Chapter 35. The Big Brother He Never Had

CHRIS A MCCULLOCH

Dmitri Ivanov lived in a dark, cold, windowless basement room in Russia with several family members. Dmitri was only 21 years old, dark haired, with a thin small frame and stood about 5'9". He was not someone people noticed. Nothing made him physically stand out among other young Russian men. But what he had planned and plotted so meticulously for months would make him known on the other side of the globe in a matter of days. While his family was extremely poor and he came from humble beginnings, Dmitri was smart, very smart — especially when it came to computers. And he had big dreams. So, from his cold, dreary room in Russia, he plotted and schemed, knowing he would need hundreds of people from around the world to help him.

Dmitri did not finish high school, and nothing held his attention for long until he started learning about computers. Libraries in Russia gave the local school children access to computers. Dmitri went to a public school as a boy but did not excel. He frankly thought it was a waste of time and did not see a future in an education. He saw people struggle daily around him despite their education, so he did not focus on schooling. However, as a young teen, he quickly caught on to technology. He was curious about how things worked behind the scenes and he tackled the hardware aspect of computers first. He learned to physically piece them together from bits of other computers. He would find old, worn, discarded computers and use parts from them to build new ones. Then he started learning software programs and taught himself how applications worked. He quickly learned the codes used in programming.

The Internet brought a new world to the Russian's fingertips that otherwise would have been out of his reach. Dmitri started making connections with people in many different countries. He first began by socializing and reaching out to strangers to talk about movies, music, daily life and world events. However, Dmitri quickly became bored with these chat rooms. He discovered a secret cyber-underground of Web sites that only trusted members could access. People were granted access only after being verified several times by a referral. Dmitri felt proud that he had received access to these chat rooms. It made him feel like he was not just a poor, small-town Russian boy with no future. He saw an opportunity and he was going to take it.

The cyber-underground is often used for criminal activity. In this arena, people can talk openly about how to commit crimes, how to avoid getting caught and what to do if that happens. Dmitri had developed into a big player and he began recruiting trusted people in various countries around the world, spanning Russia to Canada to Peru to the United States.

Oleg Alekseev lived in Coral Gables, Florida, with his mother, Judith. Oleg was a college student studying for a business degree. By most standards, he appeared to be an average, run-of-the-mill student. Judith had emigrated from Russia several years ago with Oleg. He spoke with a heavy Russian accent, which separated him from other American boys. As he grew up, Oleg isolated himself because he did not feel included in activities with other teenagers. He started spending time on Web sites that connected him to his heritage; he felt more accepted by other Russians. Soon he started visiting chat rooms and was introduced to Dmitri Ivanov. Through many months of conversations on every imaginable topic, Dmitri and Oleg became very trusting of each other. In fact, Oleg considered Dmitri to be the big brother he never had. While Oleg was trying to become Americanized, Dmitri was trying to get him to hold onto his Russian roots. But unbeknownst to Oleg, Dmitri had other plans for him, too.

The American Dream

Glenn Copeland was a New York go-getter. He was not the kind to let the world pass him by. Glenn did not like to wait for things to happen — he made his own opportunities. While he had a normal childhood by typical standards and graduated from an average East Coast college, Copeland did not want the predictable future of going to work for corporate America; that environment moved too slowly for him. He was full of forward-thinking ideas and did not want to work for someone else. But, like others before Glenn, he entered the corporate world anyway. And true to his nature, he was a misfit. There was too much red tape and too many meetings spent thinking about ideas, which slowed down accomplishing them. He climbed the corporate ladder but still felt that he wasn't following his calling in life. So when he was 35 years old he went out on a limb with a partner and they started their own company. It was a provider of simple and inexpensive ways for businesses to pay their employees via direct deposit instead of with a check. However, the service quickly became outdated, so when Glenn was 40 he started his own company called eTransfer.

Glenn realized that companies had employees who did not have bank accounts or could not cash a paycheck without exorbitant fees, so his new venture began providing prepaid debit cards as an alternative to checks and direct deposit. Besides payroll cards, eTransfer provided the opportunity for employers to give bonuses or other compensation through cards instead of checks. Glenn believed it provided a safer method than checks because check fraud was so prevalent.

eTransfer was based in New York City but had a technology office in Miami. Glenn held several bank accounts in the company's name in multiple states, but had used Arch Bank for its processing for the previous four years.

A Window of Opportunity

On October 2, a normal Tuesday morning, the manager of the electronic banking department at Arch Bank, Nathan Wertz, was notified of an unusually large overdraft in the checking account of eTransfer. The account was overdrawn by $5.2 million from transactions that were processed over the weekend. Considering that the most eTransfer ever processed nightly was around $20,000, Nathan knew something was wrong and began looking into the situation.

At the time I was working as an investigator at Arch Bank. I was in my office when my boss came over to say that something was brewing in electronic banking and there was an overdraft of more than $5 million. Normally, I did not handle electronic banking investigations or overdrawn accounts, but the amount certainly was an attention-getter. For a bank of our size, it was an astronomical amount. I was told that I needed to attend a meeting being held soon in a nearby boardroom. After learning the basics of what had occurred from Nathan, I contacted my colleague at the Secret Service, Special Agent Dave Barker. I gave him the information I had at the time, and he told me to update him when I had more to report.

An unusually large number of people attended the initial meeting. In addition to Nathan, his manager (an executive of the bank), our corporate lawyer, the head of the technology department and several of his staff members, the manager of compliance and the manager of the risk department attended. On the phone were two anti-fraud specialists from MasterCard International, our processor.

Nathan began the meeting with the initial information he had uncovered. He had an internal report showing that four prepaid debit card numbers issued by eTransfer had been used repeatedly during the last couple of days. The statistics seemed too unbelievable to be real. Due to the size of the loss, everyone assumed there was a weird computer glitch. The report showed that the four card numbers were duplicated and disbursed to a network of perpetrators who initiated approximately 9,500 transactions in 8 to 10 hours late Saturday evening through Sunday morning.

Cash withdrawals had been made at multiple ATMs around the world. There was an average of 1,800 transactions to each of the four accounts ranging from $200 to $2,400. Most of the transactions were processed internationally; approximately 30 percent occurred in the United States.

The Perfect Storm

We began a complete forensic investigation into the systems of Arch Bank, eTransfer and MasterCard. Separate teams of IT experts reviewed them to find a point of compromise and to pinpoint the date the attack started. Glenn Copeland agreed to fully cooperate with our IT specialists to isolate the security breach.

Hours turned into days for everyone involved. We ultimately determined that the only compromise had occurred on eTransfer's end. Arch Bank and MasterCard were completely untouched. We also figured out that eTransfer's system was invaded a few days before the withdrawals began, using malware. Keylogging software was then installed a couple days later to capture the credentials of the system administrator. When transactions were sent to eTransfer for approval, the malware instructed the security system to ignore the account balance fields and the PIN fields; therefore, transactions were being improperly authorized.

We later learned that the crooks had been lurking in the eTransfer system since June, apparently waiting for the perfect time to strike. If Glenn had run a program to sweep his system for malware, the hackers would have been discovered in time to prevent the fraud. In the beginning, they were able to capture the administrator login and password, learning from monitoring his activity that he worked every day. Then they were able to penetrate his corporate e-mail activity. From that information, they discovered he was going on vacation starting October 1. They saw their window and went to work getting past the encrypted data, printing cards and formulating a plan of attack. They had the perfect storm of opportunity that they had been waiting for.

A Picture Is Worth a Thousand Words

We pulled the usage reports and tried many ways to analyze the data to find the common denominator. We finally settled on lumping the cities together and sorting by ATM location. From there we tried to map the distance and travel time between them. At that point, we sorted by bank, so that we could contact it with one request for multiple transactions. For example, we pulled each Bank of America item on Long Island, New York, and then requested pictures and video surveillance from those transactions. We continued this by state, by bank and by city. The Secret Service helped tremendously in this endeavor and most banks responded to our request fairly promptly. As we started receiving pictures, we spotted the same individuals at different machines. In some photos, we saw the suspects with buckets of money, passing them off to other people outside the camera's range. Realizing we had too many transactions at too many ATMs across the country, we decided to focus on heavy concentrations of cash withdrawals and on locations where we had clear images of the suspects. The Secret Service then ran the pictures through their databases, sent them to other law enforcement agencies and circulated them among agents to see if anyone was identified.
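The grouping and distance-and-travel-time analysis described above, as an added example that is not part of the original chapter or of Arch Bank's tooling: it runs two checks over constructed withdrawal records, flagging a card whose consecutive ATM withdrawals would require an implausible travel speed, and a card whose withdrawal count inside a sliding window exceeds a limit. The card ids, coordinates, timestamps and thresholds are assumptions, not figures from the case.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Constructed thresholds (assumptions, not figures from the chapter): a real cardholder cannot
# outrun an airliner, and rarely makes more than a few ATM withdrawals within a day.
MAX_PLAUSIBLE_SPEED_KMH = 900.0
MAX_WITHDRAWALS_PER_WINDOW = 3
WINDOW = timedelta(hours=24)

# Constructed usage report rows: (card id placeholder, UTC time, ATM city, lat, lon, USD amount).
# CARD-A mimics one cloned card number run by several mules at once; CARD-B is ordinary use.
SAMPLE_WITHDRAWALS = [
    ("CARD-A", "2007-10-06 22:05", "Long Island NY", 40.79, -73.13, 400),
    ("CARD-A", "2007-10-06 22:40", "Tallahassee FL", 30.44, -84.28, 600),
    ("CARD-A", "2007-10-06 23:10", "Lima PE", -12.05, -77.04, 2400),
    ("CARD-A", "2007-10-06 23:30", "Toronto CA", 43.65, -79.38, 1000),
    ("CARD-B", "2007-10-06 09:15", "Miami FL", 25.77, -80.19, 200),
    ("CARD-B", "2007-10-07 18:00", "Miami FL", 25.77, -80.19, 200),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two ATM coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def _by_card(records):
    """Group the flat report by card number, each card's withdrawals ordered by time."""
    groups = defaultdict(list)
    for card, ts, city, lat, lon, amount in records:
        groups[card].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), city, lat, lon, amount))
    return {card: sorted(rows) for card, rows in groups.items()}

def impossible_travel(records):
    """Consecutive withdrawals on one card whose distance and time gap imply an implausible speed."""
    alerts = []
    for card, rows in _by_card(records).items():
        for (t1, c1, la1, lo1, _), (t2, c2, la2, lo2, _) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            if hours <= 0:  # same minute: two machines at once, unless it is the same ATM
                speed = float("inf") if km > 0 else 0.0
            else:
                speed = km / hours
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                alerts.append((card, c1, c2, round(km), round(speed)))
    return alerts

def velocity_alerts(records, window=WINDOW, limit=MAX_WITHDRAWALS_PER_WINDOW):
    """Cards whose peak withdrawal count inside any sliding window exceeds the limit."""
    alerts = {}
    for card, rows in _by_card(records).items():
        times = [r[0] for r in rows]
        peak = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward until it spans at most `window` of time
            peak = max(peak, end - start + 1)
        if peak > limit:
            alerts[card] = peak
    return alerts

if __name__ == "__main__":
    print(impossible_travel(SAMPLE_WITHDRAWALS), velocity_alerts(SAMPLE_WITHDRAWALS))
```

On the constructed sample, CARD-A trips both checks while CARD-B trips neither; on a real usage report the same two functions would surface the duplicated card numbers before a bank-by-bank surveillance request is drafted.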

After reviewing pictures of the suspects making ATM withdrawals near Tallahassee, Florida, the Secret Service noticed one young male who looked like he was college age. The withdrawals were made at an ATM on a college campus. The Secret Service took copies of his pictures to the local banks, including one on-campus branch for students. One of the tellers said, "I know him. He's a student and comes in here often." She could not remember his name, so the agents asked her to call them if he came in again. The very next day, the suspect in the picture went into the bank. Not only did the teller instantly recognize him from the picture, but he was wearing the exact same clothing as he was in the picture. What were the odds?

The teller called the Secret Service agents as soon as the young man entered the bank, and the agents promptly responded. At the bank, they reviewed video surveillance of the suspect and confirmed that it was the same person in their pictures. After obtaining his identifying information, they went to the college campus administration office to confirm that he was a student. The college administrator gave the agents his home address, which was where they found him doing homework — just like any normal college kid. They asked if they could talk with him about something that occurred at the college. Within two weeks he was the first suspect arrested. Who was it? Oleg Alekseev. A search of his home found $57,627 in cash, which was seized by the Secret Service. We still do not know exactly how much he withdrew, because Oleg himself did not know the total.

The Secret Service said Oleg was cooperative, but not immediately. Once Oleg realized there was no doubt that he was on the video, he became more compliant. He explained that he had become friends with someone from Russia named Dmitri Ivanov over the Internet and that the scheme was Dmitri's idea. He told them about months and months of e-mail conversations with Dmitri spent gaining each other's trust and bonding about their Russian roots and desire to get ahead in life. Dmitri had shared his love of computers with Oleg, and described the conditions of his life in Russia, among other things. Oleg told the agents that he still communicated with Dmitri but had not met him. The Secret Service agents asked him if he had saved any of the e-mails so they could look at them, and he said yes but that they were in Russian. The agents called back to headquarters to say they needed forensic specialists to retrieve the computer; they knew not to take it anywhere or even unplug it before it was properly preserved for evidence.

When the Secret Service IT personnel dug around in his computer, they obtained hundreds of e-mails, including deleted ones, that showed the communications between Oleg and Dmitri. Dmitri was very careful to not give out identifying information, so we did not have a reliable way to track him. We knew from the conversations with Oleg that the suspects at ATMs were only mules; they were not the masterminds. Oleg was convinced that because he and Dmitri had become so close and because he looked to Dmitri as a brother, once the agents contacted Dmitri, he would help Oleg out of trouble. But as it would turn out later, Dmitri was just fine leaving Oleg and the others to take the fall.

Oleg told the agents that he kept half of the withdrawals and sent the other half to Dmitri in Russia. Through Oleg, we learned that the counterfeit cardstock used in the debit cards was created by an external source that Dmitri found online. While a legitimate prepaid debit card would have colorful corporate logos, 16-digit account numbers and so forth, the counterfeits were plain white cards that lacked insignias. We learned that they were ordered by the thousands very cheaply and shipped globally. Distribution centers waited for directions regarding what to encode and then shipped the cards to a contact who had multiple addresses. This person then distributed the cards to the mules to begin withdrawing funds.

Remittances to the Motherland

The scheme to get the money back to Russia was interesting but not overly complex. After withdrawing the cash, the mules went to any Bank of America branch and deposited the cash into a previously designated business account. As far as Oleg knew, everyone had been given the same account number. Whatever amount of cash they deposited had to end in 30 cents. For example, if Oleg had withdrawn $20,000 using his fraudulent eTransfer debit card, he would keep half and deposit $10,000.30 into the Bank of America account. The 30-cent deposit indicated to the business account holder that he was to wire the funds to Russia. The business owner was also Russian and had become friends with Dmitri online. The owner had an import/export business, so it was the perfect cover for funds being deposited across the country, as well as for large amounts of money being wired out of the country. The business owner had not met Dmitri nor asked him a lot of questions. He also kept a portion of the funds before wiring them to Russia.

The Secret Service did not have enough evidence to track down Dmitri, so they asked Oleg to continue communicating with him to gather more information. Oleg agreed to cooperate in exchange for possible leniency in his own criminal case.

The Secret Service installed a myriad of tracking software on Oleg's computer, but wanted it to look like Oleg was still just chatting with Dmitri. They had to make conversations appear normal while trying to push a little harder for identifying information. They also had to ensure that Oleg did not tip off Dmitri about the surveillance because they were communicating in Russian. However, by this time Oleg had become very cooperative and wanted to reduce his trouble. He finally realized that Dmitri was not coming to his rescue.

Mixed Results

The agents we were working with suggested topics of conversation for Oleg to engage Dmitri in, and they had him ask about other schemes in which Dmitri may have been involved. They tried to collect enough details about his life to find him, prosecute him for this case and prevent him from committing similar ones in the future. Oleg and Dmitri stayed in contact for months. At one point, agents had narrowed down Dmitri's location to one area in Russia and were working with the Russian equivalent of the Secret Service — the Federal Security Service of the Russian Federation — to gather more evidence.

I had to e-mail the Russian agent numerous times to explain the case, details and loss. Honestly, I had not heard of the Russian agency before, so I looked it up online to see if it was legitimate. The Secret Service agent I was collaborating with assured me that they were the good guys. The Secret Service also met with them in Russia to try to bring about the prosecution of Dmitri. The Russian Federation requested formal written letters from Arch Bank to explain the cause, the loss and why they should get involved. Ultimately, they said that although they wanted to prosecute Dmitri, he had a connection to the government, and they could not proceed. They did not explain the situation to us, and it seemed like something out of an old movie. We had hit a wall.

In August, only 10 months after the crime began, Oleg pleaded guilty to fraudulent use of an access device. He was sentenced to 12 months of incarceration, five years of probation and to pay restitution of $20,000. To date, he has paid about $13,000.

In the 12-month investigation of this crime, it was impossible to track how much time bank personnel, law enforcement, vendors and lawyers across the country and around the world put into the case. The civil side alone cost several hundred thousand dollars in forensics and attorney fees. There were civil and criminal suits. Glenn Copeland was forced to file for bankruptcy to shield himself and his company from further financial costs. He had to lay off several of his employees due to his financial loss, and eTransfer suffered reputational damage in the industry. Arch Bank filed suit against him and eTransfer. It is still too early to determine any outcome in civil court. There was no criminal wrongdoing on the part of Glenn or anyone at eTransfer. They were also seen by the law as victims.

Several hundred people perpetrated this fraud, and we were unable to catch most of them. However, the Secret Service had their first arrest within two weeks, which was amazingly quick work. I cannot say enough positive things about the professionalism and responsiveness of the Secret Service in this situation. The agents obtained pictures of suspects from various banks in the United States and Canada and sent them to various law enforcement agencies to identify other culprits. From the pictures they were able to identify and arrest 12 additional suspects, who either pleaded guilty or were found guilty at trial. But the alleged ring leader, Dmitri Ivanov, is still free. We certainly made our best case to the Federal Security Service of the Russian Federation, but as of this writing, Dmitri is still being protected. Of our initial loss of $5.2 million (not including the additional fees) we have recovered only about $300,000. We do not expect much more restitution than we have already received. Regrettably, in all too many situations like this one, crime pays.

Lessons Learned

I learned that when it comes to technology, nothing is safe. I also learned that through the products and services banks offer, the financial institution can become the victim along with the customer. Although our bank systems were not hacked or even compromised, because our customer was, it placed the burden on us as the processor. We also learned the value of having multiple layers of experts review not only new contracts with customers, vendors and other processors but also review renewed contracts for loopholes. And I was reminded again of the value of networking and knowing the right connections with law enforcement to get a case moving quickly. We also learned the very hard lesson that justice in the United States is not always the same as justice around the world.

About the Author

Chris A. McCulloch, CFE, is a corporate security manager for a midwest bank and has been in fraud investigations since 1997. She is an expert in internal and external fraud prevention and investigations. She has worked in the banking industry since 1986 and has been a board member of the Midwest Financial Fraud Investigators for ten years. Chris has been interviewed as an expert for various media, including TV, newspapers and the Code Red! radio show. She received an FBI commendation in June 2009.
