The Real Story of Citibank’s $10M Hack

Take one hand — maybe an extra finger, but that’s it — and you can count with it the number of hackers in history who have such a reputation, such an aura around them as Vladimir Levin.

Perhaps Levin’s mystique begins with his image. Unlike the other notorious hackers of decades past — Mitnick, McKinnon, Lamo, and so on — only two photographs of Levin exist on the internet. They’re both grainy, black-and-white headshots that look like they were taken in the 1930s.

In the latter of the two, he looks a bit like young Stalin without the facial hair: handsome — a lean face with a wide nose, thick lips, eyebrows that don’t quite go all the way — and quite clean-cut, with dark, neatly parted hair, and dark, arresting eyes.

These photos would’ve been taken in the 80s or 90s, but the aesthetic — and his cold, emotionless expressions — gives him an air of an historical figure. You can imagine one of these photos in an encyclopedia, or hanging on the wall of a museum.

Indeed, in the media he is presented as a figure of historical significance. It’s often said that the then-27-year-old St. Petersburg-based software systems operator was the “first online bank robber.” He makes an appearance on many lists of the “top 10 greatest hackers” or “biggest cyber attacks of all time.” But if you read about him for more than a few minutes you might find that unlike the Mitnicks, McKinnons, and Lamos of the world, seemingly every account of his story is just a paragraph or two long.

Levin, as is often told, worked with a crew of Russian criminals to break into Citibank’s computer systems, and steal 10.7 million dollars. It was a remarkable feat, yet the exact details, you’ll find, tend to be glossed over. There’s information about his capture and sentencing, but precious little about the attack itself, besides some uncorroborated hearsay, unless you go way, way back.

In a Russian-language blog post from 2005, only accessible today via the Internet Archive, an individual who actually, likely, knew the story firsthand, expressed his frustration at how the Levin story has been recorded in history.

“[ArkanoiD] I have already made several attempts to tell this story one way or another – and each time it was monstrously distorted. In particular, I am especially irritated by the fact that every (!) time when I happened to give an interview, the journalists in the final editorial office – who “for technical reasons” “forgot” to show me – decided to “simplify” my story.”

The “true” tale of Levin’s infamous hack, he claimed, had been mangled by journalists only interested in presenting it for optimal consumption. For example, Levin himself? He wasn’t even a hacker — or, for that matter, anything else he was reported to be by members of the press.

“[ArkanoiD] The man who was referred to in the press as a brilliant hacker, programmer, mathematician and biotechnologist, was no more known in relevant circles as a hacker than as a mathematician, programmer or biotechnologist.”

As one Minsk-based computer company reported, Levin didn’t even know enough English to hack an American IT network. Plus, after his arrest…

“[ArkanoiD] The FBI’s attempts to engage him as an information security consultant revealed his complete incompetence in these matters.”

Now, in his own words, the writer — “ArkanoiD” — would explain the truth of Levin’s story.

Of course, you may be asking: why trust the account of an anonymous, Russian hacker?

Well, let’s start with his motives. Journalists, he explained, had been in the habit of attributing the wrong acts to the wrong people — for example:

“[ArkanoiD] [To those who say] I was the person who sold Levin the materials of the research group. I would like to say “God is their judge,” but, being far from the Christian religion, I will instead say – spit in the face of this scum. Such an accusation calls into question not only my professionalism, but even my possession of basic common sense.”

Later on, you’ll understand not just the general sentiment, but the full scope of what he means there by “basic common sense.”

The greater reason to believe ArkanoiD is that his account lines up with two other, separate testimonies recorded in a different unrelated, old, Russian language publication. The website “bugtraq.ru” solicited a short statement from one of the other known hackers to have been involved in the case — “Bukazoid” — as well as a longer account from an anonymous insider who, for the sake of simplicity, we’ll call “Hacker 3.” The details of Hacker 3’s story are consistent with Bukazoid’s and ArkanoiD’s tellings, but his perspective is unique enough that he seems to be a distinct, third player.

