Largest Coordinated ATM Rip-off Ever Nets $9+ Million in 30 Minutes (networkworld.com)
40 points by tortilla on Feb 12, 2009 | 38 comments



I was a bit skeptical about how anyone could easily carry away that amount of cash from an ATM, but it's not so unbelievable:

    $9,000,000 / 130 ATMs = $69,230.8 or roughly 692 $100 bills.

    The US government requirement for currency paper is: "the thickness of the paper shall be 124 micrometers [...]."[1]

    124 micrometers * 692 bills = 0.085808 meters or 3.38 inches thick. Not bad at all.
[1] https://www.fbo.gov/utils/view?id=ccca3ea58d649385700a9f20c9...


My question is, even with a max of $1000 per transaction, each ATM had to be hit more than twice per minute, for 30 minutes straight.

They must have chosen extremely busy ATMs, or whoever got the scoop on this story got something wrong.


We don't know what the limit was or even if there was one. I'm sure that's why payroll cards were picked for this particular scheme. I think people are too caught in thinking about how their cards work. The same rules that apply to credit/debit may not apply here.


I was also thinking that transaction limits could be per card per ATM, rather than per account per ATM. They could print out as many cards as they wanted to.


ATMs in the USA almost never give out $100 bills (it's never personally happened to me in my life). The highest I've seen is $20.


What's the largest amount you've withdrawn? It seems like if you withdrew your daily limit (~$500+?), you'd get something larger than a $20.


Well, I've done a LOT more than that, and it's still generally $20s, except for certain ATMs in certain casinos. Even in casinos that have ATMs that hold $100s, only a few certain ones generally do. The Wynn is the only casino I know of where all of them have $100s.

And most non-casino ATMs have a per transaction limit of $600-$800, independent of your card's limit. You can do multiple transactions, but you'll get $20s every time. This too varies a bit in Vegas and AC, where you can find much higher limits, but again only in the right ATMs in the right casinos.

Vegas casinos have a rule that they will only trade you up to $500 in $100s for lower denominations per casino per day. It's to prevent laundering. The Feds absolutely hate $100 bills because of that. If the FBI were able to get rid of them, they would in a heartbeat.

Since I made most of my money playing online poker and withdrew it that way, I would often spend hours each day walking up and down the strip cashing $20s in for $100s.

I've never understood why $50s weren't used more. It seems like the optimal bill. Spitting out $500 in them isn't objectionable, and I imagine a lot of people withdraw $50 (or would if you made it a quick cash option).


A great many "pro" gamblers believe $50s to be bad luck. Try going to a craps or blackjack table with some of the seasoned vets, and lay down a couple $50s. Several of the other players will leave.


If they believe that then they aren't really pros, are they?


Hence the quotes in my post.


Casino ATMs give out 100s.


Actually most don't. Two years ago I could tell you in Las Vegas or Atlantic City exactly which ones do. I'm not kidding either.


ATMs have $100 bills? Only certain ones?


ATMs in Vegas give $100 bills.


Yes, and I've seen some ATMs in Waikiki dispense $50 bills.


The big question I have is this: how did they ensure that cashers returned the money to the core group?

If you walked out with a fistful of cash, what would motivate you to give most (some?) of it back? The promise of more money in the future?


The article does not state that there was any sort of profit sharing involved.

People involved in online fraud rarely collaborate with each other. You never know who's on the other end and your anonymity is your biggest strength. It's more of a marketplace where you buy cards, skimmers, or accounts from vendors and then go out and use them on your own.

Some guy probably sold these cards (or just the data to encode them) at a hefty price with the disclaimer that they had to be used on a certain date and time at any ATM.


I don't think he sold them with a time limit. For a simple reason: the cards had to be refreshed after they had hit their withdrawal limit. This, coupled with the fact that they all happened at the same time, strongly points to realtime complicity on both sides of the transaction, anonymous or not. What compels this guy to refresh these cards? I mean from a game theory point of view it doesn't benefit him at all...assuming both parties are indeed anon.


Maybe he sold the cards as being unlimited money for 30 minutes. It's probably not even difficult to refresh the cards. He was already in their system, he had the account numbers, it could have been scripted. This was a one-shot deal -- the accounts and his hole into WorldPay were probably cut off the next day. There's little reason for him not to hype these cards, sell them for a good price and keep them working.

The benefit to him is his increased reputation. You can't survive in these circles unless people vouch for you. That's why, when you read articles about darkmarket, they talk about reviewers who inspect products from vendors. This guy just sold products that netted $9,000,000. Everyone is going to want to buy from him now.

Don't think that there's nothing in it for the vendor. ATM skimmers sell for $7,000. If he pulls this off again, people may just buy the cards from him for $10,000 each for a 700% return. That's not too shabby for sitting on your ass and not taking the risk of being on the streets.

I just don't believe that this was structured like a traditional gang. This level of organization in online fraud is completely unprecedented. There were more than 6 cities hit in numerous countries, I don't see them recruiting that many random people to participate and having profit sharing since gangs are tight-knit.


Edit: they hit at least 49 different cities according to the article.


There is an audio interview with one of these "cashiers" who explains it all (you have to fast forward a bit): http://smallworldpodcast.com/mp3/smallworld051906.mp3

It's fascinating. Basically, the cashiers are working on the honor system. They get to keep a percentage (this guy gets 40%), and they send the rest to the "boss" through e-gold. The percentage you get increases as you earn their trust. I guess that this keeps most people honest, as they want to get a higher percentage the next time.


That interview is from May 2006.[1] We don't know if it's one of the cashiers and we don't know how this specific scheme played out.

Yes, you can often hire a cashier. Typically, this guy has some plastic and an encoder, but he doesn't have a steady supply of data to encode the cards. He's working with you because you have data for cards with a high limit and you can verify that they're valid. Most of the time, he's not even on the street. He'll encode them in the car and have someone else run up to the ATMs.

[1] http://web.archive.org/web/20061115154615/http://smallworldp...


Yes, I wasn't trying to claim that it was one of the cashiers in this particular scheme; I said "one of these" rather than "one of the." However, given the content of the interview and how similarly the aspects of this particular scam match up with the cashier's description, it seems likely that this scam was pulled off in a similar manner.


It's a "casher"


No, "cashier" is the proper term used by fraudsters. It refers to people who receive and disburse cash, like someone in a retail store. "casher" is a word made up by an English major.

Also, correcting people for minor mistakes on forums is very annoying.


Normally I lay off with correcting minor mistakes, but in this case they are similar words, both having to do with money.

The article calls them "cashers."


You guessed it... the promise of more money in the future. You could walk away with just one fistful of cash, or you could return it to me, and I'd give you another re-upped card. You win, I win.

Think about the math, as well. They took $9m from ATMs.. how many people could they possibly have been using? Even with 1,000 "cashers" (highly unlikely), that's $9,000 each... far more than just 1 run to the ATM.

What they most likely did, or at least what I would do, is get a map of ATMs, find the points which yield the least weighted distance to the most ATMs (an NP problem, but very much worth it in this case), and set up a "re-up" station there. Instruct your cashers to return their used card to these stations, along with the bundle of cash (or maybe x% of it), and you'll give them another card. Good worker ants.

However, something seems off here. $9m from 130 ATMs, that's $70,000 per ATM. With a max of at most $1,000 per transaction, that's 70 hits per ATM. In 30 minutes. So you mean to tell me each of 130 ATMs was hit for $1000 every 30 seconds?

Something is off about that. I think they're underreporting the number of ATMs or inflating the amount stolen.


No, it couldn't have been the promise of more money. This scheme was a first, it'd be impossible to know the outcome of the next card. There were 49+ cities involved, you'd need a call center to coordinate that. This organization, which would cross multiple countries, timezones, and languages, would be much more elaborate than the mafia. It's very unlikely.

Also, cashing out ATMs is very hard work. You need to use a skimmer to capture someone else's card then copy it to your blank plastic. It won't work if there's an electronic chip in it, like many countries (mostly in Europe) already have. Then you have to work within the usual transaction/account limits. You'd be lucky to get $2,000 off of one card. Basically, the next card seems like nothing when you have a fist worth $70,000.

I think the key to all of this is in the payroll card. It might not be bound to the traditional credit/debit card limits. Perhaps it's throttled at a central point and the guy who already has access to the RBS WorldPay systems was able to lift it.


The scheme was simple. The group hacked the pay system, and were able to deposit fake money into real accounts. Additionally, they had stolen whatever information was needed to access these accounts via an ATM card.

There's no need to use a skimmer to capture someone's card, or anything like that. If you have the account information (likely encrypted), you can simply print it onto the magstrip of an ATM card. It's very simple. They had access to accounts, and they had control to put imaginary funds into those accounts, which could be withdrawn.

The real problem they faced was that once they executed this, it'd be noticed by the bank and/or payroll company once they realized things weren't square, that is, once they realized money was coming from thin air.

I think you're greatly exaggerating the scale of this. If I said I could give you an unlimited ATM card, and all you had to do was get on a plane to another city, would you do it? It didn't have to be multiple languages.

The point is, the hackers knew they struck gold, and they organized a mass ATM hit. If you know the hackers, and hell, they could even show you once or twice, then you'd be willing to scrape together a team to help out.

I think trading cash for another ATM isn't that bad of a deal. You'd essentially get paid per card used with no end in sight. You get a card, you extract all money, you return money (keep some for yourself) and get a new card. At the end of 30 minutes, you have more money for yourself than what any 1 card would have given you.

At any rate, when you invent money out of thin air, there are plenty of ways to make it so everybody wins.


I referred to skimmers to point out that the types of cards that came before and after this scheme pale in comparison. There wasn't any skimming involved here.

I outlined how I think it happened in a couple of other posts.[1][2] It wasn't organized drug-gang style where you have people go out and come back to you with money because there's no such structure in online fraud. 99% of the time, online, accounts are sold and whatever happens after is at the buyer's discretion. In my experience, there's never a high-level of collaboration. You can't form teams just by asking people if they want to steal money with you.

[1] http://news.ycombinator.com/item?id=479205

[2] http://news.ycombinator.com/item?id=479326


The promise of not getting shot in retaliation in the future?


The masterminds knew exactly how much each casher would be withdrawing. They might've also been friends with the cashers. Also, if you were a casher, wouldn't you want the opportunity to participate in the next big scheme? But you wouldn't get that chance if you betrayed them.


He (or his close cohorts) probably did the same thing. You would just be an additional distraction, to make it harder to narrow down the main culprit.


Wow.. that sounds seriously impressive.

Single-page print version: http://www.networkworld.com/community/print/38366


Given their tight time-window they probably couldn't hang around until the ATM was free. I wonder how many people got to stand in line behind someone who was repeatedly withdrawing large amounts of cash?

(I suppose it was probably done at night when things were quiet; makes you think what you would have done though!)


It seems lax transactional guarantees bit banks in the rear. I am not sure how difficult it would be to avoid parallel use of cards at different ATMs (especially given the inter-bank nature of ATMs), but it was not done, and this weakness was taken advantage of.


The latency to query a central database should be under 100 ms from anywhere in the country. There's no reason it couldn't be done properly today. But ATM systems were architected in the late 70s and they depend on a network of regional data centers that reconcile nightly.


I agree. Simply disabling an account that was used at more than one ATM within a certain timeframe, based on geographic area, would have limited the damage. Similar to how cell phone cloning is detectable.
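
The check proposed in the comment above (disable an account seen at more than one ATM within a timeframe, based on geographic area), sketched as an added example that is not part of the thread or of any bank's code. The 30-minute window, the 50 km radius, the event tuple layout and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

WINDOW = timedelta(minutes=30)  # assumed look-back window
MAX_KM = 50.0                   # assumed area one cardholder can cover inside WINDOW

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def accounts_to_disable(events, window=WINDOW, max_km=MAX_KM):
    """Return {account: (earlier_atm, later_atm, km)} for the first violation per account.

    events: iterable of (timestamp, account, atm_id, (lat, lon)) withdrawals.
    """
    recent = defaultdict(list)  # account -> [(ts, atm, pos)] still inside the window
    flagged = {}
    for ts, account, atm, pos in sorted(events):
        if account in flagged:
            continue  # already disabled; an authorization switch would decline here
        recent[account] = [e for e in recent[account] if ts - e[0] <= window]
        for _, prev_atm, prev_pos in recent[account]:
            d = km_between(prev_pos, pos)
            if prev_atm != atm and d > max_km:
                flagged[account] = (prev_atm, atm, round(d))
                break
        recent[account].append((ts, atm, pos))
    return flagged

# Constructed sample withdrawals (not data from the incident).
T0 = datetime(2020, 1, 1, 0, 0)
SAMPLE = [
    (T0, "acct-A", "ATM-NYC-1", (40.71, -74.01)),
    (T0 + timedelta(minutes=4), "acct-A", "ATM-NYC-2", (40.73, -73.99)),  # nearby: allowed
    (T0 + timedelta(minutes=9), "acct-A", "ATM-CHI-1", (41.88, -87.63)),  # other city: flag
    (T0 + timedelta(minutes=5), "acct-B", "ATM-NYC-1", (40.71, -74.01)),
    (T0 + timedelta(hours=6), "acct-B", "ATM-CHI-1", (41.88, -87.63)),    # outside window
]

if __name__ == "__main__":
    for acct, (a, b, km) in accounts_to_disable(SAMPLE).items():
        print(f"disable {acct}: {a} -> {b}, {km} km apart within {WINDOW}")
```

The rule keys on the account rather than the physical card, so it still fires when several cloned cards for one account are used in parallel.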



