HIGHLY SKILLED HACKERS

Cyber experts said they believe the operation likely required the work of several hundred people, at least several of whom were highly skilled hackers capable of devising ways to penetrate well-protected financial systems.

"Hackers only need to find one vulnerability to cause millions of dollars of damage," said Mark Rasch, a former federal cyber crimes prosecutor, based in Bethesda, Maryland.

Loretta Lynch, United States Attorney for the Eastern District of New York, speaks at a news conference in New York, May 9, 2013. [Phtoo/Agencies]

The group may have targeted Middle Eastern banks because they tend to allow customers to put much larger sums on cards and do not monitor them as closely as banks in other regions, said Shane Shook, global vice president of consulting for the security firm Cylance Inc.

"It's a target-rich environment in terms of soft electronic security," said Shook, an Arabic speaker who has spent more than a decade investigating cyber crimes.

The case is similar to one in 2009 that targeted the prepaid debit-card unit of Royal Bank of Scotland, which lost more than $9 million in less than 12 hours, said Jason Weinstein, a former federal prosecutor who supervised the Justice Department's handling of that case.

That case was considered a watershed moment in cyber crime prosecutions at the time. "This dwarfs that case," he said.

It is not clear if banks can seek to recover losses from card processors, legal experts said. Contracts usually have specific language governing the security protocols that must be in place, said Frederick Rivera, an attorney with Perkins Coie who specializes in financial services litigation.

If the processors failed to follow those requirements, they could be liable for the losses. If they had adequate security, however, the banks "could be left holding the bag," Rivera said.

The banks might also be able to seek reimbursement under their insurance policies, many of which now have cyber crime provisions, or from the processors' insurance carriers.

Weinstein also said that the processors could face regulatory scrutiny over whether they provided proper security.

The eight defendants - all US citizens and residents of Yonkers, New York - were charged with withdrawing cash from the ATMs and transporting money, not hacking into the credit card processing firms or managing the operation.

The seven arrested are: Jael Mejia Collado, Joan Luis Minier Lara, Evan Jose Peña, Jose Familia Reyes, Elvis Rafael Rodriguez, Emir Yasser Yeje and Chung Yu-Holguin (known as "Chino El Abusador"). All except for Rodriguez were arraigned on Thursday and pleaded not guilty. Rodriguez's attorney was unavailable. Only Pena has been released on bail.

The defendant who reportedly had been killed was Alberto Yusi Lajud-Peña, also known as "Prime" and "Albertico." Lynch said it was unclear whether the murder was related to this case.

Prosecutors said cashers often laundered their proceeds by purchasing luxury goods, and sending a portion of the money back to the organization's leaders.

Lynch said the New York gang kept roughly 20 percent of their takes, and sent the rest to the organizers. Authorities said they seized hundreds of thousands of dollars in cash and bank accounts, as well as two Rolex watches and a Mercedes SUV, from the defendants.

Investigators said that they found an email exchange with an account associated with a criminal money laundering operation in St. Petersburg, Russia, describing wire transfers.

An investigation is ongoing to see if other cells are operating in the country, Lynch said, adding that US law enforcement had worked with counterparts in Japan, Canada, Germany, Romania, the United Arab Emirates, Dominican Republic, Mexico, Italy, Spain, Belgium, France, United Kingdom, Latvia, Estonia, Thailand, and Malaysia to uncover the ring.

No individual bank accounts were compromised by the scheme, Lynch said.