Four men have been indicted in Georgia on charges that they hacked into the Atlanta-based bank card processing company RBS WorldPay. They allegedly used an army of flunkies to steal $9.5 million in cash from ATMs around the world in a span of hours.

Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and a fourth person identified only as "Hacker 3" were indicted by a federal grand jury in what's being described as "perhaps the most sophisticated and organized computer fraud attack ever conducted."

The hack involved reverse-engineering PINs for payroll debit card accounts – the holy grail of bank card hacking. Another four people based in Estonia were also indicted on access-device fraud charges in connection with the hack.

The case is being prosecuted by the U.S. Attorney's office for the Northern District of Georgia, in Atlanta.

RBS WorldPay, the payment-processing arm of the Royal Bank of Scotland, provides a multitude of electronic payment processing services, including debit card transactions, electronic benefits transfer payments (EBT), gift cards, customer-loyalty cards, prepaid cards, credit card and ATM-processing services. The processor discovered last November 10 that it had been hacked and that the intruders had accessed account details for 100 payroll cards. The hackers also obtained Social Security numbers of about 1.1 million account holders.

Initial reports painted the intrusion as a limited hack, due to the number of cards compromised. But the 16-count indictment charges that the four hackers "compromised the data encryption" that RBS WorldPay used on payroll debit cards to raise the amount of funds available on the cards, as well as withdrawal limits. Payroll debit cards are used by employers to pay employees instead of checks. In some cases the hackers raised the limits to $500,000.

According to the indictment, Tsurikov conducted reconnaissance of the RBS network after Covelin provided him with information about vulnerabilities in the system. Pleshchuk and Covelin then worked on exploiting the vulnerabilities to obtain access on November 4. Pleshchuk allegedly developed the method for reverse-engineering the encrypted PINs.

Once the hackers raised the account limits, they provided an army of cashers with 44 cards embedded with the account details for a coordinated, simultaneous attack on ATMs around the world. On November 8, the cashers were instructed to begin siphoning money, and they hit more than 2,000 ATMs in less than 12 hours, netting about $9.5 million. Three Estonian defendants charged for their role in cashing – Ronald Tso, Evelin Tsoi and Mihhail Jevgenov – allegedly were responsible for withdrawing about $289,000 from ATMs in Tallinn, Estonia.

The cashers kept 30 to 50 percent of the loot before transmitting the remainder back to the hackers in Eastern Europe through Western Union and Web Money, a Russia-based digital currency service. The hackers, still in RBS's network, were able to observe the withdrawals of funds from ATMs as they occurred in real time in order to monitor the amounts being taken by cashers and lock the accounts to prevent further withdrawals.

Once the mission was completed, the hackers tried to erase their tracks on the RBS network.

Tsurikov was arrested earlier this year in Estonia and is being held there pending extradition to the United States. The Justice Department will not comment at this time on the status of Pleshchuk and Covelin, a spokesman told Threat Level.

Tsurikov, Pleshchuk, Covelin and "Hacker 3" face a maximum sentence of up to 20 years in prison for conspiracy to commit wire fraud and other wire-fraud counts, and up to five years in prison for conspiracy to commit computer fraud, as well as up to five or 10 years for each count of computer fraud. They also face a two-year mandatory minimum sentence for aggravated identity theft and fines of up to $3.5 million.

Covelin was also indicted in September in New York as part of a gang that authorities dubbed the Western Express Cybercrime Group. That group, operating between 2001 and 2007, trafficked in at least 95,000 known stolen credit card numbers.

The group worked with a New York-based company called Western Express International, which authorities allege was used to coordinate and facilitate the illegal activities and launder the ring's ill-gotten gains.