"The Analyzer" led a major cyberfraud operation

Mar 26, 2009 09:23 GMT

Evidence is piling up against "the Analyzer," an Israeli hacker who was arrested in Canada in September 2008 for hacking into a Canadian credit and debit card issuer and siphoning cash out of the compromised accounts. According to an affidavit (PDF) obtained by Wired, authorities in the U.S. also linked him to several data breach incidents at financial institutions across the country, his actions causing losses of 10 million dollars.

The Analyzer, real name Ehud Tenenbaum, is an Israeli hacker who achieved international fame in 1998, when he was identified as the leader of a gang that hacked into computer systems belonging to the Pentagon, NASA, the U.S. Air Force and Navy, the Israeli Parliament, the Presidency, Hamas, MIT, as well as other U.S. and Israeli universities.

For these actions, Tenenbaum received a six-month suspended prison sentence in Israel, was ordered to perform six months of community service and was fined $18,000. He was subsequently hired by a local company as a security consultant, then moved to France for several years, and entered Canada on a six-month visitor's visa in March 2008.

The 29-year-old hacker set up shop in Montreal, where he started a security consultancy company called Internet Labs Secure. He was arrested by the Canadian authorities in September 2008, along with his fiancee Priscilla Mastrangelo, his business partner Sypros Xenoulis, and one Jean Francois Ralph, on charges of conspiracy to commit and committing access device fraud.

According to the investigators, Tenenbaum hacked into the computer network of Direct Cash Management in Calgary, Alberta, and artificially inflated the balances of pre-paid debit cards acquired by his accomplices. Using the cards, the gang then withdrew around $1.7 million from ATMs across Canada and the U.S.

Tenenbaum's accomplices were released on bail, but the U.S. authorities submitted a provisional warrant to their Canadian counterparts to extend his custody. According to the brief warrant, they were building a strong case against the hacker and intended to pursue extradition. No other details have been disclosed and the case has been sealed in the U.S.

However, Wired obtained an affidavit filed with the Canadian court handling the hacker's case, signed by Darren Hafner, a detective with the Calgary police. The document reflects the extent of Tenenbaum's cybercriminal activities and names several U.S. financial institutions he targeted.

The U.S. Secret Service has linked the Israeli hacker to two data breaches that occurred in January 2008, one at OmniAmerican Credit Union of Fort Worth, Texas, and the other at Global Cash Card in Irvine, California. Two other similar incidents, in May 2008, affecting Symmetrex, a Florida-based transaction processor, and 1st Source Bank in Indiana were also attributed to him.

According to the authorities, these attacks were part of a larger global operation. Tenenbaum broke into the institutions' networks, gained unauthorized access to their ATM databases, extracted credit card information from them and altered bank account records. The details were then passed on to accomplices in foreign countries, who created counterfeit cards that "money mules" subsequently used to withdraw cash from ATMs.

The investigators intercepted traffic, including instant messaging conversations between Tenenbaum and his fellow hackers, from a server hosted at HopOne Internet Corp in McLean, Virginia, that had been used in their operations. The chat sessions revealed that ATMs had been hit in Russia, Turkey, the United States, Canada, Sweden, Bulgaria and Germany, and that "the Analyzer" was receiving 10-20% of the illegal revenue. In one such conversation, he also bragged about hacking into the servers of Alpha Bank, the largest bank in Greece.

The Windows Live ID used in the MSN Messenger conversations was [email protected]. According to logs obtained by the authorities, this e-mail address was accessed from IP addresses assigned to the Montreal office of Internet Labs Secure, Inc., Tenenbaum's company. His real name and birth date had also been used to create the address. Furthermore, the investigators claim, the network of Global Cash Card was accessed from the same IP address.

It is quite intriguing that a hacker of Tenenbaum's caliber would not take the most basic measures to cover his tracks. Darren Hafner thinks this is explained by the arrogance he built up over time. "I think he's probably been getting away with stuff for 10 years. We haven't seen or heard from him since the Pentagon attack. But these guys tend to get this 'cops can't touch me attitude' and then they get sloppy like any criminal in any type of crime," the detective told Wired.

The affidavit mentions a total of $10 million in losses, but the damages reported by the affected U.S. financial institutions only add up to about $4 million. It is not clear where the rest comes from, but in another IM session the hacker allegedly told one of his foreign accomplices that he had earned between "350 - 400" (thousands of dollars or euros) in less than 24 hours from the Symmetrex hack.

If found guilty of all charges, Tenenbaum risks a very lengthy prison sentence, but he is not the most proficient fraudster out there. A November 2008 data breach at the RBS WorldPay payment processor revealed probably the most complex credit card fraud operation ever orchestrated: $9 million was cashed out from 130 ATMs, located in 49 cities across the globe, during a 30-minute window, using only 100 compromised cards whose limits had been raised by the hackers.
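Both the Direct Cash Management case and the RBS WorldPay cash-out described above leave the same two signals for a card issuer or processor to watch: a card balance (or limit) that rises without a funding transaction behind it, and a single card withdrawing in many cities within a short window. The following is an added example, not code from the article or from any of the institutions it names. It reconciles a constructed balance table against its funding ledger and sweeps constructed ATM withdrawal records for geographically dispersed cash-outs; every card identifier, amount, city and threshold in it is invented for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the article). BALANCES is what the card
# back end would serve to ATMs; LEDGER is the independent record of funding
# loads (positive) and spends (negative) that should explain every balance.
BALANCES = {"card-A": 150.00, "card-B": 5000.00, "card-C": 40.00}
LEDGER = [
    ("card-A", 200.00), ("card-A", -50.00),   # loaded 200, spent 50 -> 150, consistent
    ("card-B", 200.00),                        # loaded 200, yet balance table says 5000
    ("card-C", 100.00), ("card-C", -60.00),    # loaded 100, spent 60 -> 40, consistent
]


def ts(text):
    """Parse an ISO-8601 timestamp used in the constructed withdrawal records."""
    return datetime.fromisoformat(text)


# Constructed ATM withdrawal records: (card, time, city of the ATM).
WITHDRAWALS = [
    ("card-A", ts("2008-05-10T09:00:00"), "Calgary"),
    ("card-A", ts("2008-05-10T09:40:00"), "Calgary"),
    ("card-C", ts("2008-05-10T22:00:00"), "Moscow"),
    ("card-C", ts("2008-05-10T22:05:00"), "Istanbul"),
    ("card-C", ts("2008-05-10T22:12:00"), "Sofia"),
    ("card-C", ts("2008-05-10T22:19:00"), "Berlin"),
    ("card-C", ts("2008-05-11T10:00:00"), "Stockholm"),  # next day, outside the window
]


def unfunded_balances(balances, ledger, tolerance=0.01):
    """Return {card: unexplained amount} for cards whose served balance exceeds
    what the funding ledger can account for (a balance edited behind the ledger)."""
    funded = defaultdict(float)
    for card, amount in ledger:
        funded[card] += amount
    flagged = {}
    for card, balance in balances.items():
        gap = balance - funded.get(card, 0.0)
        if gap > tolerance:
            flagged[card] = round(gap, 2)
    return flagged


def dispersed_cashouts(withdrawals, window=timedelta(minutes=30), min_cities=3):
    """Return {card: set of cities} for cards that withdrew in at least
    min_cities distinct cities inside any sliding time window of length window."""
    by_card = defaultdict(list)
    for card, when, city in withdrawals:
        by_card[card].append((when, city))
    flagged = {}
    for card, events in by_card.items():
        events.sort()  # chronological, so each window starts at one event
        for i, (start, _) in enumerate(events):
            cities = {city for when, city in events[i:] if when - start <= window}
            # keep the widest set of cities seen for this card across all windows
            if len(cities) >= min_cities and len(cities) > len(flagged.get(card, ())):
                flagged[card] = cities
    return flagged


if __name__ == "__main__":
    print("balance/ledger mismatches:", unfunded_balances(BALANCES, LEDGER))
    print("dispersed cash-outs:", dispersed_cashouts(WITHDRAWALS))
```

On the constructed data, `unfunded_balances` reports card-B with $4,800 that no load explains, and `dispersed_cashouts` reports card-C for four cities in under twenty minutes while card-A's two same-city withdrawals stay quiet. The reconciliation check only works if the ledger is written by a path the card database's own administrators cannot rewrite, which is the design point the Direct Cash Management inflation makes.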