NEW YORK — A four-count federal indictment was unsealed in Brooklyn May 9 charging eight defendants with participating in two worldwide cyberattacks that inflicted $45 million in losses on the global financial system in a matter of hours. The indictment is the result of an extensive investigation led by the U.S. Secret Service (USSS) and U.S. Immigration and Customs Enforcement's (ICE) Homeland Security Investigations (HSI).
These defendants allegedly formed the New York-based cell of an international cybercrime organization that used sophisticated intrusion techniques to hack into the systems of global financial institutions, steal prepaid debit card data, and eliminate withdrawal limits. The stolen card data was then disseminated worldwide and used in making fraudulent ATM withdrawals on a massive scale across the globe. The eight indicted defendants and their co-conspirators targeted New York City and withdrew approximately $2.8 million in a matter of hours. The defendants are charged variously with conspiracy to commit access device fraud, money laundering conspiracy and money laundering.
Seven of the eight defendants have been arrested on the charges in the indictment. The arrested defendants are: Jael Mejia Collado, Joan Luis Minier Lara, Evan Jose Peña, Jose Familia Reyes, Elvis Rafael Rodriguez, Emir Yasser Yeje and Chung Yu-Holguin, all residents of Yonkers, N.Y.
Rodriguez was arrested on a criminal complaint March 27 when he attempted to flee the United States for the Dominican Republic. Peña was arrested on a criminal complaint in Yonkers April 3. Lara, Reyes, and Yeje surrendered to law enforcement authorities April 15. Collado and Yu-Holguin were arrested the afternoon of May 8.
The indictment also charges an eighth defendant, Alberto Yusi Lajud-Peña, aka Prime and Albertico. Lajud-Peña is reported to have been murdered April 27 in the Dominican Republic.
"The arrests today reflect the government's joint efforts to bring a global cybercrime enterprise to justice," said James T. Hayes Jr., special agent in charge of HSI New York. "HSI is proud to be part of a proactive federal law enforcement initiative that uses its collective resources to pull the plug on those who attempt to use the Internet to commit bank robbery."
"New technologies and the rapid growth of the Internet have eliminated the traditional borders of financial crimes and provided new opportunities for the criminal element to threaten the world's financial systems," said Steven Hughes, special agent in charge of the USSS New York Field Office. "However, as demonstrated by the charges and arrests announced today, the Secret Service and its law enforcement partners have adapted to these technological advancements and utilized cutting edge investigative techniques to thwart this cybercriminal activity. I want to take this opportunity to commend the dedicated men and women of the Secret Service and HSI for their extraordinary efforts in this investigation. This case is an excellent example of the impact that can be made when the law enforcement community works together."
"As charged in the indictment, the defendants and their co-conspirators participated in a massive 21st century bank heist that reached across the Internet and stretched around the globe," said U.S. Attorney Loretta E. Lynch, Eastern District of New York. "In the place of guns and masks, this cybercrime organization used laptops and the Internet. Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of ATMs in a matter of hours. Law enforcement is committed to moving just as swiftly to solve these cybercrimes and bring their perpetrators to justice."
The 'Unlimited Operation'
As alleged in the indictment and other court filings, the cyberattacks employed by the defendants and their co-conspirators in this case are known in the cyber underworld as Unlimited Operations – through its hacking 'operation,' the cybercrime organization can access virtually 'unlimited' criminal proceeds.
The Unlimited Operation begins when the cybercrime organization hacks into the computer systems of a credit card processor, compromises prepaid debit card accounts and essentially eliminates the withdrawal limits and account balances of those accounts.
The elimination of withdrawal limits enables the participants to withdraw literally unlimited amounts of cash until the operation is shut down. Unlimited Operations are marked by three key characteristics:
- The surgical precision of the hackers carrying out the cyberattack;
- The global nature of the cybercrime organization; and
- The speed and coordination with which the organization executes its operations on the ground.
These attacks rely upon both highly sophisticated hackers and organized criminal cells whose role is to withdraw the cash as quickly as possible. As alleged in court filings, Unlimited Operations are executed in the following manner:
- First, over the course of months, the hackers plan and execute sophisticated cyber intrusions to gain unauthorized access to the computer networks of credit card processors that are responsible for processing prepaid debit card transactions. They target databases of prepaid debit cards, which are typically loaded with finite funds – such cards are used by many employers in lieu of paychecks and by charitable organizations to distribute disaster assistance. The cybercriminals breach the debit card accounts' security protocols, then dramatically increase the balances and effectively eliminate the withdrawal limits on the accounts. The elimination of withdrawal limits enables the participants to withdraw unlimited amounts of cash until the operation is shut down.
