Three New Yorkers accused of using hacked Citibank ATM card numbers and PINs to steal $2 million from customer accounts in four months have pleaded guilty to federal conspiracy and access device fraud charges.
The defendants -- Ivan Biltse, Angelina Kitaeva and Yuriy Rakushchynets, aka Yuriy Ryabinin -- are among 10 suspects charged earlier this year in connection with a breach of a server that processes ATM transactions from 7-Eleven convenience stores. Those ATMs are branded Citibank, but they're owned by Houston-based Cardtronics.
Court records indicate a Russian hacker cracked the ATM server in late 2007, and monitored transactions from 7-Eleven cash machines long enough to capture thousands of account numbers and PINs. The Russian then farmed out the stolen data to mules in the United States, who burned the account numbers onto blank mag-stripe cards and withdrew cash from Citibank ATMs in the New York area for at least five months, sending 70 percent of the take back to Russia.
Yuriy RakushchynetsCitibank reported the breach to the FBI in February. In a separate investigation, U.S. Secret Service agents had already identified Rakushchynets as a member of the computer underground, and they tied him to the Citibank heist after comparing ATM surveillance photos to pictures of Rakushchynets posted on ham radio websites.
In January, two other alleged cashers -- Nue Quni and Luma Bitti -- were arrested after a lucky traffic stop caught them with blank cards and a mag-stripe writer in their car. Bitti cooperated in the investigation and led the FBI to two more suspects, Andrey Baranets and Aleksandr Desevoh, who were arrested in New York after meeting with -- and attempting to mug -- an undercover FBI agent.
On May 8, Aleksandar Aleksiev, another alleged mule, was picked up in a stakeout while withdrawing money at a Citibank branch on New York's Upper East Side, where some $180,000 had been stolen through the branch's ATMs in the previous three days.
Another man, Ilya Boruch, has been charged with money laundering for allegedly helping transfer some of the proceeds of the heist to Russia through WebMoney, a PayPal-like internet-payment system. And Rakushchynets's wife has been charged with obstruction of justice.
Citibank hasn't commented on the breach, except to say that customers aren't held responsible for fraudulent withdrawals, and that its own servers weren't compromised. Cardtronics also hasn't commented, but insisted in a July press release that its systems meet the PCI Data Security Standard, which sets requirements for credit and debit cards processing systems.
But Bob Russo, general manager of the PCI Security Standards Council, says he's skeptical that Cardtronics was in compliance, assuming the company was the source of the data spill. "To the best of our knowledge at this point, the standard is solid," Russo said in an interview in July. "And there really should be no way that this is possible if they were following the standard."
Cardtronics did not return a call for comment Wednesday.
In addition to looting Citibank accounts, Rakushchynets was accused of participating in a global cybercrime feeding frenzy that tore into four specific iWire prepaid MasterCard accounts last fall. From September 30 to October 1 -- just two days -- the iWire accounts were hit with more than 9,000 actual and attempted withdrawals from ATM machines "around the world," according to an FBI affidavit, resulting in a staggering $5 million in losses.
Rakushchynets pleaded guilty on September 17 to four charges: access device fraud, and conspiracies to commit access device fraud, bank fraud and money laundering. Kitvea pleaded guilty to conspiracy and access device fraud on September 2. Biltse pleaded guilty on October 21 to access device fraud, three counts of conspiracy, passport fraud and one charge of gaining residency status in the United States with a sham marriage.
Rakushchynets and Biltse agreed to forfeit the cash found stashed in their homes at their arrest: $838,000 for Rakushchynets; $912,500 for Biltse.
*Top photo: At the Citibank branch at 65th Street and Madison Avenue in New York City, a bank official caught a man in the act of **allegedly *looting customer accounts in May.
Bryan Derballa/Wired.com
See Also:
- Fed Blotter: Citibank Worker Allegedly Plunders Customer Accounts
- ATM-Owner Cardtronics Issues Non-Denial Denial in Citibank Breach
- Stakeouts, Lucky Breaks Snare Six More in Citibank ATM Heist
- Citibank Replaces Some ATM Cards After Online PIN Heist -- Update
- Citibank Hack Blamed for Alleged ATM Crime Spree
