$40-million heist proves a timeless morality play
Every good heist movie comes with at least one major twist. The recent $40-million theft orchestrated in over 20 countries and pulled off via a team of hackers and street criminals does not disappoint in this regard.
The heist, pulled off in February, worked so well that it took a bit of time for most people to notice their missing funds. And like many morality plays, for one of its criminal masterminds, 23-year-old Alberto Lajud-Peña, it came to a fittingly ironic end: Two months after he and dozens of other individuals pulled off one of the largest bank robberies in history, Lajud-Peña was shot by members of his own heist ring while playing dominoes in his house in the Dominican Republic.
The carefully planned, multi-level crime took months to set up and one day to carry out, at ATMs across the world, including dozens in Manhattan. The plan was simple and the method was brilliant: The thieves targeted a prepaid credit card distributor from India, serving accounts from banks in the United Arab Emirates and Oman, two of the richest countries in the world, where a prepaid Mastercard may be stockpiled with tens of thousands of dollars. Hacking into the Indian servers, considered less secure than those of American credit card companies, the thieves simply raised the withdrawal amount on 12 fully stocked UAE bank cards—then duplicated the magnetic stripe from those cards onto dozens of counterfeit cards so that they could share the wealth.
After the computer team had worked its magic, the thieves on the ground moved in. In a 10-hour ATM spree, they hit 2,904 machines across New York City, as well as dozens of other cities around the world. The men and women on the street withdrew amounts of $2,000 to $3,000 at a time, until they had gradually racked up a $45 million payout—with $2.8 million in Manhattan, making it the second-largest theft in the city's history.
Like any great criminal ring, this one seems to have been beset with clashes and occasional bouts of stupidity. The criminals funneled the money into easily traceable hard items like Rolex watches and flashy sports cars, and they took pictures of themselves posing with piles of cash. They also argued over how to divide the money, with the hackers watching every transaction in real time to make sure no one took more than his or her share.
Elvis Rafael Rodriguez, left, and Emir Yasser Yeje, right, pose with cash from the payout.
Photo via the New York Times
But this particular crime ring is also surprisingly atypical—at least in terms of how we think of cybercrime. For one thing, these criminals were far from the white-collar "cyberterrorist" we typically associate with hacking, and they were not the typical white male nerd frequently associated with the spirit of cyber-anarchy. They were a diverse, wide-ranging system of teams working around the world. In Germany, one of the two arrested subjects was a 56-year-old woman. Among the eight on-the-ground suspects arrested yesterday in New York, many were Yonkers residents originally from the Dominican Republic, recruited from their neighborhood because they all knew each other.
In the U.S., bank security fraud totals around $1 billion a year, a figure that continues to rise as cybercriminals evolve their methods and learn their way around banking security systems. While the FBI has sought ways to track the workings of crime rings in real time, cybersecurity continues to be a game of catch-as-catch-can, as federal authorities struggle to stay ahead of hackers, who struggle to stay a step ahead of security developers, who struggle to stay ahead of hackers.
Like another astonishing heist in February—the $50 million Brussels diamond theft—this heist depended on an extraordinary mix of careful planning, surveillance, timing, and luck. The simplicity of the plan, combined with its global reach, may herald a new era for global cybercrime.
Then again, those involved in the U.S. criminal cell seem to have all the earmarks of classic criminal failure: too much cockiness after the job, greed and in-fighting, and carelessness about displaying the results of their crime.
This heist may have been one of the most well-executed in history, but for Lajud-Peña, found dead next to a tossed-aside envelope full of money, the aftermath was as predictable as a Hollywood ending—proving that even in the world of cybercrime, the more things change, the more some things remain timeless.
Photo by Aja Romano via the United States attorney's office, Eastern District of New York