How hackers allegedly stole “unlimited” amounts of cash from banks in just hours

Federal authorities have accused eight men of participating in 21st-Century Bank heists that netted a whopping $45 million by hacking into payment systems and eliminating withdrawal limits placed on prepaid debit cards.
The eight men formed the New York-based cell of an international crime ring that organized and executed the hacks and then used fraudulent payment cards in dozens of countries to withdraw the loot from automated teller machines, federal prosecutors alleged in court papers unsealed Thursday.
In a matter of hours on two separate occasions, the eight defendants and their confederates withdrew about $2.8 million from New York City ATMs alone. At the same times, "cashing crews" in cities in at least 26 countries withdrew more than $40 million in a similar fashion.
Prosecutors have labeled this type of heist an "unlimited operation" because it systematically removes the withdrawal limits normally placed on debit card accounts. These restrictions work as a safety mechanism that caps the amount of loss that banks normally face when something goes wrong. The operation removed the limits by hacking into two companies that process online payments for prepaid MasterCard debit card accounts issued by two banks—the National Bank of Ras Al-Khaimah PSC in the United Arab Emirates and the Bank of Muscat in Oman—according to an indictment filed in federal court in the Eastern District of New York. Prosecutors didn't identify the payment processors except to say one was in India and the other in the United States.
The first heist, which occurred on December 22 and targeted debit cards issued by the UAE bank, dispatched carders in about 20 countries that rapidly withdrew funds in more than 4,500 ATM transactions. In New York City alone, prosecutors said, the defendants and their co-conspirators withdrew almost $400,000 in some 750 fraudulent transactions from more than 140 different ATM locations. It took just two hours and 25 minutes for the New York cell to complete, prosecutors said. A second operation commenced on February 19 withdrew about $40 million in 36,000 transactions worldwide. In just 10 hours, the New York group allegedly withdrew about $2.4 million in almost 3,000 ATM transactions.
The operation exploited weaknesses in the way banks and payment processors handle prepaid debit cards, which usually are loaded with a finite amount of funds. These cards are often used by employers in place of paychecks and by charitable organizations to distribute disaster assistance. Once the accounts were hacked and the limits removed from accounts, cards were cloned and sent to cell groups throughout the world to make fraudulent withdrawals. Additional details of the operation are available in a press release outlining the charges.
The defendants—seven who are in custody and one who was reportedly murdered two weeks ago in the Dominican Republic—allegedly used the proceeds to buy expensive watches, cars, and other luxury items. The surviving defendants have been charged variously with conspiracy to commit access device fraud, money laundering conspiracy, and money laundering. If convicted, they each face a maximum sentence of 10 years in prison for each money-laundering charge and seven and a half years on conspiracy to commit access device fraud.