Citibank officials monitoring their network for fraud on Thursday, May 8, noticed suspicious ATM transactions at 8:30 p.m., coming through the five cash machines in the vestibule of a Citibank branch at 65th Street and Madison Avenue in New York City's Upper East Side.

As luck would have it, a bank employee – probably a corporate security official – was already staking out the branch from across the street.

Three months had passed since Citibank notified the FBI that a hacker managed to steal customer-account numbers and PIN codes, in an attack on a server that processes transactions from Citi-branded ATMs at 7-Eleven convenience stores. In late February and early March, the FBI and the U.S. Secret Service arrested two Ukrainian immigrants and two alleged co-conspirators for allegedly using the stolen PINs to steal $2 million in cash from unsuspecting Citibank customers.

But the arrests didn't stop the fraud, which sprang from perhaps the most serious computer intrusion into a bank system to date. The FBI has recently made at least six more arrests in New York – bringing the total to 10 – thanks to information from arrested scam suspects, a lucky traffic stop, and an undercover operation that at one point had Eastern European hackers chasing an FBI agent through the streets of New York, trying to mug the agent for ATM-card-programming gear.

Six months after the 2007 breach, Wired.com is receiving scattered reports of Citibank customers still suffering mysterious withdrawals from their bank accounts.

The FBI believes the brains behind the operation is a Russian man, who's receiving the lion's share of the profits through international wire transfers and online-payment systems. While Citibank and federal officials are being closed-mouthed about the PIN theft and the ensuing fraud, the Citibank heist provides a rare look at how a single high-value breach reverberates through the international "carding" community of bank-card fraudsters. What's more, neither Citibank nor the third-party transaction processor involved in the breach has warned consumers to watch for fraudulent withdrawals, raising questions about the disclosure policies in the financial industry. Citibank spokesman Robert Julavits says the bank "has complied with all applicable notification requirements."

At the time of the May 8 transactions, Citibank – the largest bank in the U.S. by holdings – had been dealing with a spike in ATM thefts centered on the Upper East Side: Some $180,000 in stolen cash had walked out of ATMs in the upscale neighborhood in the previous three days.

Several of the withdrawals had come through the 65th Street branch, prompting Citibank to put the location under surveillance. When the Citibank official staking out the spot got a call alerting him to a theft in progress, he crossed the street to peer through the vestibule glass, and watched as a man in a baseball cap, jeans and a sports coat put a thick envelope into a briefcase and moved from one ATM to the next.

The official flagged down two nearby NYPD officers who'd already been briefed on the fraud, and the cops arrested 28-year-old Aleksandar Aleksiev. With his consent, they searched his bag and found six ATM-deposit envelopes stuffed with cash, and 12 blank cards with stickers on them and a different PIN code written on each.

The successful stakeout wasn't law enforcement's only lucky break.

In late February and early March, officials arrested two Brooklyn men and charged them with stealing some $2 million from ATMs from late 2007 until their arrest. When federal agents raided the home of one of the men, 32-year-old Yuriy Ryabinin, they found $800,000 in cash – of which $690,000 was in garbage bags, shopping bags and boxes stashed in the bedroom closet. His co-defendant, 30-year-old Ivan Biltse, had another $800,000 in cash.

*Citibank ATM fraud suspect Yuriy Ryabinin in a 2003 photo taken at a ham-radio convention.*

It appears the two may now be helping the FBI. According to court documents in a related case, two fraudsters began cooperating in March, following their arrest for $2 million in ATM fraud. The informants are not identified by name, but the details and the timing suggest it's Ryabinin and Biltse. (Ryabinin's lawyer declined to comment; Biltse's didn't return a phone call.)

The informants filled the FBI in on the operation. Beginning in December 2007, they worked with a mysterious ringleader in Russia, who provided them with ATM account numbers and PINs. The deal was straightforward: They'd use the information to encode fraudulent ATM cards and withdraw cash, sending 70 percent of the take to the Russian and keeping 25 percent for themselves. Another 5 percent went for expenses.

The duo initially used Western Union money transfers to get cash to their boss in Russia, according to an FBI affidavit. Later, they exploited a relationship with 30-year-old Ilya Boruch, an "exchanger" for the site WebMoney, a PayPal-like internet-payment system.

Exchangers are normally legitimate businesspeople who swap cash for WebMoney's internet currency. But according to the feds, Boruch had gone bad and become a money laundering service for the Citibank ATM heists, transferring hundreds of thousands of dollars to the ringleader in Russia, without reporting the transactions to the government, as required by U.S. law.

Through his business, Bidding Expert, Boruch allegedly funneled as much as $80,000 to $100,000 a week on behalf of the two fraudsters, who delivered the cash to Boruch in person, sometimes by tossing envelopes into an open window in his car.

One of the informants, identified as co-conspirator 1, or CC-1, in court documents, held this instant-messenger exchange with Boruch on Jan. 10, according to the FBI. (Punctuation is added.)

