BROOKLYN, NY – Earlier today, Evan Jose Peña pleaded guilty to participating in two worldwide cyberattacks that inflicted $45 million in losses on the global financial system in a matter of hours. Peña’s plea followed two other guilty pleas in this case entered by defendants Emir Yasser Yeje and Elvis Rafael Rodriguez in October 2013. These three defendants were members of the New York-based cell of an international cybercrime organization that used sophisticated intrusion techniques to hack into the systems of global financial institutions, steal prepaid debit card data, and eliminate withdrawal limits. The stolen card data was then instantly disseminated worldwide and used in making fraudulent ATM withdrawals on a massive scale across the globe. The New York cell in which Pena, Yeje, and Rodriguez participated withdrew almost $2.8 million in a matter of hours.

The pleas were announced by Loretta E. Lynch, United States Attorney for the Eastern District of New York, and Steven Hughes, Special Agent in Charge, United States Secret Service, New York Field Office.

“These three defendants participated in a criminal flash mob, using data stolen through the most sophisticated hacking techniques to withdraw millions of dollars in mere hours in an unprecedented cyber heist,” stated United States Attorney Lynch. “Their pleas demonstrate that the United States government will not relent in its efforts to investigate and prosecute the perpetrators of these financially devastating cyberattacks.” Ms. Lynch expressed her grateful appreciation to the United States Secret Service, New York Field Office for their work on the investigation.

The “Unlimited Operation ”

As alleged in the indictment and other court filings, the cyberattacks employed by the defendants and their co-conspirators in this case are known in the cyber underworld as “Unlimited Operations” — through its hacking “operation,” the cybercrime organization can access virtually “unlimited” criminal proceeds.

The “Unlimited Operation” begins when the cybercrime organization hacks into the computer systems of a payment card processor, compromises prepaid debit card accounts, and essentially eliminates the withdrawal limits and account balances of those accounts and also manipulates the security protocols that would alert the victim to the attack. The compromised card data is then distributed to cells worldwide who use the data to encode magnetic stripe cards to use at ATMs. These sophisticated techniques enable the participants to withdraw literally unlimited amounts of cash until the operation is finally detected and shut down. “Unlimited Operations” are marked by three key characteristics: (1) the surgical precision of the hackers carrying out the cyberattack, (2) the global nature of the cybercrime organization, and (3) the speed and coordination with which the organization executes its operations on the ground. These attacks rely upon both highly sophisticated hackers and organized criminal cells whose role is to withdraw the cash as quickly as possible.

The Defendants’ Roles in the Charged Cyberattacks

Evan Peña, Elvis Rafael Rodriguez, and Emir Yasser Yeje participated in two recent “Unlimited Operations” of staggering size. The first operation, on December 22, 2012, targeted a payment card processor that processed transactions for prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, also known as RAKBANK, in the United Arab Emirates. After the hackers penetrated the credit card processor’s computer network, compromised the RAKBANK prepaid card accounts, and manipulated the balances and withdrawal limits, casher cells across the globe operated a coordinated ATM withdrawal campaign. In total, more than 4,500 ATM transactions were conducted in approximately 20 countries around the world using the compromised RAKBANK account data, resulting in approximately $5 million in losses to the credit card processor and RAKBANK.

The second, and even more damaging, of these Unlimited Operations occurred on the afternoon of February 19 and lasted into the early morning of February 20, 2013. This operation again breached the network of a payment card processor that serviced MasterCard prepaid debit cards, this time issued by Bank Muscat, located in Oman. Again, after the cybercrime organization’s hackers compromised Bank of Muscat prepaid debit card accounts and distributed the data, the organization’s casher cells engaged in a worldwide ATM withdrawal campaign. Over the course of approximately 10 hours, cyber cells in 24 countries executed approximately 36,000 transactions worldwide and withdrew about $40 million from ATMs.

Peña, Rodriguez, and Yeje operated the New York cell of “cashers,” who encoded magnetic stripe cards, such as gift cards, with the compromised card data. After receiving the compromised account information and personal identification numbers (PINs) for the hacked accounts, the defendants’ cells sprang into action, immediately fanning out across the New York area making thousands of withdrawals from ATMs. During the RAKBANK Unlimited Operation, over the course of just two hours and 25 minutes, the defendants and their co-conspirators conducted approximately 750 fraudulent transactions, totaling nearly $400,000, at over 140 different ATM locations in New York City. The Bank Muscat Unlimited Operation was even more devastating. From 3 p.m. on February 19 through 1:26 a.m. on February 20, the defendants and their co-conspirators withdrew approximately $2.4 million in nearly 3,000 ATM withdrawals in the New York City area.

The defendants then passed portions of the proceeds back to the hackers organizing the attack and kept the rest for themselves. Notably, defendants Rodriguez and Yeje laundered hundreds of thousands of dollars in illicit cash proceeds. In one transaction alone, nearly $150,000 in the form of 7,491 $20 bills, was deposited at a bank branch in Miami, Florida, into an account controlled by defendant Alberto Yusi Lajud-Peña, who is now deceased. New York cell members also invested the criminal proceeds in portable luxury goods, such as expensive watches and cars. To date, the United States has seized hundreds of thousands of dollars in cash, bank accounts, and luxury merchandise, including two Rolex watches and a Mercedes SUV, and is in the process of forfeiting a Porsche Panamera. The Mercedes and Porsche were purchased with $250,000 in proceeds of this scheme.

In announcing the pleas, United States Attorney Lynch praised the extraordinary efforts of the Secret Service in responding to these attacks and investigating both the complex network intrusions that occurred overseas and the criminal activity occurring locally, and also expressed gratitude to U.S. Immigration and Customs Enforcement (ICE), Homeland Security Investigations (HSI) in New York for their assistance in this investigation. Ms. Lynch also thanked MasterCard, RAKBANK, and Bank Muscat for their cooperation with this investigation.

Today’s plea took place before United States District Judge Kiyo A. Matsumoto. When sentenced, the defendants face up to 7.5 years in prison, as well as forfeiture and a fine of up to $250,000.

The government’s case is being prosecuted by Assistant United States Attorneys Cristina Posa, Hilary Jager, David Sarratt, and Brian Morris.

The Defendants

EVAN JOSE PEÑA

Age: 35

ELVIS RAFAEL RODRIGUEZ

Age: 24

EMIR YASSER YEJE

Age: 24