In the largest and surely most extraordinary ATM fraud in history, US prosecutors have revealed details of a vast global conspiracy in which thieves were able to exploit out of date card technology to empty cash machines in 27 countries of $45 million (£29 million).
The facts of the case revealed by the authorities in a news conference are so daunting that the established lexicon of cybercrime starts to fail trying to describe it.
The first attack occurred on 22 December last year when criminals compromised an Indian database for pre-paid MasterCard debit cards of a bank in the United Arab Emirates.
This allowed the gang – described as a “virtual criminal flash mob” - to clone magnetic stripe cards so that gang affiliates were able to withdraw around $5 million (£3.2 million) from ATMs across 20 countries in a matter of hours.
A second attack occurred on 19 February 2013 against a US payment processer handling the same UAE bank, which resulted in the loss of a staggering $40 million from ATMs in 20 countries via 36,000 different transactions over a period of hours.
Who carried out the thefts is unclear but the number of participants has been estimated at many hundreds across more than two dozen countries. This is the first unprecedented fact of the case; its size.
A second is the ease with which the criminals were able to target magnetic stripe data to clone bank cards on an industrial scale in a way that would be far more difficult had the banks involved adopted chip-based technology. Why? Chip technology is much harder to clone on this scale.
A hugely significant aspect of the crimes is the way large number of criminals not previously known to one another appear to have colluded across many borders to commit the crimes.
That the losses were from accounts issued by banks and not from individual account holders will be small consolation.
Seven people accused of being involved in one part of the theft – stealing $2.4 million from hundreds of New York ATMs during the US attack in February - have been arrested in the US while an eighth defendant was reported to have been murdered in the Dominican Republic two weeks ago.
“The defendants and their co-conspirators participated in a massive 21st Century bank heist that reached across the internet and stretched around the globe," said Loretta Lynch, US Attorney for the Eastern District of New York.
“In the place of guns and masks, this cybercrime organisation used laptops and the Internet," she added, neatly summarising the way that conventional bank robberies now seem almost quaint by comparison.
The weakness of payment processors as a launchpad for this kind of attack is not new.
One of the most infamous attacks of recent years was the that on RBS subsidiary WorldPay in 2008 by a Russian gang. The similarities with the latest attacks are eery, including the way that stolen data was used to clone cards then used for large number of ATM withdrawals.
The main difference is simply scale; the 2008 attack resulted in losses of $9 million. The perpetrators were arrested by the Russian FSB in 2010 after pleas from the FBI.
"A lot of these attacks would go away by getting rid of the stripe and updating the US payment systems to use the chips," said Kaspersky Lab's Costin Raiu.
"I believe it makes sense for the banks to invest in upgrading the cards in the US and worldwide," he said.
Find your next job with techworld jobs