Flashback, early 2008: Citibank officials are witnessing a huge spike in fraudulent withdrawals from New York area ATMs — $180,000 is stolen from cash machines on the Upper East Side in just three days. After a stakeout, police arrest one man walking out of a bank with thousands of dollars in cash and 12 reprogrammed cards. A lucky traffic stop catches two more plunderers who’d driven in from Michigan. Another pair are arrested after trying to mug an undercover FBI agent on the street for a magstripe encoder. In the end, there are 10 arrests and at least $2 million stolen.
The wellspring of the dramatic megaheist turns out to be more prosaic than imagined: It started with a breach of the public website of America’s most famous convenience store chain: 7-Eleven.com.
In his most-recent plea agreement, filed in court Monday, confessed hacker Albert Gonzalez admitted conspiring in the 7-Eleven breach and fingered two Russian associates as the direct culprits. The Russians are identified as “Hacker 1” and “Hacker 2” in Gonzalez’s plea agreement, and as “Grigg” and “Annex” in an earlier document inadvertently made public by his attorney.
The Russians, evidently using an SQL injection vulnerability, “gained unauthorized access to 7-Eleven, Inc.’s servers through 7-Eleven’s public-facing internet site, and then leveraged that access into servers supporting ATM terminals located in 7-Eleven stores,” the plea agreement reads. “This access caused 7-Eleven, Inc., on or about November 9, 2007, to disable its public-facing internet site to disable the unauthorized access.”
At the time, there were 5,500 Citibank-branded ATMs at 7-Eleven stores around the country. According to SEC documents, 7-Eleven ran its own transaction-processing server to handle 2,000 of them: advanced models called Vcom machines, manufactured by NCR. The 7-Eleven Vcoms support special functions like bill payment, check cashing and money-order purchases. For two weeks in September 2007, anyone who typed a PIN in one of these was exposed.
Court records from the New York–area Citibank cases show how that single breach from Russia trickled over the internet and down to the streets of New York.
The first break in the case had its roots in a Jan. 30, 2008, traffic stop. Westchester County police pulled a car over for speeding on the Saw Mill River Parkway in Dobbs Ferry, New York. The driver, 21-year-old Nue Quni, was driving on a suspended license, so the officers decided to have the vehicle impounded. While they waited for the tow truck, they conducted a routine “inventory search” of the car.
Inside, police found $3,000 in cash, a laptop computer, a magstripe writer — which is used to reprogram cards — and 102 blank, white plastic cards. They also recovered receipts showing cash withdrawals from ATMs in Manhattan and the Bronx, and more showing wire transfers.
Facing federal access-device-fraud charges, the passenger in the car, 22-year-old Luma Bitti, began cooperating with the FBI. She explained that she was hired over the internet in December 2007 to program cards with the stolen information, then withdraw money from ATMs and wire it to other people. With Bitti’s consent, an FBI agent took over her IM and e-mail accounts, and began corresponding with the person who hired her.
The FBI arranged in April 2008 to meet the man in Manhattan, supposedly to provide him with a magstripe writer. An FBI agent, still posing as a fraudster, showed up at the meeting with a magstripe writer in hand.
But the man, who is identified in one court record by the initials “DK”, double-crossed the undercover agent, and sent two proxies in his place: 21-year-old Andrey Baranets and one Aleksandr Desevoh, according to an FBI affidavit. When the agent refused to hand over the magstripe writer, Desevoh took a swing at the agent, who ducked the blow and ran away.
The two men gave chase through the streets of Manhattan, before they were grabbed by other FBI agents who’d been watching the scene. In pleading guilty last February, Desevoh said DK had told him to “take this device using force.”
Federal prosecutors in New York had by then charged three more people in the ATM-cashing conspiracy, including 32-year-old Ukrainian immigrant Yuriy Ryabinin, aka Yuriy Rakushchynets, and 30-year-old Ivan Biltse.