The veracity of Hacker 3’s attestation is supported by certain details which we can independently confirm to have been true, including, but not limited to, aspects of Citibank’s systems which weren’t widely reported or otherwise known at the time. Hacker 3 is also remarkably detailed in his descriptions, as you’ll see, to a degree that made-up stories rarely are. So if you’re still not convinced, save it for the end.

In all, these accounts paint the clearest picture available of what happened in the Levin case. So, in this episode, we’re going to once and for all clarify how Vladimir Levin managed to steal 10.7 million dollars from Citibank, through the translated accounts of the hackers who, in fact, did the job for him.

“[ArkanoiD] So let’s start from the beginning: what was the world like in 1994? From the point of view of the average person, everything was approximately the same as it is now: there was the Internet, personal computers, e-mail, the web, there was Microsoft Office and even a beta version of Windows 95, then known as “Chicago”.

The major differences were in what was not visible. For example, although everyone already saw the same Microsoft Office, the most popular office suite then was not that, but Digital All-In-One.

[. . .] And the largest network, oddly enough, was not the Internet at all, but a collection of X.25 networks.”

X.25 was the packet-switching protocol used to communicate between systems on “Telenet,” one of the early networks that existed before the broader internet came to be. Compared with other backbone networks in the early ‘90s, Telenet had become top dog.

“[ArkanoiD] So much so that there was only one paid information service on this network, Dialog — [that] provided access to databases that were approximately twenty times larger in volume than the total volume of the entire public Internet at that time. As for Russia, a map of nodes for Sprint – one of the X.25 operators at the end of 1994 – looked noticeably more impressive than the map of the Russian Internet two years later.”

The X.25-based Telenet — later acquired by Sprint and renamed “SprintNet” — had become so popular because, having launched back in 1975, it was the first public data network. Unlike those reserved for the military and universities, anyone with the right equipment and access could use it. And, as Hacker 3 recalled, that wasn’t such a high bar, even for ordinary people.

“[Hacker 3] For me, this story began somewhere in the fall of ’92, when I got a modem. Soon after that (at the end of ’92), an acquaintance of mine told me about the Sprint network, Compuserve and the opportunities that came with modems.”

Compuserve was the first commercial online service for timesharing and remote access to servers. At the turn of the 80s, the company was bought by H&R Block and opened to the public, becoming the go-to place for online chat and message boards, software libraries, and online gaming. (Only years later would it cede to its rising competitor, AOL.)

“[Hacker 3] As it turned out, CompuServe was very easy to register.. This is how my interest in Sprint and the Internet began.”

These proto-internet systems weren’t just interesting, and open to anyone. Without any real hacking they were also, in effect, free to use.

“[Hacker 3] In Sprint, you didn’t have to register for it to work – it allowed you to connect for free to hosts who were willing to pay for the connections (reverse-charge calls). And there were such hosts: big on-line services and private services of various companies.”

Some corporations did end up identifying foreign users accessing computing resources, and running up their bills with SprintNet.

“[Hacker 3] Their administrators very quickly stopped the activities of freeloaders: after all, connections through Sprint were paid for by these services. In most cases, this resulted in the banning of reverse-charge calls from Russia.”

It was just as people were beginning to peek around inside Telenet that, in December, 1992, an individual named Skylar blew the doors wide open.

“[Hacker 3] Around this time, I came across the Phrack magazine on the Internet. In issue 42, a scan of SprintNet was published (titled “Sprintnet Directory Part I to III”). This was the beginning of the end.”

In Volume 4, Issue 42 of Phrack Magazine, Skylar published a “SprintNet Directory.” It began with a document describing how to access SprintNet, with step-by-step instructions, a glossary of all relevant codes, and any other relevant information.

Then, remarkably, Skylar proceeded to map out what was essentially a telephone book for all of the subnetworks and addresses on SprintNet. The long, three-part list included all of the U.S. states with their own networks, serving some of the largest corporations in America — Morgan Stanley, Lehman Brothers, Prudential — as well as government entities like the Congressional Quarterly Online System, and the U.S. Information Agency (USIA).

Even more remarkable was that, besides their specific addresses and instructions on how to access them, Skylar had appeared to amass login data. Phrack redacted this information from publication, though this detail foreshadowed events to come.

