$45M drained from bank accounts in international carding heist

Eight individuals have been charged for their role in the hacking of two credit card processors which allowed a global gang to withdraw tens of millions of dollars from ATMs around the world.

According to an indictment unsealed by US Federal prosecutors, the eight defendants formed the New York-based operation of the international racket.

Seven of the gang have been arrested, while the alleged leader of the New York cell, Alberto Lajud-Peña, 23, is believed to have been murdered last month in the Dominican Republic.

The defendants are charged with conspiracy to commit access device fraud, which carries a 7 1/2-year maximum sentence, and money laundering conspiracy and money laundering, which each carry a maximum of 10 years.

According to federal prosecutors, the eight defendants and unnamed co-conspirators allegedly withdrew an estimated $US 2.4 million from nearly 3000 ATMs in the New York City area from 3pm on 19 February through the early morning of 20 February.

In total, $US40 million was stolen worldwide during that period.

Federal prosecutors called the cyber attacks “unlimited operations," meaning intruders hack into the computer systems of credit card processors – in this case reportedly one was located in the United States and the other in India – to compromise prepaid debit card accounts, then raise the limits on the accounts.

Prosecutors said they targeted MasterCard prepaid debit cards issued by the Bank of Muscat in Oman.

Using the information they purloined, teams of "carders" and "cashers" then created cloned cards and used them to withdraw the funds.

In a separate occasion on December 2012, the crime outfit allegedly hacked a credit card processor that handles transactions for prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah (RAKBANK) PSC in the United Arab Emirates.

In that operation, around $US5 million was fraudulently withdrawn through more than 4500 ATM transactions made in 20 countries.

The heists are reminiscent of the 2008 attack on processor RBS WorldPay, now known as WorldPay, in which 1.5 million cardholders were affected.

Loretta Lynch, US attorney for the Eastern District of New York, called the campaign a “massive 21st century bank heist,” where the criminals used “laptops and the internet” instead of “guns and masks”.

This article originally appeared at scmagazineus.com