Ehud Tenenbaum, aka “The Analyzer,” was quietly sentenced in New York this week to time served for a single count of bank-card fraud for his role in a sophisticated computer-hacking scheme that federal officials say scored $10 million from U.S. banks.
He was also ordered to pay restitution in the amount of $503,000 and was given three years probation.
The notorious Israeli hacker seemed to disappear after his 2008 arrest in Canada for his alleged involvement in a scheme that stole about $1.5 million from Canadian banks. Before Canadian authorities could prosecute him, U.S. officials filed an extradition request to bring him to the States, where he was in the custody of the U.S. Marshals Service for more than a year.
But after a sentencing hearing scheduled for 2009 was canceled, Tenenbaum’s case seemed to languish with little activity, until a notice about a new sentencing hearing scheduled for last November appeared in the federal court system, and U.S. District Judge Edward R. Korman formally filed his sentencing order this week.
It’s not clear how long Tenenbaum was in custody after he was extradited. The U.S. Marshal Service told Threat Level in August 2010 that he’d been released on bond in March of that year, after Tenenbaum had agreed to plead guilty on the access device charge. The sequence of events, the lengthy time that the case remained inactive, and the quiet sentencing suggest that part of the plea agreement may have involved cooperation with authorities, something that is a condition of many plea agreements that involve hacking and bank fraud.
All that’s known about Tenenbaum’s case appeared in an extradition affidavit that U.S. prosecutors filed in 2008 with Canadian officials. According to that document, Tenenbaum hacked into two U.S. banks, a credit- and debit-card distribution company and a payment processor, in what they called a global “cash-out” conspiracy. Authorities said the scheme resulted in at least $10 million in losses and were part of a larger international conspiracy to hack financial institutions in the United States and abroad.
Tenenbaum was charged in the U.S. with one count of conspiracy to commit access-device fraud and one count of access-device fraud, but the conspiracy charge was later dropped. He pleaded guilty in 2009 to the access-device charge.
Tenenbaum made headlines a decade ago under his hacker handle “The Analyzer,” when he was arrested in 1998 at the age of 19, along with several other Israelis and two California teens in one of the first high-profile hacker cases, dubbed Operation Solar Sunrise, that made international news.
The teens were accused of penetrating Pentagon computers and other networks. Israel’s then-prime minister Benjamin Netanyahu called Tenenbaum “damn good” after learning of his deeds, but also “very dangerous, too.”
Israeli law enforcement opted to prosecute Tenenbaum instead of extraditing him to the U.S. to face charges. He was eventually sentenced in 2001 to six months of community service in Israel. By then, he was working as a computer-security consultant.
At the time of his arrest in Canada in 2008, Tenenbaum had been living in France, and had only been in Canada about five months on a six-month visitor’s permit when police in Calgary arrested him. He and three alleged accomplices were charged with hacking into Direct Cash Management, a Calgary company that distributes prepaid debit and credit cards. A Canadian court set bail at CN$30,000 ($27,600), but before Tenenbaum could be released from jail in Canada, U.S. authorities swooped in with a provisional warrant to retain him in custody while they pursued an indictment and extradition.
“I think he’s probably been getting away with stuff for 10 years,” Darren Hafner, an acting detective with the Calgary police, said at the time. “We haven’t seen or heard from him since the Pentagon attack. But these guys tend to get this ‘cops can’t touch me attitude’ and then they get sloppy like any criminal in any type of crime.”
According to an affidavit filed by U.S. authorities in Canada, the U.S. Secret Service began investigating “an international conspiracy” to hack into computer networks of U.S. financial institutions and other businesses in October 2007. As part of that investigation, agents examined network intrusions that occurred in January and February 2008 at OmniAmerican Credit Union, based in Fort Worth, Texas, and Global Cash Card of Irvine, California, a distributor of prepaid debit cards used primarily for payroll payments.
In both cases, the attacker gained access using a SQL injection attack that exploited a vulnerability in the company’s database software. The attacker grabbed credit- and debit-card numbers that were then used by thieves in several countries to withdraw more than $1 million from ATMs.
In April and May 2008, agents investigated two additional hacks at 1st Source Bank in Indiana, and at Symmetrex, a prepaid-debit-card processor based in Florida. The intruder again used SQL injection attacks, and losses added up to more than $3 million.
Investigators traced the intrusions to several servers belonging to HopOne Internet in McLean, Virginia, which turned out to be just a routing point for an attack that originated from servers at the Dutch web hosting company LeaseWeb — one of the largest hosting companies in Europe.
