Federal authorities said they uncovered an advanced bank heist that defrauded Citigroup of more than $1 million by exploiting a security loophole in the way it handles electronic payments.

The scam worked by simultaneously withdrawing funds from cash advance kiosks maintained in at least 11 casinos located in California and Nevada, according to an indictment unsealed late last week in federal court in San Diego. Alleged ringleader Ara Keshishyan recruited at least 13 people to make transactions from different kiosks in each location. To exploit the weakness, the multiple advance requests had to be near identical and had to be made in the same 60-second window, FBI officials said in a press release.

"In order to obtain the case, the conspirators exploited a loophole in Citi's account security protocols, which caused Citi's account reconciliation systems to treat identical, near-simultaneous withdrawals as duplicates of a single withdrawal from an individual Citi Checking account," prosecutors alleged in the indictment. "In exploiting this loophole, the conspirators withdrew identical sums of money in succession from a single Citi checking account all within a specific time window. This allowed the conspirators to fraudulently withdraw several times the amount of money deposited into each account."

The defendants obtained more than $1 million from Citigroup, prosecutors said. To conceal the scam, they kept withdrawal below $10,000 to avoid federal transaction reporting requirements. The kiosks were operated by Global Cash Access, a Las Vegas-based financial transaction services company. They allow casino patrons to get cash that's held in personal banking accounts. The Citigroup loophole has been closed, The Press-Enterprise reported.

Prosecutors said Keshishyan caused sums of $10,000 or less to be deposited into various Citi checking accounts. The conspirators he allegedly hired would then use Citi ATM cards to obtain cash amounts from the kiosks that collectively exceeded the account balances. The defendants allegedly used the stolen funds to gamble at the casinos, allowing them to receive free rooms and other perks in return for high-roller status.

All 14 defendants were charged with conspiracy to commit bank fraud and conspiracy to illegally structure financial transactions to avoid reporting requirements. The maximum penalty if convicted on those charges is five years in prison and a $250,000 fine. Keshishyan has also been charged with 14 counts of bank fraud, each of which is punishable by up to 30 years in prison and a $1 million fine. Prosecutors are also seeking forfeiture of money and property belonging to the defendants.

It's unknown if any of the defendants have issued a plea in the case.