In our last column, we wrote about dangers posed to corporations and law firms by cyber attacks from hackers who secretly take control of host computers.1 In this column, we describe “Unlimited Operations,” a narrower but no less insidious form of cyber attack that poses a particular threat to financial institutions. In a typical unlimited operation, hackers remove security features from bank accounts, increase balances, and then provide teams of “cashing crews” with account information that allows them to make mass ATM withdrawals from the compromised accounts. The lack of security features and increased account balances allow the cashing crews to withdraw money from ATM branches all over the world in amounts far greater than typical withdrawal limits.

While the dangers are especially acute for international banks, the technology could also apply to any corporation that issues any form of credit or debit card—even gift cards. These attacks also use payment processors and vendors as a means to access the card issuer, thus creating potential liability and litigation risk for a variety of corporations.

Our last column described the FBI's most-wanted cyber criminal, Evgeniy Bogachev, who is wanted for orchestrating cyber attacks that are believed to have caused hundreds of millions of dollars in damages. Bogachev is still at large, but the FBI's second most wanted cyber criminal has not been as elusive. On June 24, 2015, the U.S. Attorney's Office for the Eastern District of New York announced the extradition and unsealing of an indictment against Ercan Findikoglu, who is charged with orchestrating a cyber attack that allegedly succeeded in stealing $55 million from a number of banks.2 The methods purportedly used by Findikoglu and a diffuse network of conspirators pose a threat to banks and a variety of other corporations.