Ehud Tenenbaum, an Israeli hacker arrested in Canada last year for allegedly stealing about $1.5 million from Canadian banks, also allegedly hacked two U.S. banks, a credit and debit card distribution company and a payment processor in what U.S. authorities are calling a global "cashout" conspiracy.

The U.S. hacks have resulted in at least $10 million in losses, according to court records obtained by Threat Level, and are just part of a larger international conspiracy to hack financial institutions in the United States and abroad.

The broadened case highlights the continued vulnerability of U.S. financial networks to cybercrime, despite supposedly tight industry security standards. It comes on the heels of other multimillion-dollar heists that also breached the security protecting ATM codes and account information. In late 2007, criminals used four hacked iWire payroll cards to steal $5 million from ATMs around the world in just two days. Shortly thereafter, a processing server that handles withdrawals from Citibank-branded ATMs at 7-Eleven convenience stores was cracked, leading crooks to converge on New York to withdraw at least $2 million from Citibank accounts using the stolen ATM data. And a carefully coordinated global heist last November resulted in a one-day haul of $9 million in cash, following a breach at payment processor RBS WorldPay.

Tenenbaum, 29, made headlines a decade ago under his hacker handle "The Analyzer" for penetrating Pentagon computers and other networks. He'd been living in France, and had only been in Canada about five months on a six-month visitor's permit when he was arrested last August in Calgary with three alleged accomplices for allegedly hacking into Direct Cash Management, a Calgary company that distributes prepaid debit and credit cards. A Canadian court granted him CDN $30,000 bail, but before he could be released from jail, U.S. authorities swooped in with a provisional warrant to retain him in custody while they pursued an indictment and extradition.

"I think he's probably been getting away with stuff for 10 years," said Darren Hafner, an acting detective with the Calgary police who investigated Tenenbaum on the Canadian charges. "We haven't seen or heard from him since the Pentagon attack. But these guys tend to get this 'cops can't touch me attitude' and then they get sloppy like any criminal in any type of crime."

Documents in the U.S. case have been sealed, but Threat Level obtained an affidavit detailing the U.S. allegations filed with the Canadian court handling Tenenbaum's extradition case. The affidavit (.pdf) was signed by Hafner and provides insight into the wave of multimillion-dollar hacks that have hit a number of financial institutions in the last year as well as the trail of clues left behind by at least one of the alleged hackers.

According to the affidavit, in October 2007, the United States Secret Service began investigating "an international conspiracy" to hack into computer networks of U.S. financial institutions and other businesses. As part of that investigation, agents examined network intrusions that occurred in January and February 2008 at OmniAmerican Credit Union, based in Fort Worth, Texas, and Global Cash Card of Irvine, California, a distributor of prepaid debit cards used primarily for payroll payments.

In both cases, the attacker gained access using a SQL injection attack that exploited a vulnerability in the company's database software. The attacker grabbed credit and debit card numbers that were then used by thieves in several countries to withdraw more than $1 million from ATMs.

In April and May 2008, agents investigated two additional hacks at 1st Source Bank in Indiana, and at Symmetrex, a prepaid debit card processor based in Florida. The intruder again used a SQL injection attack, and losses added up to more than $3 million.
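The two paragraphs above name SQL injection as the entry vector at all four U.S. institutions without saying what that looks like in code. The following is an added illustration, not code from the article or from any of the companies named in it: it builds a constructed in-memory card table (the card numbers, holders and balances are made up), runs the same lookup two ways, and shows why a query built by string concatenation hands an attacker the whole table while a parameterized query, backed by a strict input check, does not. The table and column names and the `lookup_*` functions are assumptions for the purposes of this example.

```python
import re
import sqlite3

# Constructed sample data: fake card identifiers, not real account numbers.
SAMPLE_CARDS = [
    ("4000-0000-0000-0001", "alice", 1500),
    ("4000-0000-0000-0002", "bob", 1500),
    ("4000-0000-0000-0003", "carol", 2500),
]

# Assumed card-id format for this example: four groups of four digits.
CARD_ID_PATTERN = re.compile(r"^\d{4}-\d{4}-\d{4}-\d{4}$")


def build_db():
    """Create an in-memory SQLite database holding the constructed card table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (card_id TEXT, holder TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", SAMPLE_CARDS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, card_id):
    """Balance lookup that splices user input straight into the SQL text.

    Any quote character in card_id ends the string literal and lets the
    remainder of the input be parsed as SQL, which is the defect the article
    describes at a high level.
    """
    query = f"SELECT holder, balance FROM cards WHERE card_id = '{card_id}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, card_id):
    """Balance lookup with two independent defences.

    1. Reject anything that is not shaped like a card id before it reaches
       the database (allow-list validation).
    2. Bind the value as a query parameter so the driver never treats it as
       SQL, whatever characters it contains.
    """
    if not CARD_ID_PATTERN.match(card_id):
        raise ValueError("card id does not match the expected format")
    return conn.execute(
        "SELECT holder, balance FROM cards WHERE card_id = ?", (card_id,)
    ).fetchall()


def compare(card_id):
    """Run both lookups on the same input and report row counts.

    Returns (vulnerable_rows, hardened_rows); hardened_rows is None when the
    input was rejected by validation before any query ran.
    """
    conn = build_db()
    vulnerable_rows = len(lookup_vulnerable(conn, card_id))
    try:
        hardened_rows = len(lookup_hardened(conn, card_id))
    except ValueError:
        hardened_rows = None
    conn.close()
    return vulnerable_rows, hardened_rows


if __name__ == "__main__":
    # A well-formed id behaves the same either way: exactly one row.
    print("legitimate id:", compare("4000-0000-0000-0002"))
    # A tautology in the input turns the vulnerable query into
    # "... WHERE card_id = '' OR '1'='1'" and dumps every card;
    # the hardened path rejects it before a query is built.
    print("tautology input:", compare("' OR '1'='1"))
```

Running the script prints `(1, 1)` for the legitimate id and `(3, None)` for the tautology input: the concatenated query returned all three constructed cards, while the hardened path never issued a query at all. The parameter binding alone would also have returned zero rows for that input, because SQLite compares the whole string literally; the allow-list check is there so that malformed input is logged and refused rather than silently matching nothing.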

Investigators traced the intrusions to several servers belonging to HopOne Internet in McLean, Virginia, which turned out to be just a routing point for an attack that originated from servers at the Dutch web hosting company LeaseWeb — one of the largest hosting companies in Europe.

On April 7, 2008, the U.S. asked Dutch law-enforcement agents to track "all computer traffic pertaining to three servers hosted by LeaseWeb" and intercept "the content of that traffic" for 30 days, according to the affidavit. The interception request was renewed for another 30 days on May 9.

Among the wiretapped traffic, authorities found communications that allegedly occurred between Tenenbaum — using the e-mail address Analyzer22@hotmail.com — and other known hackers discussing the breaches into the four U.S. institutions "as well as many other U.S. and foreign financial institutions."

In one instant message chat in April 2008, Tenenbaum allegedly discussed trying to hack into Global Cash Card after system administrators at the company apparently locked him out from an initial intrusion.

"Yesterday I rechecked [Global Cash Card]. They are still blocking everything," he allegedly wrote. "So we can't hack them again."

On April 18, 2008, authorities say Tenenbaum gave a co-conspirator the compromised debit and credit card account numbers of more than 150 accounts taken from Symmetrex as well as the computer commands he'd used to execute the attack. Then, throughout the night of April 20, he received updates from accomplices in Russia and Turkey as they successfully withdrew cash from ATMs, and from Pakistan and Italy where the cards apparently failed to work. The next day, more cards were used in Bulgaria, Canada, Germany, Sweden and the United States. By late afternoon that day, Tenenbaum told an accomplice he'd racked up about "350 - 400" in earnings. The affidavit notes that this likely referred to 350,000 to 400,000 dollars or euros.

In an April 20 chat, Tenenbaum allegedly gave an accomplice additional cards, and asked the accomplice to find a "casher" — the underground's term for the low-level worker whose only job is to withdraw the loot.

"I am making a small operation, you have casher?" he allegedly wrote. "I been trying to get a hold of you. I saved for you 25 cards, each one $1,500 limit. Get casher as soon as possible. Ok, I will load them."

According to authorities, after Tenenbaum got into the 1st Source Bank network, he obtained administrator privileges that allowed him to view credit card numbers and ATM output. While doing so, he apparently ran into other hackers who were already inside the system trying to execute shell commands.

"Is HUGE," he allegedly wrote an accomplice. "I saw ATM outputs, tons of cards. I am admin there, and I already cracked some of the domain."

His accomplice replied that there were already people inside the network and asked Tenenbaum to get out. Tenenbaum replied, "Dude, like I told ya. It's [Microsoft] Windows network. I am happy I could help you to get shell there. Now it's your guys' job."

About a month later, Tenenbaum allegedly disclosed that he'd hacked Alpha Bank in Greece, the country's second largest commercial bank, where he said friends of his worked.

Despite Tenenbaum's earlier notoriety as "The Analyzer," he apparently made no attempt to hide his real identity, using an e-mail address with a name that was previously tied to him, as well as an IP address that was easily connected to him.

"He's a really intelligent guy, but I think he's just got this cocky attitude that 'no one can get me,'" Hafner told Threat Level. As a result, he says, Tenenbaum made a lot of telling missteps.

According to the affidavit, the subscriber information for the Hotmail account that was used to discuss the hacks was registered under Tenenbaum's real name and birth date. Hafner also told Threat Level that Tenenbaum was caught on an ATM surveillance camera withdrawing funds from one of the compromised Canadian accounts.

Tenenbaum was director of a computer security company that he ran out of Montreal called Internet Labs Secure. U.S. authorities found that someone using an IP address registered to his company accessed the Hotmail account, and also used it to access the Global Cash Card network to check the balances of compromised cards and attempt to increase the limits on the accounts. Someone used a second IP address associated with Tenenbaum to access Global Cash Card and "download a file containing all of that compromised computer's data," according to the affidavit.

Global Cash Card did not respond to calls for comment from Threat Level. A spokesman for Symmetrex, which was owned at the time of the hack by Britain-based Altair Financial Services, had no knowledge of the breach, but said Symmetrex processes about 500,000 debit transactions a month for prepaid payroll and gift cards and claimed the company was compliant with the PCI security standards that financial institutions say protect them from such intrusions. It's not known if either company notified customers whose information was breached. There does not appear to be any public announcement about either intrusion.

Symmetrex is the third card-processing company known to have been hacked within the course of a year. Last December, RBS WorldPay, a U.S. payment processing division owned by the Royal Bank of Scotland, announced that it had been hacked in November, and that information on 1.5 million cardholders was compromised. Earlier this year, Heartland Payment Systems announced that it also had been hacked some time last year. Heartland has never released numbers indicating the number of cards compromised in its breach. The company claimed that it was also PCI-compliant at the time of its breach.

The other two institutions Tenenbaum allegedly hacked last year did warn customers their information was breached. OmniAmerican told customers in January 2008 that an international gang of cyber criminals hacked its network and stole scores of account numbers. The intruders modified PINs for the accounts and passed them to accomplices who withdrew cash from ATMs in Russia, Ukraine and elsewhere. According to letters (.pdf) it sent customers and the New Hampshire attorney general, the company discovered fraudulent account activity on Jan. 18, 2008 and notified customers six days later. According to a news story, the bank reissued some 40,000 debit cards. The chief security officer at McAfee characterized the hack as sophisticated and the work of an "elite" hacker, "not a kid."

Similarly, on May 29, 2008, 1st Source Bank sent a letter to Maine's attorney general disclosing that it discovered a network security breach on May 12. According to the letter, the intruder gained access to debit card information (.pdf) and to a database containing the name, address, date of birth and Social Security Number of account holders.

The affidavit detailing the charges against Tenenbaum says investigators have attributed $10 million in losses to the hacking spree, though it attributes only $1 million in losses to the OmniAmerican and Global Cash Card hacks, and $3 million to the 1st Source Bank and Symmetrex hacks. It's not clear where the remaining $6 million in alleged losses come from, and the U.S. Attorney's office in the Eastern District of New York, where Tenenbaum is being charged, was unable to account for the discrepancy in the totals.

Tenenbaum's attorney in Canada did not respond to calls for comment.

Photo: Ehud Tenenbaum, then 18, sits in his father's car outside a police station near Tel Aviv, Israel, in 1998. Nati Harnik/AP PHOTO