For aspiring hackers like ArkanoiD and Hacker 3, reading through Skylar’s directory, one name seems to have stood out to them above all others.

“[ArkanoiD] it was almost impossible not to pay attention to Citibank, which occupied a separate network there outside the regular geographical numbering! Undoubtedly, it became one of the main objects of interest for hackers from all over the world.”

Looking back at it today, you can really tell what he’s talking about here — why Citibank would’ve stood out. The directory lists subnetworks state by state — New York, California, Texas, Indiana — and then, weirdly, there’s Citibank, not as a user in those regions, but a network unto itself.

“[Hacker 3] It was Citibank’s own X.25 network, connecting its branches around the world, using Sprint addresses and having a gateway to Sprint, so that its hosts were directly accessible from Sprint anywhere in the world.”

“[ArkanoiD] [But] everything would have been much less interesting if the Global Finance Technology Division of Citicorp had not come up with the idea of organizing a BBS for their own purposes.”

Through cross-referencing Phrack with a 2001 SEC filing, the bulletin board system (BBS) ArkanoiD is referring to appears to be Galacticomm Technologies’ Worldcom 3.0, an integrated suite for web-based e-mail, polls, questionnaires, newsgroups, shared File Libraries and chat. A paywalled 1995 article in a local Davenport, Iowa newspaper cited, in passing, that Citibank used Worldcom to, quote, “connect 700 Audit Division employees from as far away as Sydney and Bombay.”

Evidently, hosting such a large and widespread BBS also left open opportunity for foreign, unauthorized access.

“[ArkanoiD] new users with minimal rights were allowed there. However, gaining access to administrator passwords, which made it possible to [. . .] use advanced services, including chats between users and the ability to share files, was a trivial matter, and in general no one was particularly serious about this resource.”

Access was so wide open, he explained, that one fellow hacker…

“[ArkanoiD] registered a user on behalf of Citibank Antarctica and received expanded access “on a legal basis.””

Phrack 42 had been their inspiration, and it was in this exposed Citibank BBS where the paths of Arkanoid, Hacker 3, and Bukazoid collided, in 1994.

“[ArkanoiD] the possibility of easy communication with every curious person wandering through the Citibank network made it possible to organize that unique research group.”

“[Hacker 3] Then an acquaintance of mine – let’s call him Bukazoid – came to visit me and very vaguely told me that he had found a bunch of interesting hosts in Sprint. I remembered my delving into the depths of Sprint and quickly got him talking. Bukazoid, as it turned out, really fell in love with one BBS which for some reason was installed in Citibank, found a bunch of holes there that allowed users to set arbitrary limits, and sat there regularly, using it to communicate with friends from different cities (luckily Citibank paid for everything).”

Bukazoid was uncovering a deluge of vulnerabilities — mostly, it seems, for the fun of it, because the job of hacking into Citibank in 1994 didn’t actually require such high-level trickery.

“[ArkanoiD] As for the technical side of the hack, alas, here I have to disappoint the reader – everything that happened was, I honestly admit, very low tech. That is, there was no “blind” analysis of buffer overflows in unknown programs, without source codes for exotic architectures and other aerobatics. There was a systematic approach and a little bit of luck.”

“[Hacker 3] I began to dig into the Citibank network. Fortunately, at that time, they already had a large IP network with real addresses (naturally fenced off from the Internet by a firewall). […] In addition, these servers allowed connections to be established using the DEC LAT protocol within the local network of the department, where a particular server was installed.”

LAT — local area transport — was a networking protocol for DECnet, the peer-to-peer network architecture for OpenVMS operating systems.

“[ArkanoiD] Almost none of the [research] group members had regular access to (let alone personal ownership of) a computer with the VMS operating system, which was used at most of the places of interest to us. So we set up administrator and developer computer accounts at MRDC so we could experiment with the software in peace.”

