The indictment accused the eight men of hacking into a computer system at the U.S.-based payment-processing arm of the Royal Bank of Scotland Group and then allegedly cloning prepaid ATM cards that authorities said thieves used to draw cash from over 2,000 ATMs in 280 cities around the world within a couple of hours.
Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and a person identified only as "Hacker 3" were charged in a federal grand jury indictment for hacking into a computer network operated by the Atlanta-based credit card processing company.
The 16-count indictment charges Tsurikov, Pleshchuk, Covelin and Hacker 3 with conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud, access device fraud and aggravated identity theft. The indictment states the accused group used sophisticated hacking techniques to compromise the data encryption used by RBS WorldPay to protect customer data on payroll debit cards.
Igor Grudijev, 31, Ronald Tsoi, 31, Evelin Tsoi, 20, and Mihhail Jevgenov, 33, all of Tallinn, Estonia, were indicted for access device fraud.
The indictment brings to light the growing international nature of both hacking and ATM-based crime as well as the relative lack of a strong global response to prevent it. Security experts expect that as the credit card industry and retailers continue to tighten their own security, the focus will continue to shift to compromising payment networks and the primary hacking conspiracies will continue to be hatched overseas.
"Unfortunately, you have significant populations of younger people in both Eastern Europe and Asia who have often had good technical educations but who cannot easily find jobs," observed one expert who declined to be identified, not having been cleared to speak to the media. "With time on their hands and a willingness to keep picking the locks, eventually they will get in," the expert added.
Others drew attention to the coordinated nature of the robbery itself. While thieves previously would generally seek to compromise credit, debit or ATM card numbers in order to sell them, these thieves not only allegedly stole the card data and made the cards but also allegedly coordinated the near-simultaneous robberies of financial institutions through their ATMs.
It is this coordinated sort of looting that experts predict will get harder and harder to prevent unless the industry and governments around the world coordinate their responses to these crimes.
The RBS WorldPay case provides an example both of what can be done when such coordination takes place and of how comparatively rare it is, some experts said, even as authorities directly responsible for the indictments celebrated the cooperation that brought them about.
"Last November, in just one day, an American credit card processor was hacked in perhaps the most sophisticated and organized computer fraud attack ever conducted," said Acting United States Attorney Sally Quillian Yates of the case when the indictment was announced. "Today, almost exactly one year later, the leaders of this attack have been charged. This investigation has broken the back of one of the most sophisticated computer hacking rings in the world. This success would not have been possible without the efforts of the victim, and unprecedented cooperation from various law enforcement agencies worldwide."
In Washington, Assistant Attorney General of the Criminal Division Lanny A. Breuer said, "The charges brought against this highly sophisticated international hacking ring were possible only because of unprecedented international cooperation with our law enforcement partners, particularly between the United States and Estonia. Through our close cooperation, both nations have demonstrated our commitment to identifying sophisticated attacks on U.S. financial networks that are directed and operated from overseas and our commitment to bringing the perpetrators to justice."
At least three of the eight men named in the indictment are from Estonia. FBI Atlanta Special Agent in Charge Greg Jones said, "Through the diligent efforts of the victim company and multiple law enforcement agencies within the United States and around the world, the leaders of a technically advanced computer hacking group were identified and indicted in Atlanta, sending a clear message to cyber-criminals across the globe. Justice will not stop at international borders but continue with the ongoing cooperation between the FBI and other agencies, such as the Estonian Central Criminal Police and the Netherlands Police Agency."
But the ATM Industry Association, a trade association representing ATM deployers, manufacturers and networks around the world, has urged greater cooperation and increased penalties for ATM skimming and other ATM crimes. Skimming is the use of devices at ATMs to capture users' card and PIN numbers in order to defraud them later.
In a recent position paper on skimming, the association drew attention to the steadily increasing global nature of the crime.
"The involvement of organized crime groups in skimming, and other types of card fraud, is well-established and pervasive. The U.K. Home Office, in a report, 'Organized crime: revenues, economic and social costs, and criminal assets available for seizure', estimates that organized crime is involved in 85% of the illicit market for identity theft and 85% of the illicit market for counterfeit plastic card fraud," the association said, adding, "proceeds from skimming crimes are a major revenue source for globalized crime syndicates."
The association urged lawmakers around the world to strengthen laws and penalties against skimming and ATM crime.