A Pakistani man who participated in two multimillion-dollar ATM heists targeting debit card processors was sentenced in Brooklyn federal court on Friday to 18 months in prison.
Imran Elahi pleaded guilty last year to access device fraud and conspiracy, largely for his involvement in two precision strikes: a $9 million heist in 2008 involving RBS WorldPay and a $14 million hack in 2011 against Fidelity Information Services.
The cybercrimes were strikingly similar to the $45 million global ATM heist that Brooklyn federal prosecutors revealed last month, when U.S. Attorney Loretta Lynch charged eight defendants with using stolen debit cards at thousands of automated teller machines worldwide over a period of hours in a coordinated attack.
That effort involved MasterCard Inc prepaid debit cards issued by Bank Muscat of Oman and National Bank of Ras Al Khaimah PSC, or Rakbank, of the United Arab Emirates.
In court on Friday, prosecutors praised Elahi for immediately waiving extradition upon his arrest in the Netherlands last May and agreeing to cooperate with the government.
Elahi's case was sealed until recently, and details of his cooperation remain under wraps.
Lynch's office has not indicated whether there is any connection between Elahi's assistance and the case in May. The ringleaders of the Middle East heist, and the country in which they are based, have not been charged or publicly identified by authorities.
Assistant U.S. Attorney Cristina Posa said Elahi had provided "significant assistance" to investigators. When asked by U.S. District Judge John Gleeson what sentence seemed appropriate, she said, "If he was to go home to his family this weekend, I wouldn't be bothered by it."
In so-called "unlimited operation" heists, like those Elahi admitted to joining, hackers gain access to the computer systems of payment processors that handled prepaid debit cards for various financial institutions and dramatically increase the available balance and withdrawal limits on a handful of cards.
Co-conspirators in countries around the world then fan out to ATMs and take out money using the stolen debit card numbers in a coordinated global operation.
The operations can net cybercrime rings enormous sums of money in short amounts of time. In the case revealed in May, "casher crews" were able to withdraw $40 million in just over 10 hours.
Authorities said Elahi was responsible for disseminating the debit card numbers to casher crews in Mexico and elsewhere. Between 2005 and 2012, Elahi's activities earned him roughly $250,000 to $300,000.
All told, Elahi's actions victimized more than 350 financial institutions, according to the government.
In sentencing Elahi, Gleeson noted his remorse and the aid he provided to the government. With time served and good behavior, Elahi could be released almost immediately and sent back to Pakistan to rejoin his family.