The next bank heist movie just got a lot less interesting. Prosecutors in Brooklyn revealed on Thursday afternoon that eight men successfully organized and executed an elaborate heist of $2.4 million on February 19 by hacking into the databases of two payment-processing companies and, after raising the withdrawal limit on several accounts, visited ATMs spread throughout Manhattan to cash out, wielding prefabricated swipe cards coded with the hacked account numbers. According to a map drawn up by the prosecutors, the hackers focused on ATMs easily accessible by the Broadway-Seventh Avenue red subway line:
They withdrew and made off with the money in just 10 hours.
It gets worse! The New York plot was only a single episode in a much larger heist, spread across more than twenty countries, of $40 million, which was captured within the same timeframe:
After securing 12 account numbers for cards issued by the Bank of Muscat in Oman and raising the withdrawal limits, the cashing crews were set in motion. Starting at 3 p.m., the crews made 36,000 transactions and withdrew about $40 million from machines in the various countries in about 10 hours. In New York City alone, a team of eight people made 2,904 withdrawals, stealing $2.4 million.
These kinds of heists, involving ATM protocols instead of guns, appear to be increasingly common. In October 2012 federal officials discovered that a security loophole had let a team of thieves steal $1 million from the global bank Citigroup, simply using ATMs. And in January of the same year, a South African bank had $6.7 million stolen after thieves obtained the login credentials of its bank staff and used ATMs to withdraw large sums of cash.