The “MRDC” Arkanoid is referring to may have been MRDC software, an early data analysis software company the hackers seem to have used as a gateway to DECnet. As Arkanoid explains, after all of the events surrounding Citibank:

“[ArkanoiD] I managed to briefly chat with one of the MRDC system administrators, who finally began to notice “suspicious” activity on the network, but we didn’t have time to say anything interesting to each other.”

ArkanoiD had such visibility into this company that he could see them discussing technical issues with their Laserjet printer. So, as a courtesy, he dropped them a document explaining how to fix it.

Anyway, back to Hacker 3 mapping the Citibank network:

“[Hacker 3] Initially, X.25 was used to combine networks: from any computer it was possible to establish a connection via LAT to a terminal server, and from it – via X.25 – to another server, and from it again via LAT to the desired computer.”

Between these various servers and protocols, Hacker 3 could navigate from one part of the Citibank network to another, and gather intel along the way.

“[Hacker 3] For the convenience of hackers, the servers had a help command, as well as commands for showing configurations [and] a list of known IP addresses with ARP.”

ARP — address resolution protocol — connects IP and MAC addresses.

“[Hacker 3] I very quickly created a script that downloaded a list of services, then connected with every one and recorded what they answered. Thus, a bunch of gateway servers to other networks were found, with access to modems with the ability to make calls around the world, and services that allowed you to establish connections via X.25 on behalf of Citibank (only on Sprintnet and Timnet) [. . .] which made it possible to connect to those hosts that refused to accept unpaid connections, or connections from Russia.”

Within one of the many servers Hacker 3 now had access to was what he referred to as “a very funny service” — the console for a local Cisco router, plugged into the terminal service port. Here, fortuitously enough…

“[Hacker 3] The local admin [. . .] forgot to type ‘logoff’ (or whatever this command was called – it was a long time ago, I don’t remember). But RS-232 is not telnet – it doesn’t know that it has been disconnected.”

RS-232 is a standard for connecting things like computer terminals and modems.

“[Hacker 3] I found out that the password for accessing it was “cisco”, and the password for privileged access was “access”.

These passwords were stored unencrypted, in plaintext.

“[Hacker 3] As it turned out, the same passwords were used in almost all Citibank routers, or replaced with the host name. Using a simple script, I scanned all the routers (using the ARP output) and found several computers with Unix and the login ‘guest/guest’. [. . .] As a result of this disgrace, I received an excellent picture of the entire Citibank network with all its terminal servers and routers.

“[ArkanoiD] The results were impressive: the analytical group had in their hands the most detailed information about the structure of the internal network, including development plans, placement of equipment on floors and premises [. . .] Without exaggeration, we can say that we were better versed in some details of the network’s architecture than many bank employees.”

While Hacker 3 developed a complete, detailed map of Citibank’s IT systems, Bukazoid gained access to its most sensitive parts. One of the terminal servers, it turned out, had an interesting hole: it did not track the disconnection of clients that reached it via X.25.

“[Hacker 3] For convenience, access servers had a “show users” command that showed all clients on all ports and the addresses or names of the computers to which they were connected. You go to the server, type ‘show users’, disconnect from it and start connecting to the ports on which someone is hanging.

Bukazoid quickly ended up on a couple of VAX [computers] instead of their admins, got himself a bunch of logins there, and began studying VMS’s and the activities of Citibank admins. I collected some files there, read correspondences, etc. For example, admins liked to send each other large lists with machine administrator passwords.”

“[ArkanoiD] no one thought that this particular mail, often containing passwords and access instructions to dozens of other systems, would be a most valuable find for any hacker…”

At this point one wonders how these systems could be so vulnerable, just letting hackers in and allowing them to roam free. They must have been terribly designed, right?

Not exactly.

“[Hacker 3] The VAXs had remarkable security controls, which created huge reports on all suspicious activity… Bukazoid found one of these – it had all the traces of his work.”

With admin access, Bukazoid had a copy of the forensic data which would’ve implicated him in hacking Citibank’s network. The actual employees of the company, however, didn’t have as much interest in it, as Bukazoid himself could see, because he had visibility into their communications.

“[Hacker 3] From their correspondence it turned out that everyone knew about the problems with this access server… But no one really cared about it. They planned to replace it in six months or a year.”