U.S. officials asked Dutch law-enforcement agents On April 7, 2008, to track “all computer traffic pertaining to three servers hosted by LeaseWeb” and intercept “the content of that traffic” for 30 days, according to the affidavit. The interception request was renewed for another 30 days on May 9.
Among the wiretapped traffic, authorities found communications that allegedly occurred between Tenenbaum — using the e-mail address [email protected] — and other known hackers, discussing the breaches into the four U.S. institutions, “as well as many other U.S. and foreign financial institutions.”
In one instant message chat in April 2008, Tenenbaum allegedly discussed trying to hack into Global Cash Card after system administrators at the company apparently locked him out from an initial intrusion.
“Yesterday I rechecked [Global Cash Card]. They are still blocking everything,” he allegedly wrote. “So we can’t hack them again.”
Authorities say Tenenbaum gave a co-conspirator the compromised debit- and credit-card account numbers of more than 150 accounts taken from Symmetrex as well as the computer commands he’d used to execute the attack. Then, throughout the night of April 20, 2008, he received updates from accomplices in Russia and Turkey as they successfully withdrew cash from ATMs, and from Pakistan and Italy where the cards apparently failed to work.
The next day, more cards were used in Bulgaria, Canada, Germany, Sweden and the United States. By late afternoon that day, Tenenbaum told an accomplice he’d racked up about “350 – 400″ in earnings. The affidavit notes that this likely referred to thousands of dollars or thousands of euros.
Tenenbaum allegedly gave an accomplice additional cards in an April 20 chat and asked the accomplice to find a “casher” — the underground’s term for the low-level worker whose only job is to withdraw loot.
“I am making a small operation, you have casher?” he allegedly wrote. “I been trying to get a hold of you. I saved for you 25 cards, each one $1,500 limit. Get casher as soon as possible. OK, I will load them.”
According to authorities, after Tenenbaum got into the 1st Source Bank network, he obtained administrator privileges that allowed him to view credit card numbers and ATM output. This latter activity apparently collided with other hackers who were in the system trying to execute shell commands.
“Is HUGE,” he allegedly wrote an accomplice. “I saw ATM outputs, tons of cards. I am admin there, and I already cracked some of the domain.”
His accomplice replied that there were already people inside the network and asked Tenenbaum to get out. Tenenbaum replied, “Dude, like I told ya. It’s [Microsoft] Windows network. I am happy I could help you to get shell there. Now it’s your guys’ job.”
About a month later, Tenenbaum allegedly disclosed that he’d hacked Alpha Bank in Greece, the country’s second largest commercial bank, where he said friends of his worked.
Despite Tenenbaum’s earlier notoriety as The Analyzer, he apparently made no attempt to hide his real identity, using an e-mail address with a name that was previously tied to him, as well as an IP address that was easily connected to him.
“He’s a really intelligent guy, but I think he’s just got this cocky attitude that ‘no one can get me,’” Hafner told Threat Level in 2008. As a result, he says, Tenenbaum made a lot of telling missteps.
According to the affidavit, the subscriber information for the Hotmail account that was used to discuss the hacks was registered under Tenenbaum’s real name and birth date. Hafner also told Threat Level that Tenenbaum was caught on an ATM surveillance camera withdrawing funds from one of the compromised Canadian accounts.
Tenenbaum was director of a computer security company called Internet Labs Secure that he ran out of Montreal. U.S. authorities found that someone using an IP address registered to his company accessed the Hotmail account, and also used it to access the Global Cash Card network to check the balances of compromised cards and attempt to increase the limits on the accounts. Someone used a second IP address associated with Tenenbaum to access Global Cash Card and “download a file containing all of that compromised computer’s data,” according to the affidavit.
The affidavit detailing the charges against Tenenbaum said investigators attributed $10 million in losses to the hacking spree, though it attributed only $1 million in losses to the OmniAmerican and Global Cash Card hacks, and $3 million to the 1st Source Bank and Symmetrex hacks.
It’s not clear where the remaining $6 million in alleged losses come from, and the U.S. Attorney’s office in the Eastern District of New York, where Tenenbaum was charged, was unable to account for the discrepancy in the totals when asked by Threat Level.
Photo: Ehud Tenenbaum, then 18, sits in his father’s car outside a police station near Tel Aviv, Israel, in 1998. Nati Harnik/AP