The biggest heist, in which the $40 million was withdrawn, targeted cards issued by Bank Muscat in Oman
A Turkish hacker who US prosecutors say masterminded a series of cyber-attacks that enabled $55 million to be syphoned from automated teller machines around the world pleaded guilty on Tuesday.
Ercan Findikoglu, 34, pleaded guilty in federal court in Brooklyn, New York, to five counts including computer intrusion conspiracy for leading a scheme that resulted in stolen debit card data being distributed and used to make fraudulent ATM withdrawals worldwide.
Prosecutors have called the scheme one of the most successful and coordinated bank heists in history, enabling in one particular attack in 2013 the withdrawal of $40 million from ATMs in 24 countries in a matter of about 10 hours.
Findikoglu, who authorities say was a leader in the scheme and was known online as "Segate" and "Predator," was extradited in June 2015 from Germany, where he was arrested in December 2013.
The plea was confirmed by the office of Brooklyn US Attorney Robert Capters and by Christopher Madiou, Findikoglu's lawyer. He declined further comment.
Prosecutors said from 2010 to 2013, hackers including Findikoglu gained access to the networks of prepaid debit card payment processors Fidelity National Information Services Inc , ElectraCard Services, now owned by MasterCard Inc , and enStage.
Once in, the hackers caused the prepaid cards' account balances to be dramatically increased to allow large excess withdrawals, prosecutors said.
A group managed by Findikoglu then disseminated the stolen debit card information to "cashing crews" around the world who in turn conducted tens of thousands of fraudulent ATM withdrawals.
In exchange, Findikoglu and other high-ranking members of the scheme received proceeds in various forms, including by wire transfer, electronic currency or personal deliveries of cash, prosecutors said.
The biggest heist, in which the $40 million was withdrawn, targeted cards issued by Bank Muscat in Oman and involved thieves in February 2013 executing 36,000 transactions, prosecutors said.
A separate February 2011 operation targeting cards issued by JPMorgan Chase & Co and used by the American Red Cross to provide relief to disaster victims saw $10 million withdrawn globally, prosecutors said.
In another in December 2012, cards issued by National Bank of Ras Al-Khaimah in the UAE were compromised, resulting in $5 million in losses, court documents said.
A New York cashing crew alone withdrew $2.8 million in the 2012 and 2013 operations, authorities said. Thirteen of the crew's members have pleaded guilty.