Russia has quietly arrested several suspects in one of the world’s worst cyberbank heists, raising hopes of a previously unseen level of official co-operation in a country that has been a haven for criminals.

The Russian Federal Security Service (FSB) detained suspects including Viktor Pleshchuk, one of the alleged masterminds behind a £6m (€6.6m, $9m) attack on the payment processing unit of the Royal Bank of Scotland, people familiar with the inquiry told the Financial Times.

The FSB asked the Federal Bureau of Investigation in the US, which has made the probe one of its top international priorities, to keep silent on the arrests to avoid scaring other targets in Russia into covering their tracks. The FSB, FBI and the US justice department declined interview requests, while the bank said only that it was continuing to work with authorities.

“I believe we are embarking on a new era of genuine co-operation with Russian authorities,” said Don Jackson, a cybersecurity expert with SecureWorks in Atlanta who has documented shortcomings of Russian law enforcement.

RBS WorldPay, the payment processor, is also based in Atlanta. A US grand jury there indicted Mr Pleshchuk in November, along with Sergei Tsurikov, an Estonian, and Oleg Covelin of Moldova.

At the time a federal prosecutor said the probe had “broken the back of one of the most sophisticated computer hacking rings in the world”.

Allegedly led by Mr Pleshchuk and Mr Tsurikov, the group broke RBS encryption protecting the data associated with payroll debit cards distributed to employees of customer companies and used to draw down salaries. Counterfeit versions of the cards were used in a 12-hour period in late 2008 to withdraw cash from 2,100 ATMs in 280 cities, the indictment said.

US authorities said last year they had received co-operation in the case from other countries, including Estonia, which noticed suspicious withdrawals from cashpoint machines in Tallinn, then arrested Mr Tsurikov and arranged for his extradition.

Russian law forbids extradition of the country’s citizens, and it is unclear how severe the penalties would be for Mr Pleshchuk if he should be convicted there. It is also unknown whether the St Petersburg hacker was part of an established cybercrime gang that had been protected by officials.

Some Russian individuals and criminal groups have been able to deflect investigations through political connections while allowing their equipment to be used against opponents of the Kremlin.

US and UK officials have long been frustrated by their inability to make progress in Russia.

Two of the biggest US identity theft indictments in the past decade – against the “carding” group ShadowCrew and Albert Gonzalez, a hacker accused of stealing data for 40m credit and debit cards – alleged Russian involvement. Nobody has been arrested.

The few Russian nationals that have been apprehended were lured overseas or caught by friendly governments while on holiday. But that has not always furthered official co-operation.

Michael Schuler, an FBI agent, conned two Russian suspects into flying to Seattle in 2000, where they were arrested. But Russian authorities then said they were investigating Mr Schuler for his unauthorised remote searches of the hackers’ computers on Russian soil.

Western authorities had been loath to fault Russia publicly as they continued to seek better relations. People familiar with the matter said the FBI believed it had improved relations in the past year by putting less emphasis on ties to the MVD, Russia’s main national law enforcement body, and going directly to the FSB.

This, the successor to the KGB spy agency, is the most powerful bureaucracy in the country. Even the FBI is unsure what ultimately broke the logjam and produced the first significant arrests in what the US agency hopes will be the start of co-operative efforts.

But Mr Jackson and other private researchers noted that Russian cybergangs, facing increasing competition from each other and from organised criminals elsewhere, had released programmes designed to steal money from Russian bank accounts as well as those abroad.

“Russian cybercriminals no longer follow hands-off rules when it comes to motherland targets, and Russian authorities are beginning to drop the laisser faire policy towards these cybercriminals,” Mr Jackson said.

Additional reporting by Charles Clover in Moscow

Copyright The Financial Times Limited 2022. All rights reserved.