According to Hacker 3, the systems were so thoroughly unguarded that hackers from Bulgaria “and other places” were exploring the same network at the same time they were.

So thoroughly unguarded that they could access the single most sensitive systems in the whole organization: those that controlled money transfers.

“[Hacker 3] Naturally, more than once Bukazoid and I found ourselves connected through this glitchy server to the computers responsible for financial transactions. […] You could simply enter their account number and transfer money from the client’s account.”

It’s worth repeating this point. At this stage, the hackers were not just inside of the IT network of one of the world’s biggest banks, they were seemingly capable of stealing unlimited amounts of money, simply by typing in the numbers they wished.

If true, this was the most comprehensive financial cyber hack ever committed — maybe the most comprehensive that will ever be committed, ever. Which makes it all the more shocking to learn exactly what these Russian hackers chose to do next.

“[Hacker 3] It was clear that it would not be possible to steal money and remain unnoticed, and if we did, we would not be able to survive after that. Therefore, we avoided computers with money.”

According to all three accounts, they decided not to steal any money. And even if they wanted to, ArkanoiD acknowledged, they didn’t have the resources to handle the financial-logistical half of the crime.

“[ArkanoiD] Without having the organizational resources for the “offline” part of the operation (and in Russia, if you remember, in 1994, this meant contacting, um, “unpleasant” people), “draining the cabbage” seemed to us difficult and impractical. [. . .] Instead, the network was used as an entertainment resource – free modem calls or X.25 connections to any address – and a lot more interesting technologies. And this, I tell you, is a completely special feeling.”

For around six months the hackers enjoyed using Citibank’s systems to connect to whatever network they wished, or run whatever they wanted on the unpoliced servers.

“[ArkanoiD] I even played my favorite Star Trek, having installed and launched it “on the other side.” Because a significant part of these computers were for “collective use”, no one paid attention to another user who, it seems, used a terminal server on the bank premises and did not particularly bother anyone.”

ArkanoiD goes on to describe with romance that feeling only those old hacker stories have — the near-Matrix-like experience of using your old computer monitor to bounce around the world, in a virtual reality, where you can go places that exist only on screen, and touch things that exist far away, yet right in front of you.

“[ArkanoiD] But I digress. Who would have thought that one of us would be such an ass?”

In an instant, it all came to an end.

“[ArkanoiD] Now I understand that this is my miscalculation as an organizer – the fact that I entrusted valuable information to a person about whom, in general, it was clear that he could abuse it [. . .] I’m not talking about Levin – Levin was not a member of the group. I’m talking about the one who sold it to him for—the journalists don’t lie here—a hundred dollars.”

“[Hacker 3] A mutual acquaintance of ours with Bukazoid, came running to me with horror in his voice, and told me that it was he who told Levin about the secret, having received $100 for it.”

Contrary to what has been published about him for decades, Vladimir Levin — the vaunted cybercriminal on everyone’s top 10 listicle — likely had no hand whatsoever in compromising Citibank’s IT network. Instead, one member of the “research team” sold him the information they’d collectively gathered for $100.

With help from accomplices in organized crime, Levin used Citibank’s money transfer system to turn a $100 investment into 40 fraudulent transactions totalling 10.7 million dollars. This is the side of the story that’s well-documented by other sources you can find online. The FBI captured him during a layover at a London airport in 1995, after which he served three years in prison and paid $240,000 in recompense. $400,000 of the 10.7 million was never recovered and, ever since his release, Levin has never been heard from again.

And as for the hackers who actually hacked Citibank? They didn’t get millions of dollars, but they also didn’t get any jail time.

“[ArkanoiD] One of the participants in the events I know, like me, continues to be involved in information security, for many years as a “white hat”. His projects are very interesting, among them is one of the best personal firewalls for Windows. The other one is now working as a “simple” system administrator, although also not so simple, he’s very successful. The traces of the others were lost, but I am almost sure that the experience gained was useful to them.”

Latest episodes

The Real Story of Citibank’s $10M Hack

Hosted By

Ran Levi

Co-Founder @ PI Media