Is there a film producer out there? This week’s cybercriminal story that tops them all includes a team of at least 100 criminals working in worldwide unison, timing their thieving to the same 30 minute time period and making off with an estimated $9 million in unmarked cash!

Consumer action: If you are paid via an account that includes debit card services and your employer uses RBS Worldpay services, monitor your bank account daily for any unusual activity. Notify your bank and your employer’s payroll department immediately if you suspect your account is being illegally accessed.

The story breaks down as follows: After a global payroll company’s database was hacked in a data breach, criminals had the ability to create or clone debit cards used by some corporations as a method of distributing salaries. Instead of simply direct deposit to a standard bank account, this service included a debit card attached to those accounts for the employee’s benefit. The criminals figured out how to create or duplicate these cards and use them to withdraw money from ATM machines on the global network.

Where it gets more interesting is in the details of how the money was removed from the machines.

First, no limit on amount they could withdraw. I have a daily limit of how much I can remove from my own bank account via ATM. Typically that amount is about $500. Supposedly these limits are for my benefit to prevent someone with illegal access to my account from removing the full balance. These criminals figured out how to remove the limits.  

Second, use a coordinated team of individuals to steal. How much money can you carry without being noticed? And how to steal as much as possible before the bank system notices and shuts your method down. OK, somehow these criminals recruited at least 100 people working around the world in 49 countries.

Third, time your stealing to occur simultaneously. Were they all texting messages to work this out? Somehow all the ATM thefts occurred within the same 30 minute period. I would guess that there might be a time lag in how the machines individually upload data on withdrawals to the larger network. Perhaps the crooks know that it is around 30 minutes. I’m just guessing though.

I’m trying to work out how they hauled off that amount of money though. If you were at an ATM and the person next to you was removing an estimated $90,000, wouldn’t you notice a lot of cash being stuffed into a briefcase or backpack? If the machines were in the US where the machines typically contain only $20 bills, you’d have to remove around 4,500 pieces of paper. Just the logistics of getting that much from a single machine renders me speechless. Who knew a machine held that much?

So for 100 people working in unison in a 30 minute period, they hauled off an estimated $9 million in unmarked currency and disappeared into the crowd. The FBI is amazed at the crime. Still, with bank surveillance videos and the need to crack just one participant in a distributed network of thieves, the FBI is confident they will find these crooks and bring them to justice.  See the FBI’s “Wanted” poster.