From a computer terminal in his apartment in St. Petersburg, Russia, a Russian software engineer broke into a Citibank computer system in New York and with several accomplices stole more than $10 million by wiring it to accounts around the world, according to court documents and the U.S. attorney’s office.
Citibank said all but $400,000 of the stolen funds have been recovered. Six hacking suspects have been arrested, including the engineer, Vladimir Levin, who is being held in Britain and is fighting extradition to the United States.
The incident underscores the vulnerability of financial institutions as they come to increasingly rely on electronic transactions. But computer security experts say what is even more notable about the case is that it became public.
“Can it happen? Yes. Does it happen? Yes,” said Eugene Schultz, a computer security expert at SRI International. “But we don’t hear about it because financial institutions are afraid of adverse publicity.” The Citibank case became public as a result of the extradition effort.
Schultz estimates that nearly three dozen cases of computer intruders stealing sums of more than $1 million occur each year in Europe and the United States.
Banks are racing to enable customers to transfer money, pay bills and perform other transactions electronically. But as they seek to promote electronic services--and cut the high costs of running branch offices--they face risks.
The Citibank system that hackers in Russia broke into about a year ago allows corporate customers to electronically transfer money to accounts at other banks. Citibank spokeswoman Amy Dates said the bank’s security system detected the fraudulent transactions, but not in time to notify the banks to which the initial $400,000 had been transferred.
Subsequent transactions were monitored as the FBI sought to trace them back to the perpetrators. Dates said the bank has upgraded it security since discovering the intrusions in June, 1994.
FBI agent Steven Garfinkel says in the court papers that hackers made about 40 transfers totaling more than $10 million between June and October. The money was shifted from Citibank to accounts in Finland, Russia, Germany, the Netherlands, the United States, Israel and Switzerland, Garfinkel said.
At least one of the hackers, who was arrested about a year ago in San Francisco while opening accounts to receive the stolen money, is helping investigators, according to an FBI affidavit unsealed in New York on Friday.
U.S. authorities say that Levin, working from his job as head systems operator at a Russian software company, AO Saturn, figured out how to get around Citibank’s security system. Russian telephone company employees traced the transfers to a telephone at AO Saturn. The U.S. Justice Department wants to charge Levin with conspiracy and fraud.
The Associated Press contributed to this report.