Nearly 25 years on from the first bank robbery of the technological age

Mirella Grierson-Ryrie

25 October 2018

first bank robbery

In 1994, New York’s Citibank became the first large scale target for online bank robbery. Having noticed $400,000 missing from their accounts, the FBI opened their first cybercrime case. Over a four-month period, the FBI saw over $10 million in funds illegally transferred from Citibank’s accounts to personal offshore bank accounts. It was all traced back to St. Petersburg based Russian national Vladimir Levin and his 6 accomplices. Levin was sentenced to 3 years’ imprisonment by US judge Michael B. Mukasey.

The FBI witnessed 40 illegal transactions over a four-month period totaling more than 10 million. They traced the accounts to a Russian national couple Korlokova who were working for Levin. The couple were arrested and between the Russian and US authorities, evidence was gathered against Levin and he was lured to the UK in 1995 where he was arrested.

30 months later Levin was extradited to the US where he was trailed and plead guilty to conspiracy and fraud in 1998. Levin and his team targeted Citibank’s cash management computer system used by corporate clients by manipulating telecommunications networks and retrieving then current user ID’s and passwords, gaining them access into the system and transferring millions into personal bank accounts across the globe.

Details of Levin’s legal trail are patchy. Levin resisted extradition for 30 months before losing and finally being sent to New York for trial. The extradition and actual charges at the time still underscore legal problems encountered with the multi-jurisdictional nature of cybercrimes. At a time of limited cybercrime legislation, US judge Michael B. Mukasey sentenced Levin, who was charged with conspiracy and fraud under white collar crime, to 3 years’ imprisonment and took Levin’s 30 months into consideration.

Citibank recovered all funds aside from the initial $400,000 and Levin was ordered to pay $240,015 directly to Citibank. Four of Levin’s accomplices pleaded guiltily to conspiracy to commit bank fraud and served various different sentences.

This incident showcased the lack of relevant cybercrime laws in place. Very few laws pertained to this type of crime, so few that Levin was charged under white collar crime not cybercrime. After this case, in 1994 the 1984 computer Fraud and Abuse Act was revised. The Act applies to federal, bank and computers connected to the internet. The Wiretap Act of 1968 which prohibits using illegal intercepted material should been used to punish Levin with up to five years’ imprisonment.

Looking at the case and the sentence given today it seems absurd. There are multiple components missing from the legal trail which we can put down to the lack of experience and relevant legislation at the time. Levin’s attorney argued that none of the transactions technically passed through New York as Citibank’s computer system was in New Jersey, highlighting the issue of where international cybercrimes should be trialed.

Levin was very lightly charged and more should have been done, however the FBI at the time did not even have a specific cybercrime unit and the lack of legislation meant that Levin got off lightly. A longer sentence was given to Kevin Mitchnick three years’ prior for stealing 2000 credit cards.

For the time, and this being deemed the first online bank robbery, it is foreseeable how Levin got away with a short sentence. However frustrating this may seem, this case proved essential for the beginning of the cybercrime protection and legislation we have today.

The case marked a major change for all financial institutions. Citibank were courageously honest and public with the case which triggered much needed global reconsideration for financial industries’ security measures. At a time where electronic transactions were being rapidly pushed for by banks and as customers moved towards this, institutions were forced to put protective measures in place.

Unsurprisingly, Citibank lost over 20 of their top clients which highlighted how damaging cybercrime can be, not just for immediate monetary losses but also for long term loss of clientele. Immediately after this hacking incident Citibank implemented a credit-card like smart card that is encoded with an electronic signature unique to the user to finalize an online transaction and was similar to what we have today.

The case was fundamental for the FBI to create and realize the pressing need for not only serious legislation but also a cybercrime unit and it quickly created one.

Much new legislation arose from the case including the amendment of the federal computer fraud and abuse statute and related federal criminal laws such as the computer fraud and abuse act which outlaws conduct that victimizes computer systems, intimately shields computers from trespassing, threats, damage espionage and from being corruptly used as instruments of fraud.

In sum, there were clear holes at the time in order to deal with cybercrime appropriately, the solution was to create more legislation and authoritative bodies around this for example internally Citibank hired Stephen R. Katz as the banking industry’s first Chief Information Security Officer.

Although the outcome of Levin’s trail was frustratingly light, we can mark this case as a serious turning point in the way that the public, financial institutions and the law had to change to protect the constantly upcoming technological age. Nearly 25 years on, it is safe to say that Levin, now known as one of the best hackers of all time, had a lucky escape in his sentencing and the immense legislation in place nowadays would have sentenced him much more harshly.