Seven Yonkers residents have been arrested, accused of being part of a sophisticated international cybercrime ring that stole $45 million from thousands of bank automated teller machines within a matter of hours using hacked debit-card data, federal prosecutors said on Thursday.

The members of the global criminal organization hacked into two credit card processors and used stolen data to make more than 40,500 withdrawals in 27 countries, during two separate coordinated incidents in December 2012 and February 2013, the Justice Department said.

The seven in Yonkers and an eighth person, who authorities said was killed last month in the Dominican Republic, allegedly withdrew $2.8 million in thousands of ATM transactions in what prosecutors said was the second-biggest bank robbery in the history of New York City.


Brooklyn U.S. Attorney Loretta Lynch called it "a massive 21st-century bank heist" and compared its size to the Lufthansa heist in the late 1970s immortalized in the film "Goodfellas." Lynch said the fraudsters had moved with astounding speed to loot financial institutions around the world.

"In the place of guns and masks, this cybercrime organization used laptops and the Internet," said Lynch, whose office brought the case.

advertisement | advertise on newsday

"Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of ATMs in a matter of hours," Lynch said.

It was likely that the headquarters of the global scheme was located outside the United States and that the current charges focused only on the New York-based cell, according to Lynch.

Lynch called it a "virtual criminal flash mob." She said they could use any plastic card to withdraw the cash -- an old hotel key card or an expired credit card -- as long as they had the account data and correct access codes. Investigators were examining whether other cells were operating elsewhere in the United States, she said.


In the December attack, hackers gained access to an Indian credit card processor that handled prepaid MasterCard Inc. debit cards for National Bank of Ras Al Khaimah PSC, or RAKBANK, according to a criminal indictment.

In February, the hackers broke into the system of a U.S.-based credit card processor to steal account numbers for prepaid MasterCard debit cards issued by Bank of Muscat, court papers said. The second operation was far larger than the first attack, eventually totaling $40 million in losses to the Bank of Muscat.

Bank representatives could not be reached for comment.

No individual bank accounts were compromised by the scheme, Lynch said.

advertisement | advertise on newsday

In both cases, the hackers boosted the available balance for each card and eliminated the withdrawal limits, allowing them to take out huge sums of money from ATMs in what prosecutors called an "unlimited operation."

A single account number, for instance, yielded nearly $9 million in profits, including $2.4 million in New York City alone, prosecutors said.

The hackers distributed the account numbers to coordinated "casher" crews stationed across the globe, who siphoned millions of dollars from ATMs within a span of hours in December 2012 and February 2013.


One of the New York defendants was caught in surveillance footage from ATMs in Manhattan during the February operation, prosecutors said.

advertisement | advertise on newsday

After the cards were shut down, "cashers" laundered the proceeds, often by purchasing luxury goods, and sent a portion of the money back to the organization's leaders, according to prosecutors.

Officials said they seized hundreds of thousands of dollars in cash and bank accounts, as well as two Rolex watches and a Mercedes SUV, from the New York defendants.

The seven Yonkers residents arrested were: Jael Mejia Collado, Joan Luis Minier Lara, Evan Jose Peña, Jose Familia Reyes, Elvis Rafael Rodriguez, Emir Yasser Yeje and Chung Yu-Holguin. All are originally from the Dominican Republic.

The eighth defendant charged in the indictment, Alberto Yusi Lajud-Peña, also known as "Prime" and "Albertico," was found dead with a suitcase full of about $100,000 in cash, and the investigation into his death is continuing separately. Dominican officials said they arrested a man in the killing who said it was a botched robbery, and two other suspects were on the lam.

It wasn't immediately known which lawyers were representing the defendants.

The case demonstrates the major threat that cybercrime poses to banks around the world. Security experts frequently identify electronic fraud as one of the key challenges facing banks today.

"Hackers only need to find one vulnerability to cause millions of dollars of damage," said Mark Rasch, a former federal cybercrimes prosecutor, based in Bethesda, Md.

Avivah Litan, an analyst who covers security issues for Gartner Inc., said similar ATM fraud schemes are not uncommon, but the $45 million stolen in this one was at least double the amount involved in previous, known cases. Middle Eastern banks and payment processors are "a bit behind" on security and screening technologies that are supposed to prevent this kind of fraud, but it happens around the world, she said.

"It's a really easy way to turn digits into cash," Litan said.

Some of the fault lies with ubiquitous magnetic stripes on the back of the cards. The rest of the world has largely abandoned cards with magnetic strips in favor ones with built-in chips that are nearly impossible to copy. But because U.S. banks and merchants have stuck to cards with magnetic stripes, they are still accepted in many places in the world.

In 1978, $5.8 million in cash was stolen from a Lufthansa Airlines vault at Kennedy Airport, a heist masterminded by Jimmy Burke, the inspiration for Robert De Niro's character in "Goodfellas."