- Next, the cybercrime organization cashes in, by distributing the hacked prepaid debit card numbers to trusted associates around the world – the two cyberattacks charged in this case allegedly involved 26 countries. These associates operate cells or teams of cashers, who encode magnetic stripe cards – such as gift cards – with the compromised card data. When the cybercrime organization distributes the personal identification numbers (PINs) for the hacked accounts, the casher cells spring into action, immediately withdrawing cash from ATMs across the globe. Meanwhile, the cybercrime organization maintains access to the computer networks of the credit card processors they have hacked in order to monitor the withdrawals. At the end of an operation – when the cards are finally shut down – the casher cells launder the proceeds, often investing the operation's proceeds in luxury goods, and kick money back up to the cybercrime organization's leaders.
The charged 'Unlimited Operation' cyberattacks
According to the government's filings, between approximately October 2012 and April 2013, the defendants and their co-conspirators conducted two Unlimited Operations. The first operation Dec. 22, 2012, targeted a credit card processor that processed transactions for prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, also known as Rakbank, in the United Arab Emirates.
After the hackers penetrated the credit card processor's computer network, compromised the Rakbank prepaid card accounts, and manipulated the balances and withdrawal limits, casher cells across the globe operated a coordinated ATM withdrawal campaign.
In total, more than 4,500 ATM transactions were conducted in approximately 20 countries around the world using the compromised Rakbank account data, resulting in approximately $5 million in losses to the credit card processor and Rakbank. In the New York City area alone, over the course of just two hours and 25 minutes, the defendants and their co-conspirators conducted approximately 750 fraudulent transactions, totaling nearly $400,000 at over 140 different ATM locations throughout the city.
As alleged in the indictment and other court filings, the second of these Unlimited Operations occurred on the afternoon of Feb. 19 and lasted into the early morning of Feb. 20. This operation again breached the network of a credit card processor that serviced MasterCard prepaid debit cards, this time issued by the Bank of Muscat, located in Oman. Again, after the cybercrime organization's hackers compromised Bank of Muscat prepaid debit card accounts and distributed the data, the organization's casher cells engaged in a worldwide ATM withdrawal campaign. This attack was particularly devastating: Over the course of approximately 10 hours, casher cells in 24 countries executed approximately 36,000 transactions worldwide and withdrew about $40 million from ATMs. From 3 p.m. Feb. 19 through 1:26 a.m. Feb. 20, the defendants and their co-conspirators withdrew approximately $2.4 million in nearly 3,000 ATM withdrawals in the New York City area.
As charged in the indictment and other filings, Lajud-Peña was the leader of the New York cell of this organization. In the wake of the charged Unlimited Operations, he and defendants Rodriguez and Yeje laundered hundreds of thousands of dollars in illicit cash proceeds. In one transaction alone, nearly $150,000 – in the form of 7,491 $20 bills – was deposited at a bank branch in Miami into an account controlled by Lajud-Peña.
Cell members also invested the criminal proceeds in portable luxury goods, such as expensive watches and cars. To date, the U.S. government has seized hundreds of thousands of dollars in cash and bank accounts, two Rolex watches and a Mercedes SUV, and is in the process of forfeiting a Porsche Panamera. The Mercedes and Porsche were purchased with $250,000 in proceeds of this scheme.
In announcing the charges, U.S. Attorney Lynch praised the extraordinary efforts of the Secret Service in responding so rapidly to these attacks and investigating both the complex network intrusions that occurred overseas and the criminal activity occurring locally. Ms. Lynch also thanked HSI for its invaluable role in recent arrest and seizure operations, as well as MasterCard, Rakbank and the Bank of Muscat for their cooperation with this investigation.
U.S. Attorney Lynch expressed gratitude for the timely and extensive assistance of law enforcement authorities in Japan, Canada, Germany and Romania. She also thanked authorities in the United Arab Emirates, Dominican Republic, Mexico, Italy, Spain, Belgium, France, United Kingdom, Latvia, Estonia, Thailand and Malaysia for their cooperation in this investigation.
If convicted, the defendants face a maximum sentence of 120 months in federal prison on each of the money laundering charges. They also face up to 90 months on the conspiracy to commit access device fraud charge, restitution and up to $250,000 in fines.
In addition, all property involved in the money laundering offenses and all proceeds of the conspiracy to commit access device fraud are subject to forfeiture.
The government's case is being prosecuted by Assistant United States Attorneys Cristina M. Posa, Hilary Jager, Brian Morris and Kevin Trowel, all of the Eastern District of New York.