In addition to looting Citibank accounts, Ryabinin had participated in a global cybercrime feeding frenzy that tore into four specific iWire prepaid MasterCard accounts, issued by St. Louis–based First Bank, in the fall of 2007. On Sept. 30 and Oct. 1 — just two days — the iWire accounts were hit with more than 9,000 actual and attempted withdrawals from ATMs around the world, resulting in $5 million in losses.
At the time of the ATM capers, FBI and U.S. Secret Service agents had been investigating Ryabinin for his activities on Eastern European carder forums. Ryabinin used the same ICQ chat account to conduct criminal business, and to participate in amateur-radio websites. The feds compared photos of Ryabinin from some of the ham sites to video captured by New York ATM cameras in the Citibank and iWire withdrawals, and determined it was the same man — right down to the tan jacket with dark-blue trim.
When they raided Ryabinin’s home, agents found his computer logged into a carding forum. They also found a magstripe writer and $800,000 in cash — including $690,000 in garbage bags, shopping bags and boxes stashed in the bedroom closet. Another $99,000 in cash turned up in one of the safe-deposit boxes rented by Ryabinin and his wife, Olena. Biltse was also found with $800,000 in cash.
Ryabinin’s wife told investigators that she witnessed her husband “leave the couple’s house with bundles of credit cards in rubber bands and return with large sums of cash,” a Secret Service affidavit reads.
Two of the ATM scammers arrested by the FBI filled in the bureau on the details of the operation, explaining how, beginning in December 2007, they began working with a ringleader in Russia, who provided them with ATM account numbers and PINs. The deal was straightforward: They’d use the information to encode fraudulent ATM cards and withdraw cash, sending 70 percent of the take to the Russian and keeping 25 percent for themselves. Another 5 percent went for expenses.
The duo initially used Western Union money transfers to get cash to their boss in Russia, according to an FBI affidavit. Later, they exploited a relationship with 30-year-old Ilya Boruch, an “exchanger” for the site WebMoney, a PayPal-like internet-payment system.
Exchangers are normally legitimate businesspeople who swap cash for WebMoney’s internet currency. But according to the feds, Boruch had gone bad and become a money-laundering service for the Citibank ATM heists, transferring hundreds of thousands of dollars to the ringleader in Russia, without reporting the transactions to the government, as required by U.S. law.
Through his business, Bidding Expert, Boruch allegedly funneled as much as $80,000 to $100,000 a week on behalf of the two fraudsters, who delivered the cash to Boruch in person, sometimes by tossing envelopes into an open window in his car.
One of the FBI informants, identified as co-conspirator 1, or CC-1, in court documents, held this instant-message exchange with Boruch on Jan. 10, 2008, according to the FBI. (Punctuation is added).
CC-1: Need more wm [WebMoney] …
Boruch: How much?
CC-1: 60 [$60,000]
Boruch: Wow. OK. Listen, is everything OK?
CC-1: So far. Why?
Boruch: Well, you need so much wm! It’s just kinda strange
CC-1: We’re working
Boruch: OK. Drop it off all in 100s …
CC-1: When can the wm be ready?
Boruch: Don’t know
Boruch: If you pay an additional 0.5 percent then it’ll be ready tomorrow
CC-1: And if not?
Boruch: Then I don’t know. I can buy it from my people, but they’re expensive
Boruch was charged last year with conspiracy to launder money.
The final known arrests in New York came on May 8 of last year. Citibank noticed that a large number of the fraudulent withdrawals were coming through its 65th Street branch, prompting them to put the location under surveillance. When the Citibank official staking out the spot got a call alerting him to a theft in progress, he crossed the street to peer through the vestibule glass, and watched as a man in a baseball cap, jeans and a sports coat put a thick envelope into a briefcase and moved from one ATM to the next.
The official flagged down two nearby NYPD officers who’d already been briefed on the fraud, and the cops arrested 28-year-old Aleksandar Aleksiev. With his consent, they searched his bag and found six ATM-deposit envelopes stuffed with cash, and 12 blank cards with stickers on them and a different PIN code written on each.