A bloodless bank heist that netted more than $45 million has left even cybercrime experts impressed by the technical sophistication, if not the virtue, of the con artists who pulled off a remarkable internationally organised attack.
"It was pretty ingenious," Pace University computer science professor Darren Hayes said on Friday.
On the creative side of the heist, a small team of highly skilled hackers penetrated bank systems, erased withdrawal limits on prepaid debit cards and stole account numbers.
On the crude end, criminals used handheld devices to change the information on the magnetic strips of old hotel key cards, used credit cards and depleted debit cards.
Seven people were arrested in the US, accused of operating the New York cell of what prosecutors said was a network that carried out thefts at ATMs in 27 countries from Canada to Russia.
Law enforcement agencies from more than a dozen nations were involved in the investigation, which was being led by the Secret Service.
Here's how it worked:
First, the hackers, quite possibly insiders, broke into computer records at a few credit card processing companies, first in India and then the US. This has happened before but here's what was new: They didn't just take information.
They actually raised the limit on prepaid debit cards kept in reserves at two large banks.
"It's pretty scary if you think about it. They changed the account balances. That's like the holy grail for a thief," said Chris Wysopal, co-founder of security company Veracode.
The next step was technically simpler, almost an arts-and-crafts activity.