Ep. 03: The $45 Million Cybercrime Dance

Season 01

Episode 01

Guest

Cristina Posa

Author

Federica Manzitti

Language

English

Duration

23:39

Credits

Federica Manzitti (author)
Cristiano Cervoni (sound design)
Georgia Walker (narrator)
Bertrand Chaumeton (music)

Cristina Posa

In this gripping podcast episode, listeners are taken on a thrilling journey through the real-life cybercrime phenomenon known as the “Unlimited Attacks” that rocked the global financial market between 2007 and 2013. Federal prosecutor Cristina Posa recounts her early involvement in the case, which begins with a Secret Service officer’s visit and a t-shirt clue. The story unfolds with a blend of old-school detective work and cutting-edge digital investigation techniques, revealing how international collaboration was key to unmasking the audacious cybercriminals responsible for multimillion-dollar ATM heists worldwide.

Starting in around 2007 until about 2013, the global financial market was hit by a series of what we would call unlimited attacks. Basically, it meant that cyber criminals would hack into the card processors so that basically there was no withdrawal limit. So, we would go look at all of these different IPs and try to see if any of them actually went back to a real address or a real human being. And a lot of it is just waiting and hoping that they make a mistake because eventually everybody makes a mistake. Even the best criminals make a mistake.

Narrator

It has been called the 21st-century bank heist. It came away with 45 million dollars by making withdrawals from ATM machines using prepaid debit cards. By hacking into payment systems and eliminating withdrawal limits, cards could be used to take out hundreds of thousands of dollars at a time.

Every digital indignity to which we are routinely subjected is anonymous and, to begin with, this was no exception. But this international cyber-criminal gang came to the attention of a young United States federal prosecutor. For security reasons a few identifying details of witnesses and defendants have been changed, but there is no doubt that this is a true story, the story that Cristina Posa tells to Segreta.

Cristina Posa

I was a baby prosecutor. I had just started in the federal prosecutor’s office in Brooklyn and it was one of my very first cases. It happened in October of 2007, and I started in the office in September 2007. So, I was generally just doing run of the mill drug cases, weapons possession cases, pretty straightforward cases. That day I was on duty and a Secret Service officer came to visit me in my office.

Narrator

The US Secret Service is well-known for being responsible for protecting the president and other high-profile figures, but it also specializes in cyber and electronic crimes.

Cristina Posa

So this agent came in and he said there was this cyberattack. It seems like it hit a number of banks, you know, hundreds of thousands of dollars of withdrawals were made overnight, including all over Brooklyn, and my office was based in Brooklyn. That was part of my jurisdiction. And he had records of ATM withdrawals, hundreds of thousands of dollars’ worth of ATM withdrawals made in a pretty tight area in Brooklyn, all using the same, I believe, 4 debit card numbers, which is very unusual, because usually a debit card, a prepaid card will maybe have $500, maybe $1,000, not that level of money.

Narrator

New York is a big city and finding a handful of thieves is not an easy task. Some low-tech bank videotapes gave a lead. It meant looking at hours of recordings.

Cristina Posa

And we had to do that very quickly because the videotape gets, you know, rewritten by the security cameras. So, it was my role to give him a subpoena so that he could go to the banks and get these videotapes. We started looking at them and we kept seeing the same guy over and over and over. We didn’t know who he was, but he wasn’t very well disguised. And he was wearing this t-shirt and it had the word Nesher on it, N-E-S-H-E-R. I said, what is Nesher? What does that mean? And the agent was actually born in Russia, but had spent a lot of time in America, was a U.S. citizen, a U.S. military veteran, really great guy. But he knew the Russian community very well, including this part of Brooklyn called Brighton Beach, where there are a lot of Russian delis and, you know, food establishments. And he said, Oh, that’s Nesher Fine Foods. You know, it’s a famous deli in Brighton Beach. We said, well, let’s go talk to Nesher and see if they know this guy. So, he was not really a criminal mastermind, to be honest, because we went there, we showed the photo of this individual and they recognized who he was immediately.

So that was sort of the first break in the case. And you know, on TV, sometimes it’s a lot harder. But this was pretty easy.

Narrator

One outfit can make your day.

Cristina Posa

You know, we were waiting for the images to come back from the subpoena from the banks. The Secret Service agent showed up at my office one day. Normally, because he was U.S. Secret Service, you know, they’re famous for always being very well dressed. They always wear a suit, super professional. This day he was wearing a white tracksuit, like, you know, with USSR in Cyrillic, CCCP, on his chest. I was like, What? What are you doing? His name is Eugene. And I said, what are you doing with this? Why are you in the office looking like this? And he said, Oh, it’s my Brooklyn tuxedo. And that was sort of the nickname for tracksuits at the time, which were popular in a lot of, you know, criminal ethnic communities like the Italian mob and Russian organized crime. They all kind of had their version of it. I said, well, what are you doing with it? He’s like, oh, I’m going to go undercover today and I’m going to go and show this photo around and see if we can recognize the guy. So, he actually, you know, one of the ways that he was able to build this trust was to sort of show up looking like a local, even though to me he still looked like a cop and he sounded like a cop. But I guess when he was speaking Russian, he could fit in a little bit better.

Narrator

Then the agents paid a visit to the house of the man with the Nesher t-shirt

Cristina Posa

And lo and behold, he was in bed with his girlfriend and several plastic bags full of $100,000 in cash. Because when you do these types of operations, the big problem is that it’s all cash. It all comes out usually in the United States, at least at the time, in $20 bills. So, what are you going to do with all this cash? You can’t really bring a huge garbage bag full of cash to the bank. The bank is going to look at you and wonder, you know, what are you up to? So, you have to figure out a way to kind of move that money slowly over time.

Narrator

The thief, a foot soldier in the larger organization, tells investigators about his manager, who also lived in the Brooklyn Russian community, and how he provided him with stolen debit card numbers.

Cristina Posa

He had a whole system for basically creating credit cards, blank plastic, a credit card reader at home so that he could encode the cards with this stuff and then go to all these different ATM machines all over New York. And, you know, they would call it banging them out, like trying to get as much cash out as possible.

So that’s sort of how the case started. This combination of, you know, pretty low tech, like hitting the street detective work is really kind of what got us to the first stage of the investigation.

Narrator

The next step was to reach into the deeper, more anonymous levels. Would it be possible to find traces of the organization’s activities on the web?

Cristina Posa

Yeah, we were able to see that certain other IP addresses were frequently using that very common IP address, and we kind of wanted to be able to see all the traffic that was going back and forth between those servers. And at the time, this is 2007, and it was common to use in terms of telephones as an investigative technique in the US, it’s called a pen register trap and trace device. Imagine a phone wiretap, but you don’t actually get the calls. All you see are the phone numbers that are calling back and forth and for how long they’re speaking. It’s sort of similar to that. You can do that with all sorts of electronic communications. And in this case, it was a server. So, we were able to say, okay, for this IP address, we want to see all the IP addresses that are communicating with that server and when they’re communicating. And then the next step would be to identify those IP addresses. But at the time in my district, nobody had ever tried to use that investigative technique on an IP address. It was still much more frequent to use it on a phone or maybe an email.

Narrator

All this was really new then. It was a new way for the FBI to carry out investigations.

Cristina Posa

So, I went to speak to my supervisor. The agents say this is something that’s done. Can we do this? And the supervisor said, I’m not sure if we’ve ever actually done it, but, you know, let’s look at the statute. And the statute, the law under U.S. law, basically says that you can use this if it’s, quote, routing or dialing information. So, the agent and I went to the judge kind of Friday, late afternoon. The judge was getting ready to leave for the weekend and we brought this to him. It’s something he’d never seen before. But he also looked at the statute and he said, okay, that sounds right. That sounds legal.

Narrator

In this way they were able to get the order, access the server, and track the flow of communications, not only in the US, but internationally.

Cristina Posa

We saw that a lot of communications with that server were emanating from a server in the Netherlands called Lisa Web, which is, you know, again, a legitimate, you know, web hosting company. At least it was at the time. So, you know, it wasn’t like a dark Web type thing. You know, they were using legitimate means of communication to commit illegitimate activity, but we didn’t really know what was being communicated. We could just see and have a sense of who and where these communications were happening. So, then the next step for us was to make a legal request to the Netherlands.

Narrator

In order to gain the cooperation of authorities in other countries, it is necessary to make what is called a mutual legal assistance treaty request. The request was granted, and the Netherlands cooperated in tracking the gang’s communications. Investigators were able to see the surgical precision with which the hackers broke into the financial systems and how they decided which ATMs to target in their sudden, coordinated attacks and how much to withdraw.

Cristina Posa

And that kind of blew the whole case open because then we could see what was actually happening in the communications that were happening. And they were so obvious about what they were talking about. I mean, they were talking about, you know, we didn’t know who they were at the time, you know, but they all had different nicknames. But they were, you know, sending screenshots like, oh, I’m in this bank server, here’s a screenshot, you know, oh, look at these idiots from the Security Department. They’re trying to figure out what’s going on. And they were actually reading the e-mails and the communications of the I.T. security departments of these victim banks and victim credit card processors and sending screenshots to each other. They were plotting these operations all over the world. I mean, we knew about this one that had happened that hit, you know, a number of ATMs in New York. But there were other ones ongoing and they all kind of knew each other. You know, they were talking about, okay, we’re going to distribute these ATM cards at, let’s say, 10 p.m. on a Friday night. They would usually try to do it on a Friday when the bank would be closed over the weekend. So, they wouldn’t find out until Monday. Okay. At 11 p.m., we’re going to send you the PIN numbers, go out and start hitting the banks. Everybody now at this time, and we could see all of this stuff, you know, unfolding. So, it was pretty amazing that we got this kind of level of evidence and we saw them do other criminal activities. You know, it was a lot of showing off.

Narrator

But who are these people? Investigators know the gang’s IP addresses and their nicknames, but how do they take the investigation further?

Cristina Posa

And at the same time, we did some online research as to who this person was, you know, if it was the co-instigator, the person, you know, who we thought maybe it could be. You know, he was very active on social media. He was on Facebook. He had pictures with his, you know, lovely girlfriend going on yachts in the Mediterranean with his friends. So, you know, we sent those photos to the French, and we said, hey, can you go sit on this guy’s house and see if it’s that guy? Again, a very low-tech way of solving a very high-tech crime. And they did. And he was. It was that guy.

Narrator

This is what international collaboration can do. It also sometimes happens, as in 2018, that the FBI can warn banks of impending, highly choreographed, global fraud schemes known as “ATM cash-outs”, by which thieves, working simultaneously on a large scale, seek to steal millions of dollars using cloned ATM cards.

Cristina Posa

What was amazing to me was that it was really like the United Nations of crime, like countries that may be politically never cooperate with each other. The criminals are more than happy to cooperate with each other. You might have an Iranian and an Israeli. And just imagine all the different, you know, countries, Americans, Latin Americans, they all kind of came together in this wonderful United Nations of crime, but they needed to do it. And it’s also a good way to spread the risk, because when they would do these unlimited attacks, they wanted to have different teams of people all over the world so that if some got arrested, others could keep going. They could take advantage of the time differences. They were getting so good by the end that they would even do a lot of research on local practices. So, for example, in one of the later attacks around 2012, they sent a big team of people to Japan because they found out that in Japan you could take out like up to $10,000 in a single withdrawal. So, they knew they could get the most money. So, they would train people in Romania, send them to Japan. You know, they would target certain countries based on those things. I really firmly believe that criminals are so good at cooperating internationally that governments have to be just that good.

Narrator

Meanwhile, in the middle of those long days working on the investigation, Cristina had a relaxing evening at home, in front of the TV. She was watching the Charlie Rose show and he was interviewing President Obama.

Cristina Posa

He was talking about the importance of cyber security and then he just sort of said off the cuff, and I was watching TV, not expecting to hear this, it’s like, you know, cyber security, you know, in that Obama very slow way of talking, you know, cybersecurity. Look, it’s a big problem for us. And well, look, we’ve got these yokels up in New York and they’re stealing $40 million in 24 hours. We got to get a handle on this problem, or something along those lines. So, it was pretty exciting for us to see that, like our case that we’ve been toiling over for so long, you know, reach that level. But then, of course, we really felt the pressure like, okay, the game is on. Like if the president is watching this, we’ve got to get these hackers. You know, this has got to stop. We can’t just keep letting this happen. So, it was exciting. But it also gave us incentive to work even harder to wrap it up.

Narrator

This combination of then-cutting-edge, digital investigative techniques and old-fashioned, gumshoe detective work with a presidential confidence boost finally brought the mastermind to book.

Cristina Posa

He was arrested, I believe, in 2013 in Germany. He was a Turkish individual and Turkey does not extradite their own citizens. So, we had to just basically wait for him to travel. Using different investigative techniques, we were able to kind of track his location. It wasn’t like a location tracker, just, you know, communication tools that he was using. Again, his IP addresses. And again, he got lazy, and he used a hotel’s free wi-fi in Germany rather than just using a proxy server or mobile device. And when we saw that, we were able, because we had good relationships with the German law enforcement, to notify them that we had a suspicion that he was at this hotel. And we waited for one more confirmation from the same IP address that we got, and they went, you know, to investigate the hotel and they saw him, and they were finally able to pick him up. But, you know, he knew not to travel to the U.S. You know, he was speaking with other people. And we had his communication saying like, don’t be stupid, don’t go to the U.S. They’re going to pick you up. At one point, he was even talking about me. He had like found my name online and he was like, oh, this person is prosecuting all of our friends. We got to be careful. Whatever you do, don’t go to New York. Which kind of made me a little bit nervous, to be honest.

All these hackers, they have all this money, and they want to travel and they want to enjoy it. You know, they don’t want to spend their whole lives sitting in their home countries, so they go on vacation. And in this case, he just used a free hotel wi-fi like you might, you know; he may never have been arrested if he hadn’t made that one foolish mistake. So, again, it’s like you’re investigating the most serious, you know, sophisticated people and just hoping they make a mistake.

Narrator

This is the story of how prosecutors and federal investigators in Brooklyn were able to lift the veil of anonymity on an outlandishly successful chapter in the history of financial cybercrime and how they were finally able to bring to justice the global gang of hackers responsible for a series of breathtaking, multimillion dollar “unlimited operations” able to generate millions in cash from thin air.

The story of the investigations of Cristina Posa and her team demonstrates how a combination of fresh creative minds, international cooperation, high- and low-tech investigative techniques, hours of patient work and interpersonal skills can put a stop to a gang of highly professional criminals stealing millions of dollars in countries around the world.

Cristina Posa is a graduate of Harvard Law School and spent much of her career as a US federal prosecutor specializing in cybercrime and international criminal justice cooperation, first at the US Attorney’s Office in Brooklyn and then at the US Embassy in Rome. Since leaving government service in 2020, she has worked in a legal capacity specializing in international investigations and online trust and safety at Amazon and Meta, but in this podcast, she is speaking in her personal capacity only.
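The pattern the Secret Service agent brought to Posa’s office, a handful of card numbers draining hundreds of thousands of dollars overnight from ATMs clustered in one neighbourhood, is also the simplest detection signal a card issuer can compute on its own, independently of the processor whose withdrawal limits the attackers had disabled. The Python below is an added example written for this page, not code from the podcast, the investigation or any bank; the withdrawal records, masked card numbers, ATM identifiers and thresholds are all constructed for illustration.

```python
"""Flag ATM cash-out patterns in a withdrawal log.

Idea: the processor's limit may have been removed by an intruder, so the
issuer re-derives its own per-card limit over a sliding time window and
also counts distinct ATMs, since a cash-out crew "bangs out" many machines
in quick succession rather than hitting one ATM repeatedly.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical, not the case records):
# (ISO timestamp, masked card number, ATM id, amount in USD).
SAMPLE_WITHDRAWALS = [
    ("2007-10-12T22:05:00", "4111-XXXX-0001", "atm-bkln-01", 800),
    ("2007-10-12T22:09:00", "4111-XXXX-0001", "atm-bkln-02", 800),
    ("2007-10-12T22:14:00", "4111-XXXX-0001", "atm-bkln-03", 800),
    ("2007-10-12T22:20:00", "4111-XXXX-0001", "atm-bkln-04", 800),
    ("2007-10-12T22:26:00", "4111-XXXX-0001", "atm-bkln-05", 800),
    ("2007-10-12T22:31:00", "4111-XXXX-0001", "atm-bkln-06", 800),
    ("2007-10-12T23:02:00", "4111-XXXX-0002", "atm-bkln-02", 800),
    ("2007-10-12T23:07:00", "4111-XXXX-0002", "atm-bkln-03", 800),
    ("2007-10-12T23:13:00", "4111-XXXX-0002", "atm-bkln-07", 800),
    ("2007-10-12T23:20:00", "4111-XXXX-0002", "atm-bkln-08", 800),
    ("2007-10-12T23:25:00", "4111-XXXX-0002", "atm-bkln-09", 800),
    # Ordinary cardholder: two small withdrawals, days apart, same ATM.
    ("2007-10-12T18:00:00", "4111-XXXX-0003", "atm-bkln-01", 200),
    ("2007-10-14T09:30:00", "4111-XXXX-0003", "atm-bkln-01", 100),
]


def group_by_card(records):
    """Bucket raw records per card and sort each bucket by time."""
    by_card = defaultdict(list)
    for ts, card, atm, amount in records:
        by_card[card].append((datetime.fromisoformat(ts), atm, amount))
    for events in by_card.values():
        events.sort()
    return by_card


def detect_cashouts(records, window=timedelta(hours=24), limit=1000, min_atms=3):
    """Sliding-window check per card.

    An alert is raised for a card when, inside any span of `window`, the
    summed withdrawals exceed `limit` (the issuer's own daily cap, e.g. the
    $500-$1,000 a prepaid card would normally hold) AND at least `min_atms`
    distinct ATMs were used. Returns {card: details}, where `flagged_at` is
    the first withdrawal at which both conditions held, i.e. when a
    real-time monitor would have fired, and `total` is the largest
    in-window sum seen for that card.
    """
    alerts = {}
    for card, events in group_by_card(records).items():
        start, total = 0, 0
        for end, (t_end, _atm, amount) in enumerate(events):
            total += amount
            # Drop events that have fallen out of the window.
            while t_end - events[start][0] > window:
                total -= events[start][2]
                start += 1
            atms = {e[1] for e in events[start:end + 1]}
            if total > limit and len(atms) >= min_atms:
                prev = alerts.get(card)
                if prev is None:
                    alerts[card] = {
                        "flagged_at": t_end,
                        "total": total,
                        "atms": len(atms),
                        "withdrawals": end - start + 1,
                    }
                elif total > prev["total"]:
                    prev.update(total=total, atms=len(atms),
                                withdrawals=end - start + 1)
    return alerts


if __name__ == "__main__":
    for card, info in sorted(detect_cashouts(SAMPLE_WITHDRAWALS).items()):
        print(f"{card}: ${info['total']} from {info['atms']} ATMs in "
              f"{info['withdrawals']} withdrawals, first flagged "
              f"{info['flagged_at'].isoformat()}")
```

Run against the constructed log, the two crew cards are flagged on their third withdrawal, well before the overnight run is finished, while the ordinary cardholder never trips either condition. The thresholds are deliberately parameters: a bank tunes `limit` to the card product and `window` to how long it is willing to let a run continue before a human looks at it.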

In the next episode we will hear the story of a huge undertaking involving billions of dollars, a scandal with serious loss of reputation that was stopped moments before it pushed an entire country over the brink of disaster. 
