Skip to content ↓ | Skip to navigation ↓

A hacker has pleaded guilty to a series of targeted ATM attacks that resulted in $55 million worth of damages to the global financial sector.

On Tuesday, Ercan Findikoglu, 34, a Turkish citizen, pleaded guilty in a Brooklyn courthouse to charges of computer intrusion conspiracy, access device fraud conspiracy, and completing transactions via the use of unauthorized access devices, reports the Washington Times.

Ercan “Segate” Findikoglu
Ercan “Segate” Findikoglu (Source: Krebs on Security)

Court documents reveal that Findikoglu, who went by the names “Segate,” “Predator,” and “Oreon” online, masterminded targeted attacks against at least three payment processors, through which they stole various Visa and MasterCard cardholders’ information and significantly increased the withdrawal limits on those customers’ prepaid debit cards.

Together, the criminal ring then abused those stolen PIN numbers to conduct a series of targeted ATM withdrawals around the world.

In one attack, a network of “cashing crews” under Findikoglu’s management made 15,000 ATM withdrawals in over 18 countries using the compromised payment card details back in February 2011. The withdrawal campaign lasted only two days, but it netted the criminals $14 million.

Another attack also occurred over a two-day period, this time in February 2013. In that instance, the group took out $40 million via 36,000 ATM transactions in 24 different countries.

“[The gang] participated in a massive 21st century bank heist that reached across the internet and stretched around the globe,” United States Attorney Lynch said at the time of his arrest. “In the place of guns and masks, this cybercrime organisation used laptops and the Internet. Moving as swiftly as data over the Internet, the organisation worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of ATMs in a matter of hours.”

Findikoglu was ultimately arrested at the Frankfurt Airport in December 2013. Germany’s federal court initially blocked the criminal’s extradition to the United States for about one year due to lower court’s failure to obtain assurances from the United States that Findikoglu would not receive a disproportionate sentence. But by the summer of 2015, the German court had changed its mind and had signed off on the hacker’s extradition.

Shortly after his arrest, Findikoglu faced as many as 250 years in U.S. prison. He now faces a maximum sentence of just 57.5 years, notes Softpedia.