A computer intrusion into a Citibank server that processes ATM withdrawals led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines in February, pocketing at least $750,000 in cash, according to federal prosecutors.

The ATM crime spree is apparently the first to be publicly linked to the breach of a major U.S. bank's systems, experts say.

"We've never heard of PINs coming out of the bank environment," says Dan Clements, CEO of the fraud watchdog company CardCops, who monitors crime forums for stolen information.

Yuriy Ryabinin in a 2003 photo taken at a ham radio convention. Credit card and ATM PIN numbers show up often enough in underground trading, but they're invariably linked to social engineering tricks like phishing attacks, "shoulder surfing" and fake PIN pads affixed to gas station pay-at-the-pump terminals.

But if federal prosecutors are correct, the Citibank intrusion is an indication that even savvy consumers who guard their ATM cards and PIN codes can fall prey to the growing global cyber-crime trade.

"That's really the gold, the debit cards and the PINs," says Clements.

Citibank denied to Wired.com's Threat Level that its systems were hacked. But the bank's representatives warned the FBI on February 1 that "a Citibank server that processes ATM withdrawals at 7-Eleven convenience stores had been breached," according to a sworn affidavit (.pdf) by FBI cyber-crime agent Albert Murray.

Federal prosecutors in New York have charged 32-year-old Ukrainian immigrant Yuriy Ryabinin, aka Yuriy Rakushchynets, with access device fraud for allegedly using the stolen information to go on a cash-withdrawal spree. Ryabinin, who is allegedly an active member of underground credit card fraud forums, is not charged with the intrusion itself. He and a co-defendant "received over the internet information related to Citibank customers, which information had previously been stolen from Citibank," according to an indictment (.pdf) in the case.

Also charged is 30-year-old Ivan Biltse, who allegedly made some of the withdrawals, and Angelina Kitaeva. Ryabinin's wife is charged with obstruction of justice in the investigation.

In addition to looting Citibank accounts, Ryabinin is accused of participating in a global cyber crime feeding frenzy that tore into four specific iWire prepaid MasterCard accounts last fall. From September 30 to October 1 – just two days – the iWire accounts were hit with more than 9,000 actual and attempted withdrawals from ATM machines "around the world," according to Murray's affidavit, resulting in a staggering $5 million in losses.

Ryabinin was allegedly responsible for more than $100,000 of the stolen iWire cash, which he pulled from Brooklyn ATMs. St. Louis-based First Bank, which issued the cards, declined to comment on the matter, citing the ongoing prosecution.

At the time of the ATM capers, FBI and U.S. Secret Service agents had already been investigating Ryabinin for his alleged activities on eastern European carder forums.

Ryabinin allegedly used the same ICQ chat account to conduct criminal business, and to participate in amateur radio websites. The feds compared photos of Ryabinin from some of the ham sites to video captured by ATM cameras in the New York Citibank and iWire withdrawals, and determined it was the same man – right down to the tan jacket with dark-blue trim.

When they raided Ryabinin's home, agents found his computer logged into a carding forum. They also found a magstripe writer, and $800,000 in cash, including $690,000 in garbage bags, shopping bags and boxes stashed in the bedroom closet. Another $99,000 in cash turned up in one of the safe deposit boxes rented by Ryabinin and his wife, Olena. Biltse was also found with $800,000 in cash.

Ryabinin's wife told investigators that she witnessed her husband "leave the couple's house with bundles of credit cards in rubber bands and return with large sums of cash," a Secret Service affidavit (.pdf) reads.

Notwithstanding the court documents, Citibank said in an e-mailed statement that it was not the source of the breach. "There is no evidence that Citi servers were compromised in connection with this fraud," the company wrote.

Asked about Citibank's denial, a spokeswoman for the United States Attorneys Office for the Southern District of New York, which filed one of the criminal complaints in the case, said the office would not comment beyond what was in court documents.

Citibank added that it does not hold customers responsible for fraudulent withdrawals, but would not disclose how many customers were affected. Spokesman Robert Julavits did say in an e-mail that "Citibank has complied with all applicable notification requirements." Under New York's Information Security Breach And Notification Act, companies must generally warn consumers of data breaches in the "most expedient time possible."

The timing of the caper – which prosecutors say began in October – overlaps Citibank's previously-unexplained lowering of ATM withdrawal limits in New York last December.

Citibank was taciturn at the time, when New Yorkers began noticing that their ATM withdrawal limits had been slashed in half. The bank told the New York Daily News that the move was a response to "isolated fraudulent activity" in New York.

In an earlier incident in 2006, Citibank put transaction holds on some Citi-branded MasterCard debit cards. In that case, the action was later linked to a breach at office-supply retailer OfficeMax. That intrusion remains unsolved.

In the new case, the FBI affidavit says that Citibank knew by February 1 which accounts were leaked, but it left those accounts open while the fraud unfolded.

"Citibank identified all of the account numbers involved in ATM withdrawals during the period that the server was compromised … and established a fraud alert system that notifies Citibank each time one of the compromised Citibank account numbers is used," the affidavit reads.

That language suggests that the attackers may not have had access to stored account numbers and PINs, but instead were tapping into transactions in real time to vacuum up PIN codes as they flew past.

Update: If you've received a notice from Citibank about your ATM card being compromised – either now, or in recent years – or have observed fraudulent cash withdrawals, I'd like to hear from you.

See Also: