You guessed it... the promise of more money in the future. You could walk away with just one fistful of cash, or you could return it to me, and I'd give you another re-upped card. You win, I win.
Think about the math, as well. They took $9m from ATMs.. how many people could they possibly have been using? Even with 1,000 "cashers" (highly unlikely), thats $9,000 each... far more than just 1 run to the ATM.
What they most likely did, or at least what I would do, is get a map of ATMs, find the points which yield the least weighted distance to the most ATMs (an NP problem, but very much worth it in this case), and set-up a "re-up" station there. Instruct your cashers to return their used card to these stations, along with the bundle of cash (or maybe x% of it), and you'll give them another card. Good worker ants.
However, something seems off here. $9m from 130 ATMs, that's $70,000 per ATM. With a max of at most $1,000 per transaction, thats 70 hits per ATM. In 30 minutes. So you mean to tell me each of 130 ATMs was hit for $1000 every 30 seconds?
Something is off about that. I think they're underreporting the number of ATMs or inflating the amount stolen.
No, it couldn't have been the promise of more money. This scheme was a first, it'd be impossible to know the outcome of the next card. There were 49+ cities involved, you'd need a call center to coordinate that. This organization, which would cross multiple countries, timezones, and languages, would be much more elaborate than the mafia. It's very unlikely.
Also, cashing out ATMs is very hard work. You need to use a skimmer to capture someone else's card then copy it to your blank plastic. It won't work if there's an electronic chip in it, like many countries (mostly in Europe) already have. Then you have to work within the usual transaction/account limits. You'd be lucky to get $2,000 off of one card. Basically, the next card seems like nothing when you have a fist worth $70,000.
I think the key to all of this is in the payroll card. It might not be bound to the traditional credit/debit card limits. Perhaps it's throttled at a central point and the guy who already has access to the RBS WorldPay systems was able to lift it.
The scheme was simple. The group hacked the pay system, and were able to deposit fake money into real accounts. Additionally, they had stolen whatever information was needed to access these accounts via an ATM card.
There's no need to use a skimmer to capture someone's card, or anything like that. If you have the account information (likely encrypted), you can simply print it onto the magstrip of an ATM card. It's very simple. They had access to accounts, and they had control to put imaginary funds into those accounts, which could be withdrawn.
The real problem they faced was that once they executed this, it'd be noticed by the bank and/or payroll company once they realized things weren't square, that is, once they realized money was coming from thin air.
I think you're greatly exaggerating the scale of this. If I said I could give you an unlimited ATM card, and all you had to do was get on a plane to another city, would you do it? It didn't have to be multiple languages.
The point is, the hackers knew they struck gold, and they organized a mass ATM hit. If you know the hackers, and hell, they could even show you once or twice, then you'd be willing to scrap together a team to help out.
I think trading cash for another ATM isn't that bad of deal. You'd essentially get paid per card used with no end in sight. You get a card, you extract all money, you return money (keep some for yourself) and get a new card. At the end of 30 minutes, you have more money for yourself than what any 1 card would have given you.
At any rate, when you invent money out of thin air, there are plenty of ways to make it so everybody wins.
I referred to skimmers to point out that the types of cards that came before and after this scheme pale in comparison. There wasn't any skimming involved here.
I outlined how I think it happened in a couple of other posts.[1][2] It wasn't organized drug-gang style where you have people go out and come back to you with money because there's no such structure in online fraud. 99% of the time, online, accounts are sold and whatever happens after is at the buyer's discretion. In my experience, there's never a high-level of collaboration. You can't form teams just by asking people if they want to steal money with you.
Think about the math, as well. They took $9m from ATMs.. how many people could they possibly have been using? Even with 1,000 "cashers" (highly unlikely), thats $9,000 each... far more than just 1 run to the ATM.
What they most likely did, or at least what I would do, is get a map of ATMs, find the points which yield the least weighted distance to the most ATMs (an NP problem, but very much worth it in this case), and set-up a "re-up" station there. Instruct your cashers to return their used card to these stations, along with the bundle of cash (or maybe x% of it), and you'll give them another card. Good worker ants.
However, something seems off here. $9m from 130 ATMs, that's $70,000 per ATM. With a max of at most $1,000 per transaction, thats 70 hits per ATM. In 30 minutes. So you mean to tell me each of 130 ATMs was hit for $1000 every 30 seconds?
Something is off about that. I think they're underreporting the number of ATMs or inflating the amount stolen.