Imagine a massive bank heist. Ski masks, assault rifles, getaway cars, hi-tech tools, maybe a good thumping to elicit a vault combination. Is that what you are picturing?
If so, forget this image. A unique combination of cyber sophistication and low-tech cash grabbing created a formula that worried officials are calling an “Unlimited Operation”—a new form of group theft designed to extract millions in minutes sans shoot-em-ups.
Earlier this year, USD 45 million in cash—among the largest heists on record—was stolen in two days from two banks without any of the more than 100 thieves involved stepping inside them. In May, eight members of the group’s New York cell were arrested as part of the heist that US District Attorney Loretta Lynch labeled “a virtual criminal flash mob”.
It works like this. First, hackers spend months gaining access to card information and the associated PINs. Once inside, they remove withdrawal limits, creating unlimited value on the cards. Then, the hackers send the card information to “cashers” in as many as 26 countries, including Canada, Egypt, Japan, Mexico, and Ukraine. These low-level operatives create dummy cards out of anything with a magnetic stripe, using a device called a “skimmer”. The altered Visas and MasterCards are then used to withdraw cash against the false limits.
“The folks who did this understood the credit card companies’ detection software at a high level and came up with an attack pattern that was difficult to recognize,” says Bill Stewart, a senior vice president at Booz Allen Hamilton (employer of famed whistleblower Ed Snowden).
On operation day, cashers darted between ATMs with the highest withdrawal limits (some in Japan were spitting out USD 10,000 at a time) and began stuffing cash into backpacks. The hackers watched in real time from an unknown hub.
On December 22, 2012, the Unlimited Operation nabbed more than USD 5 million in cash from cards connected to Rakbank, based in the UAE. The eight New York cashers walked away with USD 400,000 in 25 minutes.
On February 19, they looted USD 40 million from Oman’s Bank Muscat, with another USD 2.4 million coming from New York alone. Cash slowly flowed to the leaders, with cashers taking cuts along the way.
“This is relatively unique and reveals a degree of sophistication on the adversary’s part,” says Stewart. “It was a multipronged thing: there’s planning, there’s a strategy behind it.”
Speed and dispersion proved the best tools. MasterCard and Visa’s automated security could not detect withdrawals happening almost simultaneously at hundreds of ATMs around the world. No single casher caused a red flag; their net haul, however, did.
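The detection gap described above, as an added example that is not from the article or from any card network's system: a per-ATM check sees nothing unusual, while a sliding-window total across one issuer's card portfolio, combined with geographic spread, does. The record layout, thresholds, portfolio names and sample withdrawals are all assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed look-back window
PER_ATM_LIMIT = 20_000           # assumed per-terminal alert threshold (USD)
PORTFOLIO_LIMIT = 50_000         # assumed portfolio-wide threshold (USD)
MIN_COUNTRIES = 3                # assumed geographic-spread threshold

# Constructed sample: timestamp, issuer portfolio, ATM id, country, amount (USD)
SAMPLE = """\
2013-01-01T10:00:00,PREPAID-A,atm-jp-1,JP,10000
2013-01-01T10:01:00,PREPAID-A,atm-ca-1,CA,8000
2013-01-01T10:02:00,PREPAID-A,atm-mx-1,MX,9000
2013-01-01T10:03:00,PREPAID-A,atm-ua-1,UA,9000
2013-01-01T10:04:00,PREPAID-A,atm-eg-1,EG,8000
2013-01-01T10:05:00,PREPAID-A,atm-jp-2,JP,10000
2013-01-01T10:06:00,RETAIL-B,atm-ca-1,CA,200
2013-01-01T10:20:00,RETAIL-B,atm-ca-2,CA,300
"""

def parse(line):
    ts, portfolio, atm, country, amount = line.split(",")
    return datetime.fromisoformat(ts), portfolio, atm, country, int(amount)

def per_atm_alerts(txns):
    """Local view: a terminal is flagged only if its own total is too high."""
    totals = {}
    for _, _, atm, _, amount in txns:
        totals[atm] = totals.get(atm, 0) + amount
    return sorted(a for a, t in totals.items() if t > PER_ATM_LIMIT)

def portfolio_alerts(txns):
    """Aggregate view: sliding window per issuer portfolio across all ATMs."""
    windows, alerts = {}, []
    for ts, portfolio, _, country, amount in sorted(txns):
        win = windows.setdefault(portfolio, deque())
        win.append((ts, country, amount))
        while win[0][0] < ts - WINDOW:      # drop withdrawals older than WINDOW
            win.popleft()
        total = sum(a for _, _, a in win)
        countries = sorted({c for _, c, _ in win})
        if total > PORTFOLIO_LIMIT and len(countries) >= MIN_COUNTRIES:
            alerts.append((ts, portfolio, total, countries))
    return alerts

TXNS = [parse(line) for line in SAMPLE.splitlines()]

if __name__ == "__main__":
    print("per-ATM alerts:  ", per_atm_alerts(TXNS))
    print("portfolio alerts:", portfolio_alerts(TXNS))
```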
The dimensions of the organization—such as how many cashers operate around the globe and who directs them—remain unknown. Stewart referred to the New York cell as more of a community than an organization. “It’s just the tip of the iceberg.”
If true, the hyperconnected criminals who lie below will continue to work without a trace.