May 9, 2013. (Credit: Reuters)

The Bank of Muscat disclosed in February it will take an impairment charge of up to 15m rials (£25m), more than half of the 25m rials net profit posted by the bank at the end of its first financial quarter in March.

Frederick Rivera, an attorney with Perkins Coie, said banks may not be able to recover losses and could be left "holding the bag" if it is found their security protocols were not up to the standards set in their insurance contracts.

A worldwide investigation to uncover the ring has now been launched, with US authorities working with counterparts in 16 different countries, including the United Kingdom and France.