US & Canada

Cybercriminals 'drained ATMs' in $45m world bank heist

This photo obtained on 10 May 10 2013, by the US Attorney’s Office in New York shows defendants Elvis Rafael Rodriguez (left) and Emir Yasser Yeje as they pose on 25 March 2013 with what Federal prosecutors said was stolen money
Image caption Defendants Elvis Rafael Rodriguez (left) and Emir Yasser Yeje

A gang of cybercriminals stole $45m (£29m) by hacking into a database of prepaid debit cards and draining cash machines around the world, US prosecutors say.

Seven people have been charged in New York over the heist, which allegedly stretched across 26 countries.

An eighth suspect is thought to have been murdered in April.

The network used fake cards to target banks in the United Arab Emirates and Oman, court documents said.

Prosecutors said law enforcement agencies in Japan, Canada, the UK, Romania and 12 other countries were involved in the investigation.

Arrests had been made in other countries, they said, although details were not released.

'Laptops not guns'

"The defendants and their co-conspirators participated in a massive 21st Century bank heist that reached across the internet and stretched around the globe," Loretta Lynch, US Attorney for the Eastern District of New York, said in a statement.

"In the place of guns and masks, this cybercrime organisation used laptops and the internet."

Members of the scheme allegedly hacked computer systems to steal data on prepaid debit cards. The cards are pre-loaded with funds rather than being linked to a bank account or a line of credit.

Media playback is unsupported on your device
Media captionLoretta Lynch, US Attorney: "Instead of guns and masks they used laptops and malware"

They cancelled withdrawal limits and distributed information to accomplices referred to as "cashers" around the world.

The cashers then loaded other magnetic stripe cards, such as gift cards or old hotel keys, with the stolen data and used them to withdraw huge sums.

The first alleged raid took place at the Rakbank in the UAE in December. Criminals were able to conduct 4,500 transactions worth $5m across about 20 countries.

Prosecutors believe the group broke into the Bank of Muscat based in Oman in February. In the space of 10 hours, casher cells withdrew $40m in 36,000 transactions from ATMs in 24 countries.

According to the indictment of the New York defendants, they quickly moved to launder their cash, opening a Miami bank account and pouring money into cars, including a Porsche and a Mercedes, and Rolex watches.

Media playback is unsupported on your device
Media captionThe BBC's Rory Cellan-Jones explains how the hackers got the cash

Seven people have been arrested and face charges of conspiracy to commit access device fraud and money laundering.

The accused ringleader of the cell was reportedly murdered in the Dominican Republic just weeks earlier, prosecutors said.

"Our message is clear. Law enforcement should not stand by as cybercriminals target our global financial system for their own ends," Ms Lynch told reporters.

She added that the attack was the "largest theft of this type that we have yet seen".

More on this story