‘The Analyzer’ Pleads Guilty in $10 Million Bank-Hacking Case
By Kim Zetter • Wired.com
Ehud Tenenbaum, aka “The Analyzer,” quietly pleaded guilty in New York last week to a single count of bank-card fraud for his role in a sophisticated computer-hacking scheme that federal officials say scored $10 million from U.S. banks.
The Israeli hacker was arrested in Canada last year for allegedly stealing about $1.5 million from Canadian banks. But before Canadian authorities could prosecute him, U.S. officials filed an extradition request to bring him to the States.
Prosecutors alleged in an extradition affidavit that Tenenbaum hacked into two U.S. banks, a credit- and debit-card distribution company and a payment processor, in what they called a global “cash-out” conspiracy. But he was only charged with one count of conspiracy to commit access-device fraud and one count of access-device fraud.
Tenenbaum is set to be sentenced Nov. 19, and he faces a maximum of 15 years in prison. Prosecutors declined to comment on the case or describe the details of his plea agreement. The second count in the indictment, charging conspiracy, appears to have been dropped.
The Analyzer’s mother, Malka Tenenbaum, told Threat Level from Israel that she had no idea her son had pleaded guilty. “I don’t know what to think,” she said. “I hope that all is OK.”
The hacker’s attorneys did not respond to a call for comment.
Authorities have previously said the scheme Tenenbaum allegedly masterminded resulted in at least $10 million in losses, according to court records obtained by Threat Level, and was just part of a larger international conspiracy to hack financial institutions in the United States and abroad.
The guilty plea brings to a close a long chapter in hacker history.
Tenenbaum, 29, made headlines a decade ago under his hacker handle “The Analyzer,” when he was arrested in 1998 at the age of 19, along with several other Israelis and two California teens in one of the first high-profile hacker cases that made international news.
The teens were accused of penetrating Pentagon computers and other networks. Israel’s then-prime minister Benjamin Netanyahu had called Tenenbaum “damn good” after learning of his deeds, but also “very dangerous, too.”
Israeli law enforcement opted to prosecute Tenenbaum instead of extraditing him to the United States to face charges. He was eventually sentenced in 2001 to six months of community service in Israel. By then, he was working as a computer-security consultant.
Malka Tenenbaum told Threat Level in a previous conversation that she believed the United States was harboring a decade-old grudge against her son, and was pursuing him now because authorities here weren’t able to prosecute him previously.
Tenenbaum had been living in France recently, and had only been in Canada about five months on a six-month visitor’s permit when police in Calgary arrested him last August. He and three alleged accomplices were charged with hacking into Direct Cash Management, a Calgary company that distributes prepaid debit and credit cards. A Canadian court set bail at CN$30,000 ($27,600), but before he could be released from jail, U.S. authorities swooped in with a provisional warrant to retain him in custody while they pursued an indictment and extradition.
“I think he’s probably been getting away with stuff for 10 years,” Darren Hafner, an acting detective with the Calgary police, said at the time. “We haven’t seen or heard from him since the Pentagon attack. But these guys tend to get this ‘cops can’t touch me attitude’ and then they get sloppy like any criminal in any type of crime.”
Documents in the U.S. case were sealed, but Threat Level obtained an affidavit filed with the Canadian court detailing the U.S. allegations.
According to the affidavit, in October 2007, the U.S. Secret Service began investigating “an international conspiracy” to hack into computer networks of U.S. financial institutions and other businesses. As part of that investigation, agents examined network intrusions that occurred in January and February 2008 at OmniAmerican Credit Union, based in Fort Worth, Texas, and Global Cash Card of Irvine, California, a distributor of prepaid debit cards used primarily for payroll payments.
In both cases, the attacker gained access using a SQL injection attack that exploited a vulnerability in the company’s database software. The attacker grabbed credit- and debit-card numbers that were then used by thieves in several countries to withdraw more than $1 million from ATMs.
In April and May 2008, agents investigated two additional hacks at 1st Source Bank in Indiana, and at Symmetrex, a prepaid-debit-card processor based in Florida. The intruder again used a SQL injection attack, and losses added up to more than $3 million.
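The two paragraphs above attribute all four intrusions to SQL injection. As an added illustration (not code from the article, the affidavit, or any of the companies named), the following Python script contrasts a query built by string formatting with the same query using a bound parameter, against a constructed in-memory SQLite table of made-up card records. The table, the holder names, the card numbers and the function names are all assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a card table of the kind the
# affidavit describes. The card numbers are invented placeholders, not
# real account numbers.
SAMPLE_ROWS = [
    ("alice", "4000000000000001"),
    ("bob",   "4000000000000002"),
    ("carol", "4000000000000003"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (holder TEXT, pan TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, holder):
    """Look up a card holder by splicing the input straight into the SQL.

    Whatever the caller supplies becomes part of the statement text, so a
    value containing quotes or operators rewrites the WHERE clause instead
    of being compared against it. This is the defect the attack relies on.
    """
    sql = "SELECT holder, pan FROM cards WHERE holder = '%s'" % holder
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, holder):
    """Same lookup with a bound parameter.

    The driver sends the value separately from the statement, so it can
    only ever be compared against the holder column; it cannot change the
    query's structure no matter what characters it contains.
    """
    sql = "SELECT holder, pan FROM cards WHERE holder = ?"
    return conn.execute(sql, (holder,)).fetchall()


# A textbook input that turns the spliced WHERE clause into an always-true
# condition. Used here only to show the difference between the two paths.
TAUTOLOGY_INPUT = "x' OR '1'='1"


def demo():
    """Return row counts for each path so the difference is measurable."""
    conn = make_db()
    return {
        # Spliced query: the condition becomes holder = 'x' OR '1'='1',
        # which matches every row in the table.
        "vulnerable_rows": len(lookup_vulnerable(conn, TAUTOLOGY_INPUT)),
        # Bound parameter: no holder is literally named "x' OR '1'='1".
        "parameterized_rows": len(lookup_parameterized(conn, TAUTOLOGY_INPUT)),
        # Ordinary lookup still works as intended on the safe path.
        "normal_rows": len(lookup_parameterized(conn, "bob")),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count}")
```

Running the script shows the spliced query returning the whole table for a single crafted input while the parameterized version returns nothing for it and exactly one row for a legitimate name. The mitigation is the same in any driver or ORM: never concatenate untrusted input into statement text, and treat any database-facing code that does so as a finding regardless of what the input is expected to look like.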
Investigators traced the intrusions to several servers belonging to HopOne Internet in McLean, Virginia, which turned out to be just a routing point for an attack that originated from servers at the Dutch web hosting company LeaseWeb — one of the largest hosting companies in Europe.
U.S. officials asked Dutch law-enforcement agents on April 7, 2008, to track “all computer traffic pertaining to three servers hosted by LeaseWeb” and intercept “the content of that traffic” for 30 days, according to the affidavit. The interception request was renewed for another 30 days on May 9.
Among the wiretapped traffic, authorities found communications that allegedly occurred between Tenenbaum — using the e-mail address Analyzer22@hotmail.com — and other known hackers discussing the breaches into the four U.S. institutions, “as well as many other U.S. and foreign financial institutions.”
In one instant message chat in April 2008, Tenenbaum allegedly discussed trying to hack into Global Cash Card again after system administrators at the company apparently locked him out following an initial intrusion.
“Yesterday I rechecked [Global Cash Card]. They are still blocking everything,” he allegedly wrote. “So we can’t hack them again.”
Authorities say Tenenbaum on April 18, 2008, gave a co-conspirator the compromised debit- and credit-card account numbers of more than 150 accounts taken from Symmetrex as well as the computer commands he’d used to execute the attack. Then, throughout the night of April 20, he received updates from accomplices in Russia and Turkey as they successfully withdrew cash from ATMs, and from Pakistan and Italy where the cards apparently failed to work.
The next day, more cards were used in Bulgaria, Canada, Germany, Sweden and the United States. By late afternoon that day, Tenenbaum told an accomplice he’d racked up about “350 - 400” in earnings. The affidavit notes that this likely referred to thousands of dollars or thousands of euros.
Tenenbaum allegedly gave an accomplice additional cards in an April 20 chat and asked the accomplice to find a “casher” — the underground’s term for the low-level worker whose only job is to withdraw the loot.
“I am making a small operation, you have casher?” he allegedly wrote. “I been trying to get a hold of you. I saved for you 25 cards, each one $1,500 limit. Get casher as soon as possible. OK, I will load them.”
According to authorities, after Tenenbaum got into the 1st Source Bank network, he obtained administrator privileges that allowed him to view credit card numbers and ATM output. In doing so, he apparently ran into other hackers who were already in the system trying to execute shell commands.
“Is HUGE,” he allegedly wrote an accomplice. “I saw ATM outputs, tons of cards. I am admin there, and I already cracked some of the domain.”
His accomplice replied that there were already people inside the network and asked Tenenbaum to get out. Tenenbaum replied, “Dude, like I told ya. It’s [Microsoft] Windows network. I am happy I could help you to get shell there. Now it’s your guys’ job.”
About a month later, Tenenbaum allegedly disclosed that he’d hacked Alpha Bank in Greece, the country’s second largest commercial bank, where he said friends of his worked.
Despite Tenenbaum’s earlier notoriety as The Analyzer, he apparently made no attempt to hide his real identity, using an e-mail address with a name that was previously tied to him, as well as an IP address that was easily connected to him.
“He’s a really intelligent guy, but I think he’s just got this cocky attitude that ‘no one can get me,’” Hafner told Threat Level. As a result, he says, Tenenbaum made a lot of telling missteps.
According to the affidavit, the subscriber information for the Hotmail account that was used to discuss the hacks was registered under Tenenbaum’s real name and birth date. Hafner also told Threat Level that Tenenbaum was caught on an ATM surveillance camera withdrawing funds from one of the compromised Canadian accounts.
Tenenbaum was director of a computer security company called Internet Labs Secure that he ran out of Montreal. U.S. authorities found that someone using an IP address registered to his company accessed the Hotmail account, and also used it to access the Global Cash Card network to check the balances of compromised cards and attempt to increase the limits on the accounts. Someone used a second IP address associated with Tenenbaum to access Global Cash Card and “download a file containing all of that compromised computer’s data,” according to the affidavit.
A spokesman for Symmetrex (which was owned at the time of the hack by Britain-based Altair Financial Services) had no knowledge of the breach when Threat Level contacted the company last March. But he said Symmetrex processes about 500,000 debit transactions a month for prepaid payroll and gift cards, and claimed the company was compliant with the PCI security standards that financial institutions say protect them from such intrusions.
Symmetrex was the third card-processing company known to have been hacked within the course of a year. RBS Worldpay, a U.S. payment-processing division owned by the Royal Bank of Scotland, announced last December that it had been hacked in November, and that information on 1.5 million cardholders was compromised. Heartland Payment Systems announced earlier this year that it also had been hacked sometime last year.
The affidavit detailing the charges against Tenenbaum says investigators have attributed $10 million in losses to the hacking spree, though it attributes only $1 million in losses to the OmniAmerican and Global Cash Card hacks, and $3 million to the 1st Source Bank and Symmetrex hacks.
It’s not clear where the remaining $6 million in alleged losses come from, and the U.S. Attorney’s office in the Eastern District of New York, where Tenenbaum was charged, was unable to account for the discrepancy in the totals.
Ehud Tenenbaum, then 18, sits in his father’s car outside a police station near Tel Aviv, Israel, in 1998.