Federal prosecutors unsealed charges Thursday against an alleged cybertheft ring accused of stealing $45 million from banks around the globe and using the loot for Rolex watches, luxury cars and other booty.
The charges were announced in Brooklyn, N.Y., by U.S. Attorney Loretta Lynch.
The eight defendants charged Thursday withdrew $2.8 million from New York banks in two separate attacks this past December and February, Lynch said. Each attack was pulled off in a matter of hours.
While the eight were taking the money from the New York banks, additional co-conspirators made more than $42 million in withdrawals at other banks across the world.
Authorities are still searching for other members of the global crime ring, Lynch said.
The ring used prepaid MasterCard debit cards that were issued by the National Bank of Ras Al-Khaimah PSC, located in the United Arab Emirates, and the Bank of Muscat, located in Oman.
The thieves hacked into the banks' systems to drastically increase the amount available on the cards, and then used the information about the cards to withdraw money at banks around the world.
Bill Stewart, a senior vice president at Booz Allen, said that while these hackers might have been sophisticated, using common criminals to withdraw cash from ATM machines shows that some cybercrime is still surprisingly low tech.
"The run of the mill criminals are more common [in cybercrime] than you think," said Stewart, an expert on cybercrime who works with financial firms.
He said the fact that the hacked banks were in the Middle East shows that cybersecurity in the global financial system is only as strong as the weakest link.
"There are still many institutions these days are not practicing good security hygiene," he said. "So these kinds of attacks work."
The eight suspects allegedly made nearly 3,800 separate transactions to withdraw the $2.8 million. That makes it the second largest theft on record in New York City, surpassed only by the 1978 Lufthansa heist made famous in the movie "Goodfellas."
While $45 million is one of the largest global bank robberies on record, it is not the largest. In July 2007, the media reported that guards at a private bank in Baghdad made off with at least $282 million in U.S. currency that was being stored there.
During the first attack in December 2012, the New York group allegedly withdrew $400,000 in 750 separate ATM transactions at more than 140 different locations in New York City in less than three hours.
Then in February, the perps withdrew $2.4 million in 3,000 ATM withdrawals made in just over 10 hours. Lynch described the group as a "virtual criminal flash mob, going from machine to machine drawing as much money as they can before these accounts are shut down."
They deposited some of the cash into bank accounts, in one case putting almost $150,000 in $20 bills into one account. They also bought expensive cars, watches and other luxury items.
Federal authorities said they have seized bank accounts, hundreds of thousands of dollars in cash, two Rolex watches and a Mercedes SUV. They are in the process of taking possession of a Porsche.
According to a statement from Lynch's office, one of the eight defendants, Alberto Yusi Lajud-Peña, described in the indictment as the leader of the group, was murdered in the Dominican Republic on April 27. The others were arrested over a six-week period that began March 27 and ended Tuesday.
Lynch, the prosecutor, said her office worked with law enforcement authorities in 16 countries -- including Japan, Canada, Germany and Romania -- as part of the investigation.
"The defendants and their co-conspirators participated in a massive 21st century bank heist that reached across the Internet and stretched around the globe," said Lynch. "In the place of guns and masks, this cybercrime organization used laptops and the Internet."
MasterCard ( issued a statement saying that it cooperated with the investigation and that its systems were not involved or compromised during these cyberattacks. )
Stewart said the arrests and criminal charges are a victory for law enforcement, but "the flip side is that even though we've identified some of the perpetrators, we're still out more than $40 million, and we'll never see most of that."
While hacking attacks often steal personal information that can then be used in identity theft schemes, hacking theft from banks and credit card companies by organized crime is also a growing problem. Two years ago, Citigroup ( admitted that more than $2.7 million was stolen from 3,400 accounts during a )hacking attack.