The U.S. FBI announced that they have taken down a highly sophisticated hacker ring which stole more than $9 Million last year by hacking into the payroll debit card system operated by the Royal Bank of Scotland Group PLC (NYSE:RBS). The United States Attorney’s Office in Atlanta today announced indictments against seven members of the hacker ring.
The indictment is the culmination of a joint effort between authorities in the United States, Estonia, Russia and other countries. The hackers were based out of Eastern Europe, but the thefts occurred in more than 280 cities around the world, in a day-long payroll debit card withdrawal spree.
The hackers stole more than $9 Million by hacking into the payroll card computer systems at RBS, and changing the card limits of at least 48 payroll debit cards. Then, the ring recruited a number of “cashers” to use the debit cards to withdraw cash at ATMs around the world. The stats are amazing: 48 payroll cards were used at over 2,100 ATMs in at least 280 cities around the world.
That’s an average of over $4,000 per ATM, or over $20,000 per payroll card.
Obviously, the hackers were able to change the authorization limits, balance and velocity flags that typically control how often, and how much funds can be withdrawn per card per day.
It is unclear whether the funds were debited from pooled accounts at RBS or whether the attacks focused on a specific payroll card program of a specific employer, or whether the payroll cards were cards issued by RBS to it’s employees.
Either way, the theft was stunning in its audacity, coordination and planning.
FBI Atlanta Special Agent in Charge Greg Jones said, “Through the diligent efforts of the victim company and multiple law enforcement agencies within the United States and around the world, the leaders of a technically advanced computer hacking group were identified and indicted in Atlanta, sending a clear message to cyber-criminals across the globe. Justice will not stop at international borders but continue with the on-going cooperation between the FBI and other agencies such as the Estonian Central Criminal Police and the Netherlands Police Agency.”