How an International Hacker Squad Made Off With $45 Million

One of history’s most sophisticated bank heists happened just a few months ago, but for this one, no getaway car was required. We’re deep into the digital age now, so it’s no longer a surprise when criminals raid bank accounts using nothing but computer keyboards and hacking software. What’s different about this one is the scale. On the day of the robbery, nerd-thugs around the world walked up to ATMS, pulled out special debit cards and withdrew a whopping $45 million. It was a massive 21st-century crime and a significant lesson for financial institutions about the importance of tight security.

The operation unfolded on two different days, December 12, 2012 and February 19, 2013. These two coordinated attacks used operatives spread out over 27 countries on five continents to steal money from over 5,000 ATMs. How were these roughly 81,000 transactions possible? How did they do it?

First, a handful of computer whizzes took a LAN party smoke break and, donning their virtual brass knuckles, hacked into financial databases in the United Arab Emirates and Oman. They raised the withdrawal limits and manufactured new access codes for 12 prepaid debit card accounts. The info was then passed on to a global crew who copied it onto cards that featured magnetic strips, thereby creating homemade ATM cards. Some of these improvised debit cards were even made from old hotel room keys, according to Time Magazine.

For the next stage, street operatives in over two dozen countries began to make withdrawals from these accounts, using the cards. Because of the extremely nerdy nature of the heist, it wasn’t quite as cool as what John Connor managed to pull off in T2, and if any motorcycle chases did happen, they happened several hours later, on Xbox. Over two days, the criminal collective pulled out the maximum amount with each ATM withdrawal, raking in a massive pile of unmarked cash.

The biggest hit was in Japan, where the street team made off with approximately $10 million. Another team used 2,904 ATMs in New York City to withdraw $2.4 million in two hours. It was by far a smaller take than what the Japan crew wrangled, but according to prosecutors it was still “one of the largest heists in New York City history.”

It was an expertly coordinated robbery, but not one with a happy ending for the New York crew. The thieves were photographed withdrawing cash from ATMs and stuffing it into backpacks. Eight men were indicted for the New York robbery on May 9.

While many members of the international crew have yet to be captured, the investigation continues, and although the heist was uncovered, the financial world remains uneasy about the security loopholes highlighted by the complex theft. Preventative measures like those pointed out by the Internet security firm 41st Parameter might have stopped the heist before it started. For example, it’s a good idea to gather intelligence about single devices that access multiple accounts and to identify activities related to theft preparation.

The operation was bound to be discovered at some point, because for the plan to work, hundreds of people had to keep a secret. But the fact that the crew still pulled it off as successfully as they did is a frightening prospect. Ones and zeros are a lot quieter than pickaxes and dynamite, and that means that the stakes are higher. We can only hope that this latest heist forces banks to reexamine their security protocols. If they don’t do it soon, America may want to think about stashing its loot in a huge subterranean coffee can beneath a bed somewhere in Kansas.

Does it worry you that cyber-crime seems to be getting easier for modern crooks? Or do you have faith that authorities can keep up with hackers in the long run? What can we do?