Russian hacker sells home and cars to pay RBS

Money, keyboard
Image caption The hackers withdrew huge amounts of cash from ATMs in 280 cities

A Russian hacker who breached the security of RBS' WorldPay service and stole $9m (£6m) has had his property sold to compensate the bank.

Viktor Pleshchuk's two flats and two cars, a BMW and a Lada, were auctioned off in Saint Petersburg on Monday.

According to a Russian news portal RIA Novosti, the sale raised 10m roubles (£200,000).

It reported that the money had been transferred to RBS, something the bank was unable to confirm.

Mr Pleshchuk and seven other Eastern European hackers managed to get their hands on the personal data of thousands of RBS customers in 2008.

They used the information to create fake debit cards and withdraw huge amounts of cash from ATMs in as many as 280 cities around the world.

The money was taken from 2,100 bank cash machines within 12 hours in the US, Russia, Estonia, Italy, Hong Kong, Japan and Canada.

Sophisticated plan

Kaspersky Labs chief security expert Alex Gostev said that the actual hacking was not the most complicated task the criminals had to deal with.

"The most interesting part was the final stage of the attack - the organisation of mass withdrawals all over the world," he said.

"They had to find more than 150 people in [numerous] cities, give each one of them the instructions and the fake cards, organise synchronised withdrawal - all of this shows that it was a group of highly skilled professionals".

Once arrested, Mr Pleshchuk pleaded guilty.

In 2009, he and the rest of the hackers were also pursued by authorities in the US.

The eight were charged in the state of Georgia, where the Atlanta-based card-processing company, RBS WorldPay, was targeted.

In September 2010, Mr Pleshcuk received a six-year suspended sentence and an order to pay $8.9m (£6m) in restitution.

He managed to avoid jail by pledging to sell his property and compensate the bank for the damage caused.

Online bank fraud

Brian Krebs, an American journalist specialising in cybercrime and computer security, recently tracked an ATM heist that was eerily similar to the RBS attack.

He explained that the attackers managed to get into the US-based FIS - Fidelity National Information Services - one of the world's largest processors of prepaid debit cards. They then planted a remote access trojan virus and used the data that they obtained to top up the reloadable prepaid debit cards they had compromised.

After that, they cloned the stolen debit cards, sent copies of them to co-conspirators in more than six countries, and raided the bank's accounts.

Mr Krebs said the FIS incident was very much like the RBS case, "clearly organised and professional".

"When the funds on the cards reached close to zero, the hackers used their remote access to top up the cards again," he told BBC News.

"They did this over and over and stole [millions] in less than 24 hours. These guys had access, they had a plan, and they had the means, and they executed it brilliantly."

Joseph Menn, a Financial Times reporter who covers technology-related privacy and security issues, said that similar attacks are still netting criminals millions.

"The FBI said last week it is investigating online bank fraud crimes with losses totalling $85 million," said Mr Menn.

"The problem is that the technology used to commit such crimes is increasingly available and the penalties, as we have seen with the Pleshchuk case, are extremely light even in the rare event of an arrest, due largely to corruption.

"From a cost-benefit perspective, there is no reason for criminal enterprises not to double their bets on international bank crimes, so the problem will continue to get worse.

More on this story