Wednesday, July 02, 2008

7-11 ATM Hackers (?) - More details

More details are now available about a trio of hackers who were indicted back in March on charges of stealing more than $5M from customers of ATMs. In a July 1st USA Today story few facts were revealed, but it was enough to spin the story back up in the media. I'm getting enough questions about it, I thought I would try to summarize what we know.

Kevin Poulsen had many details, including an affidavit by FBI cyber-crime agent Albert Murray and an affidavit by Ari Baranoff, a US Secret Service Electronic Crimes Task Force agent working in the Eastern District of New York, in his June 28th WIRED Blog.


Baranoff deposed Olena Rakushchynets, the wife of the primary suspect, Yuriy Rakushchynets, who was arrested February 28, 2008 in their Brooklyn residence.

The search warrant against their residence had revealed that Yuriy participated in several Internet carding forums, and had purchased information used to encode blank ATM cards, which he then used to withdraw cash from ATMs. In February 2008 alone, he withdrew approximately $750,000, and on September 30, 2007 and October 1, 2007, he took out $100,000 in the 48 hour period. They also found $800,000 in cash ($690,000 in bags in their bedroom closet), a $34,000 Mercedes, and, from the pocketbook of Olena, 51 $20 bills in sequential order. Olena also had $99,000 in three separate safe deposit boxes, and had made more than $50,000 in deposits to the Ukranian National Federal Credit Union. (See WIRED's copy of the affadavit.

Yuriy, elsewhere called "Ryabinin", a 32-year-old Ukranian immigrant, Ivan Biltse, elsewhere called "Belyayev", 30, and Angelina Kitaeva, were all named in the indictment which covered activities from October 2007 to March 4, 2008. They were charged with "Conspiracy to Commit Access Device Fraud", and that they

unlawfully, willfully, and knowingly, and with intent to defraud, in an offense affecting interstate commerce, did effect and attempt to effect transactions, with one and more access devices issued to another person and persons, to receive payment and other things of value during a one-year period the aggregate value of which is equal to or greater than $1,000.


The indictment states Forfeiture claims on $2,000,000 in property, including the $800,000 seized from Yuriy on February 29, 2008 and an additional $800,000 seized from Ivan on March 4, 2008. (See WIRED's copy of the indictment.

Ivan Biltse, of Bensonhurst, New York, was originally arraigned on March 6, 2008 after being picked up for stealing $9,624 in 12 withdrawals from a Washington Mutal Bank ATM in Bay Ridge back on October 1. According to the New York Daily News, Ivan and Yuriy (who lived in Kensington) were cousins. (See Two Brooklyn Men ripped off $5M from ATMs around globe.)

The case actually started much earlier than that, when back on October 3, 2007, according to the FBI affadavit, First Bank notified the St. Louis Secret Service office that four "iWire" Prepaid Card accounts had been compromised. On just the dates September 30 and October 1, 2007, these four accounts were used to attempt more than 9,000 withdrawals from ATMs around the world, resulting in a loss of approximately $5 Million.

First Bank provided a list of withdrawal attempts, and several hundred of them came from banks in Brooklyn, including the Washington Mutual location that we already mentioned. Transaction and surveillance video pulled from several ATMs and nearby cameras showed:

a Caucasian male making withdrawals at the times and ATM terminals indicated in the First Bank Withdrawal Information for the Compromised Accounts. In the ATM video, this male is wearing a dark blue or black baseball cap emblazoned with the words "Top Gun" and a star and wings symbol, as well as a tan-colored sweatshirt or jacket with a dark blue or black front panel and dark blue or black trim at the zipper and collar.


Separately, on February 1, 2008, Citibank informed the FBI that a Citibank server(*) that processes ATM withdrawals at 7-11 convenience stores had been breached. A fraud alert system was established to flag all uses of these accounts, and the Citibank Withdrawal Information was used in a similar method. Surveillance video was pulled for many of these transactions, and some of them, including some on February 20, 2008 at the Citibank branch at 502 86th Street in Brooklyn, were made by the same individual, wearing the same "Top Gun" hat and sweatshirt as in the October withdrawals.

(Poulsen mentions that Citibank denies a breach. The USA Today article points out that the ATMs in question were not operated by Citibank, but by two other companies, Houston-based Cardtronics, and Brookfield, Wisconsin-based Fiserv. At this point, I don't think anyone has revealed what server was actually breached.)

This individual was quickly identified as Yuriy Ryabinin / Rakushchynets, and was found to have made $750,000 in fraudulent ATM withdrawals just in the month of February. How? Investigators searched Carding forums for individuals who were trading in First Bank or Citibank ATM information. One of these individuals was listing an ICQ number for contact. The ICQ had been registered earlier by "Yuri" a "29 years old male from brooklyn, USA".

A search for the same ICQ number showed that it belonged to a ham radio operator who signed his posts in Ham Radio websites with the same ICQ number. Some of those posts included photographs of Yuri in Dayton at a convention, wearing the same sweatshirt as the individual in the Washington Mutual and Citibank ATM surveillance videos.

A further search on the Ham Radio call sign that he used in these forums found that the FCC had sent him a letter, mentioning his call sign, regarding some minor administrative violations. The letter was addressed to "Mr. Yuriy Ryabinin, 679 Coney Island Avenue 2, Brooklyn, NY 11218".

A public records search found a Florida driver's license in that name, with a matching photograph. Ryabinin also had a Michigan driver's license under the name "Yuriy Rakushchynets".


Very Nice Work, Special Agent Albert Murray.

It will be interesting to see how much of the rest of the initial $5M in First Bank transactions can be identified.

You know I had to Google around a bit and find his call sign, right?

Yuriy Rakushchynets also had a hotmail account -- n2tta@hotmail.com, which he used to post a query looking for a job "within 2 hours drive of Brooklyn, NY". I have no idea what a "CQ-Contest" is, but Yuri was very active in them apparently, listed as a "fulltime operator" for events like the "CQWW SSB Soapbox", and other places giving his name and his call sign in things like:

Yuri, N2TTA, will be active as NP2/N2TTA between February 12-19th. His activity will include the ARRL DX CW Contest (February 16-17th) as NP2S and as a Single-Op/All-Band entry. Yuri informs OPDX that he will be active on CW and SSB on all bands including 30/17/12 meters.
(link.

Yeah, I guess with a couple mill of other people's money, you can buy some nice radios, eh, Yuri?

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.