Hackers in Eastern Europe who used computer viruses to steal usernames and passwords teamed up with foreign students who opened bank accounts in the U.S. to snatch at least $3 million from American bank accounts, authorities said Thursday in announcing charges against more than 80 people.
In court papers unsealed in U.S. District Court in Manhattan, 37 people were charged with conspiracy to commit bank fraud, money-laundering, false identification use and passport fraud for their roles in the invasion of dozens of victims' accounts, U.S. Attorney Preet Bharara said. Fifty-five have been charged in state court in Manhattan.
"The modern, high-tech bank heist does not require a gun, a mask, a note or a getaway car," Bharara said at a news conference. "It requires only the Internet and ingenuity. And it can be accomplished in the blink of an eye with just a click of the mouse and at a distance of thousands of miles."
He said the victims included five banks and dozens of individuals with accounts throughout the country.
Nine New York-area people and one person in the Pittsburgh area were arrested early Thursday, said FBI Assistant Director Janice K. Fedarcyk, head of the New York office. Others had already been arrested and at least 17 were fugitives, she added.
In a series of criminal complaints filed in the case, the FBI said the scheme originated with information gleaned from computers through the use of a virus that could access the bank accounts of small and midsized businesses and municipal entities in the U.S.
Bahara said the hackers used a virus — or malware — called a Zeus Trojan to get access to the victims' bank accounts.
"Malware would get lodged on someone's computer when a benign-seeming e-mail that was in fact not benign was opened," Bharara said. "And then that software would keep track of keystrokes on the part of the computer user so when that computer user logged in to his or her bank account, that information would be retained and then transmitted and so people could access the bank account information."
The scheme relied on individuals who were known as "money mules" in the U.S. to actually steal money, the FBI said. Bharara said those arrested consisted almost entirely of mules and four people who managed them.
American banks say there's no reason to worry. They urge customers to update their computers and use antivirus software. But cybersecurity experts say that may not be enough.
"I have seen systems compromised that were fully patched and were running current antivirus software," said Daniel Schwalbe, assistant director of security services at the University of Washington's office of the chief information security officer.
He says he believes these kinds of hacker attacks are a greater danger now than a couple of years ago, and one of the most persistent threats is Zeus Trojan.
"It's sort of made a name for itself because there's something called the Zeus kit, which you can actually buy off the black market, and it's highly customizable," he said. "Depending on what information you would like your Trojan to steal, you can just turn on and off options and deploy it and it'll steal that particular information."
New York District Attorney Cyrus Vance Jr., a state prosecutor, said people from the Russian Federation, Ukraine, Kazakhstan and Belarus who had obtained student visas to come to the United States were recruited through social networking sites and newspaper advertisements to open hundreds of U.S. bank accounts for fraudulent purposes.
He said the money stolen from the victims would be deposited into the bank accounts and then transferred in smaller amounts elsewhere. Authorities said those who set up the bank accounts would keep 8 to 10 percent for themselves before sending the rest to others involved in the scheme.
"This advanced cybercrime ring is a disturbing example of organized crime in the 21st century — high-tech and widespread," Vance said.
Gregory Antenson, commanding officer of the city police department's Financial Crimes Task Force, said the police department's detectives literally walked into the international probe that was already under way when they showed up at a Bronx bank in February to investigate a suspicious $44,000 withdrawal.
NPR's Martin Kaste contributed to this report, which also contains material from The Associated Press