Photographer: Simon Dawson/Bloomberg, Illustration by Tom Hall/Bloomberg Business

How the U.S. Finally Tracked Down a Hacker Kingpin

For the U.S., the extradition of Ercan Findikoglu shows the value of patience when it comes to pursuing suspected hacker kingpins.

Findikoglu, 33, was delivered Tuesday to American soil and pleaded not guilty Wednesday in federal court in Brooklyn to charges that he masterminded a scheme to siphon millions of dollars from automated teller machines. The case marks a success for a strategy quietly honed over a decade by the U.S. Secret Service to target alleged leaders of global cybercrime.

Some 300 hacking leaders -- mostly Russian speakers, like Findikoglu -- have been identified after years of investigations that include sifting through terabytes of digital evidence, placing wiretaps and flipping lower-level criminals. The agency claims several dozen top-tier arrests, leaving hundreds to go and demonstrating the difficulty of the challenge.

“The strategy that we deploy is to work our way throughout an organization and get to the highest levels,” said Ari Baranoff, assistant special agent in charge of the Secret Service’s criminal investigative division. “Once we identify them we have to capture them, and that entire process can take years.”

While the Secret Service is best known for protecting the president -- a duty that has brought unwelcome attention for lapses in recent months -- its criminal investigative division has primary responsibility for preventing financial crimes, including hacking for profit.

Hiding Tracks

Other agencies, such as the Federal Bureau of Investigation, take the lead in national security probes like the attack on the Office of Personnel Management believed to have been carried out by hackers linked to the Chinese government.

Criminal hacking masterminds are skilled at hiding their tracks and are often protected by overseas governments, according to U.S. officials.

Findikoglu eluded capture for five years before being caught in Germany in December 2013 -- and then fought extradition to the U.S. for another 18 months.

A Turkish citizen, Findikoglu allegedly organized criminal operations using hacked debit cards to make ATMs spew money, including one operation in February 2013 that stole $40 million within 10 hours in New York City and locations in 23 other countries, according to a ruling by the Federal Constitutional Court of Germany based on information from U.S. authorities.

ATM Withdrawals

A federal grand jury indictment unsealed Wednesday cited three such assaults on ATMs that allegedly resulted in a total of $55 million in illegal withdrawals.

In the 2013 operation, hackers broke into the computers of credit card processors and compromised prepaid debit cards by removing withdrawal limits and account balances. The account numbers were given to hacker cells and encoded onto other cards to make the ATM withdrawals.

Members of the New York cell were caught within months and prosecuted by a team led by Loretta Lynch, former U.S. Attorney for the Eastern District of New York who is now attorney general. One member, Jose Familia Reyes, withdrew at least $40,000, according to a Justice Department indictment.

Reyes pleaded guilty to conspiracy to commit access device fraud and is scheduled to be sentenced on July 10, said Nellin McIntosh, spokeswoman for the Eastern District. The office declined to comment about Findikoglu’s case, McIntosh said.

New Car

Findikoglu’s operation may have been responsible for stealing more than $100 million between 2007 and 2013 in 14 ATM attacks. The Secret Service spent years scouring 26 countries, dozens of computers and more than 100,000 intercepted e-mails to build its evidence against Findikoglu. Agents finally got the break they were waiting for when he traveled to Frankfurt to buy his Russian wife a new car. He checked into a luxury hotel using his real name, logged into an e-mail account under surveillance by the U.S. and was arrested by German authorities.

His lawyer in Frankfurt, Oliver Wallasch, declined to comment. Wallasch told Der Spiegel in August that Findikoglu was afraid he couldn’t get a fair trial in the U.S. Wallasch declined, however, to comment about the allegations against his client.

Prosecutors said Findikoglu could face as long as 35 years in prison if convicted. His U.S. defense lawyer, Christopher Madiou, declined to comment after Wednesday’s arraignment.

Russian-speaking hackers are considered to be among the most sophisticated criminals in the world and are believed to be behind the theft of 56 million credit card numbers from Home Depot Inc. and 40 million numbers from Target Corp. They made an estimated $2.5 billion during the second half of 2013 and the first half of 2014, up from $1.9 billion in 2012, according to Moscow-based cybersecurity company Group-IB.

High-Value Targets

“In terms of the Russian speaking high-value targets, we’ve narrowed it down to just a few hundred individuals,” Baranoff said. “We know many of them by their alias and several by their true identity.”

Hacking has prospered in Russia and Eastern Europe among a young population skilled in computer science with limited job opportunities and an environment rife with corruption, said James Lewis, a senior fellow with the Washington think tank Center for Strategic and International Studies.

“It’s a combination of smart people, no jobs and a criminal culture,” Lewis said.

They found online crime would pay as long as they didn’t attack companies at home and they shared some information when called upon by the government, said Tom Kellermann, chief cybersecurity officer for Trend Micro Inc. “They are perceived to be national assets,” he said. “They all speak Russian but they’re not all Russian.”

Criminal Syndicates

The Secret Service has focused on understanding how criminal syndicates operate and identifying which kingpins were theoretically the most difficult to replace, said William Noonan, deputy special agent in charge of the criminal division.

“We can’t get all of them,” said Jenny Durkan, former U.S. attorney for the Western District of Washington. “Russia is not going to extradite the criminals and it’s not going to stop the activity.”

Prosecutions take years to build a case and cost millions of dollars, all while hackers carry out daily assaults on companies and consumers, said John Dickson, a principal with the software security company Denim Group Ltd. in San Antonio.

Good hackers also get smarter about covering their tracks, said Dickson, a former U.S. Air Force officer who conducted computer security investigations.

Maldives Resort

The Secret Service nabbed one alleged hacking kingpin, Roman Seleznev, a Russian accused of being one of the world’s most prolific traffickers in stolen credit cards, only when he ventured out to a luxurious resort in the Maldives in the Indian Ocean last July.

He pleaded not guilty and is in jail in Seattle, awaiting trial in November. Seleznev’s lawyer, federal public defender Russell Leonard, didn’t return phone calls seeking comment.

“Every single one of them has to think they might be the one we do get,” said Durkan, who led the initial prosecution of Seleznev and is now a partner at Quinn Emanuel Urquhart & Sullivan LLP.

Climbing through criminal enterprises to the top, the Secret Service has made 5,940 arrests of Russian speakers and others linked to about $1.5 billion in fraud over the past five years.

It may be a coincidence or a validation of the U.S. strategy of going after masterminds, but since Findikoglu’s arrest, there hasn’t been another ATM unlimited cash-out operation.
