NEW YORK -- It was a huge bank heist -- but a 21st-century version in which the criminals never wore ski masks, threatened a teller or set foot in a vault.
Yet, in two precision operations that involved operatives in more than two dozen countries acting in close coordination and with surgical precision, thieves stole $45 million from thousands of ATMs in a matter of hours. In New York City alone, a team of eight people struck 2,904 machines over 10 hours Feb. 19, withdrawing $2.4 million.
The operation included sophisticated computer experts operating in the shadowy world of Internet hacking, manipulating financial information with the stroke of a few keys, as well as common street criminals, who used that information to loot the automated teller machines.
The first to be caught was a street crew operating in New York -- their pictures captured as they traveled the city, withdrawing money and stuffing backpacks with cash.
On Thursday, federal prosecutors in Brooklyn unsealed an indictment charging eight members of the New York crew -- including their suspected ringleader, who was found dead April 27 in the Dominican Republic -- offering a glimpse into what authorities said was one of the most sophisticated and effective cybercrime attacks ever uncovered. It was, prosecutors said, one of the largest heists in New York City history, rivaling the 1978 Lufthansa robbery that inspired the movie "Goodfellas."
Beyond the sheer amount of money involved, law enforcement officials said, the robbery underscored the vulnerability of financial institutions around the world to clever criminals working to stay a step ahead of the latest technologies designed to thwart them.
"In the place of guns and masks, this cybercrime organization used laptops and the Internet," said Loretta E. Lynch, the U.S. attorney in Brooklyn.
The indictment outlined how the criminals were able to steal data from banks, relay that information to a far-flung network of "cashing crews," and have the money laundered in end purchases of luxury items such as Rolex watches and expensive cars.
In the first operation, hackers infiltrated the system of an unnamed Indian credit-card processing company that handles Visa and MasterCard prepaid debit cards. Such companies are attractive to cybercriminals because they are considered less secure than financial institutions, computer security experts say.
The hackers -- who are not named in the indictment -- proceeded to raise the withdrawal limits on prepaid MasterCard debit accounts issued by the National Bank of Ras Al-Khaimah, also known as RakBank, which is in United Arab Emirates.
By eliminating the withdrawal limits, "even a few compromised bank account numbers can result in tremendous financial loss to the victim financial institution," the indictment states. And by using prepaid cards, the thieves were able to take money without draining the bank accounts of individuals, which might have set off alarms more quickly.
With five account numbers in hand, the hackers distributed the information to individuals in 20 countries, who then encoded the information on magnetic stripe cards. On Dec. 21, the "cashing crews" made 4,500 ATM transactions worldwide, stealing $5 million, according to the indictment.
After pulling off the December theft, the organization grew more bold, and struck again two months later -- this time nabbing $40 million.
While the New York crew had a productive spree, the crews in Japan seem to have been the most successful, stealing around $10 million, probably because some banks in Japan allow withdrawals of as much as $10,000 from a single bank machine.