A Turkish man, Ercan Findikoglu, 34, whose online monikers include “Predator,” “Oreon,” and “Segate,” and who led three massive cyberattacks against international institutions causing over $55 million in losses, pleaded guilty on Tuesday in a Brooklyn federal court.
As Yahoo News reports, the hacker masterminded a slew of attacks targeting automated teller machines. He pleaded guilty to five counts, including a computer invasion conspiracy for leading a massive scheme that snowballed into stealing debit card data and cloning them to make fraudulent ATM withdrawals all over the world.
Ercan Findikoglu extradited to USA to Germany for epic ATM cashout of $40M http://t.co/nCxeGb884w pic.twitter.com/mFAbJm41Sc
— TEAM CYMRU (@teamcymru) June 24, 2015
In 2011 alone, prosecutors said Findikoglu and his cashing crew made about 15,000 counterfeit withdrawals worth $10 million from at least 18 countries. This was an incident in February with an operation targeting cards issued by JP Morgan Chase and Co, and used by the American Red Cross, for disaster relief victims. In 2012, there was the case of cards issued by the National Bank of Ras Al-Khaimah in the United Arab Emirates, which resulted in a $5 million loss.
Prosecutors added that Findikoglu hacked into the computer databases of three payment card processing companies, namely: ElectraCard Services (presently owned by MasterCard Inc), Fidelity Information Services Inc, and enStage, accessing prepaid debit card accounts, overstating balances, and removing limits to allow excessive withdrawals.
Another cyberattack in February, 2013, saw over $40 million fraudulently withdrawn in 24 countries that amounted to over 36,000 transactions. During a particular operation in New York City, the cashing crews pulled out $2.4 million inside an 11-hour timeframe from 3,000 automated teller machines. Findikoglu and other high-ranking members of the organization received compensation in varying forms like electronic currency, wire transfers, and personal cash deliveries.
“By hacking into the computer networks of global financial institutions, the defendant and his co-conspirators were able to wreak havoc with the worldwide financial system by simultaneously withdrawing tens of millions of dollars, ” U.S. Attorney Robert L. Capers said in a statement.
Bryan Sartin, director of the team at Verizon Communications, tells the Infosec Institute that the banking industry is one of the industries most targeted by cyber criminals.
“It just blows you away how sophisticated these folks are in thinking this stuff up.”
The charges against the Turkish mastermind carry a maximum sentence of 50 years. But experts believe that Findikoglu will face lesser punishment at his July 12 sentencing in front of District Judge Kiyo A. Matsumoto because of his plea deal. In the plea deal, both parties agreed that the sentencing guidelines would call for a prison term of between 11-15 years, though the defendant could ask for less jail time. The plea was confirmed by the office of Brooklyn U.S. Attorney Robert Capters and Findikoglu’s defense, headed by Christopher Madiou, who declined further comment.
The Secret Service spent years hunting down the Turkish mastermind, scouring through 26 countries and over 100,000 intercepted emails. In December, 2013, a big break came when Findikoglu traveled to Frankfurt to buy his Russian wife a new vehicle.
— Panteres.com (@PanteresNEWS) June 24, 2015
He checked into a luxury hotel using his real name, logging into an e-mail account that was closely monitored by U.S. authorities. He was arrested by German authorities and fought extradition to the U.S. for 18 months. Secret Service Special Agent-in-Charge David E. Beach said the prosecution of Findikoglu showed that “there is no such thing as anonymity in the cyber world.”
The FBI say over $1.2 billion have been stolen from 7,000 businesses in two years, a common scam being hackers posing as CEOs or company lawyers who tell people they need their financial information right away. After securing the information, the hackers wire the money out of the accounts of their victims into personal coffers.
[Image via Shutterstock/Konstantin Kolosov]