__CC-1:__ Need more wm [WebMoney] ...

__Boruch:__ How much?

__CC-1:__ 60 [$60,000]

__Boruch:__ Wow. Ok. Listen, is everything ok?

__CC-1:__ So far. Why?

__Boruch:__ Well, you need so much wm! It's just kinda strange

__CC-1:__ We're working

__Boruch:__ Ok. Drop it off all in 100s ...

__CC-1:__ When can the wm be ready?

__Boruch:__ Don't know

__CC-1:__ Approximately

__Boruch:__ If you pay an additional 0.5 percent then it'll be ready tomorrow

__CC-1:__ And if not?

__Boruch:__ Then I don't know. I can buy it from my people, but they're expensive

Boruch was charged late last month in New York with conspiracy to launder money.

Another break in the case had its roots in a Jan. 30 traffic stop, which unfolded two days before the FBI was told about the Citibank breach.

Two Westchester County police officers pulled a car over for speeding on the Saw Mill River Parkway in Dobbs Ferry, New York. The driver, 21-year-old Nue Quni, was driving on a suspended license, so the officers decided to have the vehicle impounded. While they waited for the tow truck, they conducted a routine "inventory search" of the car.

Inside, police found $3,000 in cash, a laptop computer, a mag-stripe writer – which is used to reprogram cards – and 102 blank, white plastic cards. They also recovered receipts showing cash withdrawals from ATMs in Manhattan and the Bronx, and more showing wire transfers.

Facing federal access-device-fraud charges, the passenger in the car, 22-year-old Luma Bitti, began cooperating with the FBI. She explained that she was hired over the internet in December to program cards with the stolen information, then withdraw money from ATMs and wire it to other people. With Bitti's consent, an FBI agent took over her IM and e-mail accounts, and began corresponding with the person who hired her.

The FBI arranged in April to meet the man in Manhattan, supposedly to provide him with a mag-stripe writer. An FBI agent, still posing as a fraudster, showed up at the meeting with a mag-stripe writer in hand.

But the man, who is not identified in court documents, double-crossed the undercover agent, and sent two proxies in his place: 21-year-old Andrey Baranets and one Aleksandr Desevoh, according to an FBI affidavit. When the agent refused to hand over the mag-stripe writer, Desevoh took a swing at the agent, who ducked the blow and ran away.

The two men gave chase through the streets of Manhattan, before they were grabbed by other FBI agents who'd been watching the scene. Desevoh "forcibly resisted arrest," according to court records. Both men are now charged with access-device fraud and assaulting an FBI agent.

While the FBI chases, and is chased by, Eastern European cyberthieves in New York, Citibank is issuing new ATM cards to customers it believes were impacted by the hack attack. Meanwhile, there's evidence that the fraud is not confined to the Big Apple. Rahul Kumar, a transportation consultant in San Diego, says someone took $3,000 from three of his Citibank accounts on June 15, while his ATM card was safely in his wallet. "I spent the entire day Tuesday making five or six phone calls," says Kumar. "I spent hours on the phone, calling an attorney, calling the police."

Citibank emphasizes that customers aren't responsible for fraudulent withdrawals. But the bank won't say how many consumers had their information stolen in the attack. Court documents suggest the breach is limited to those who made withdrawals during the period that the server was actively compromised. But the bank won't reveal what that period was.

Also unclear is who was responsible for the server that was attacked, and why PIN codes, which are supposed to be transmitted only in encrypted form, were vulnerable. An FBI affidavit in the case blames a Citibank-owned server responsible for processing transactions from 7-Eleven convenience stores. But Citibank blames an unnamed "third party" transaction processing firm.

While all 5,500 7-Eleven ATMs are branded with Citibank's logo – and are free to Citibank customers – those machines were purchased in July of last year by a Houston-based company called Cardtronics, the largest nonbank operator of cash machines in the United States.

According to Cardtronics' last annual report, it launched its own in-house transaction-processing operation in Frisco, Texas, in late 2006, and had switched over some 13,000 ATMs to the system by the end of last year. But on 3,500 of those 7-Eleven machines, ATM transactions are still processed by another company, called Fiserv.

A Fiserv spokeswoman says the company's servers were not the source of the breach.

"The original intrusion occurred on servers that were neither owned nor operated by Fiserv," writes Melanie Tolley, vice president of communications, in an e-mail. "As a result of the intrusion, legitimate parties' information was captured through the use of malicious software, and that information was subsequently used to commit the crimes for which persons have now been indicted."

Tolley adds that Fiserv was questioned about the breach, and is cooperating fully. "We cannot speak for other parties involved in this incident, but we believe this matter was investigated and resolved in a timely fashion," she writes.

If Fiserv is innocent, that seems to leave Cardtronics holding the bag. The remaining 2,000 of the 7-Eleven ATMs not served by Fiserv are advanced models called Vcom machines, manufactured by NCR. According to Cardtronics' filings with the Securities and Exchange Commission, transactions on those machines were still being processed by 7-Eleven's own in-house transaction processing system, until Cardtronics migrated them to its system last February. 7-Eleven did not immediately return a phone call Tuesday. Cardtronics has failed to return repeated phone calls about the breach.

—

*Top photo: At the Citibank branch at 65th Street and Madison Avenue in New York City, a bank official caught a man in the act of allegedly looting customer accounts last month.*

Bryan Derballa/Wired.com
