Historical Hacks: The Citibank Hack (1994)
This hack exploited dial-up access and weak security to steal millions.
We've talked a lot about how the early days of the internet were a very different time, especially where security and encryption protocols were concerned. And while some of the incidents covered in earlier articles turned out to be the result of curiosity or experimentation rather than malicious intent, today's article is quite different. While it wasn't the first digital heist, it was one of the first big ones and is still pretty interesting. Even now, 30 years later, some details remain vague.
Despite this, we'll still take a walk down memory lane, back to 1994, when the incident occurred. Before we do, it's worth pointing out that attitudes to computers, technology and the newfangled internet were very different back then, which of course made the incident much bigger news at the time.
The Background
In the old days, to rob a bank you'd usually need a mask, a gun and a willingness to face significant risk. The early days of the internet changed all that. While bankbooks and other physical methods of managing accounts still existed, the world was slowly transitioning to a digital one. Servers were being put online, banks were experimenting with ways to manage and transfer money using the new technology, and even things like web banking were starting to look like real ways to manage money rather than some kind of futuristic, non-existent tech.
However, as with many things in early development, attitudes around security could be pretty lax, and it's fair to say the financial sector was not immune to these problems. It took some time to realise that, rather than being the plot of a movie, these digital assets faced real-world threats and would need real-world protection.
The Hack
While much of the technical process is shrouded in mystery or lost to the passage of time, a few things are accepted as fact about this incident.
Firstly, the incident took place over a four-month period in 1994, between June and October. While it's unknown precisely how many intrusions occurred, it's accepted that over 10 million dollars was moved out of customer accounts during this time.
While details of the exploit process were limited in press reports at the time, what is known is that the attacks were carried out over a dial-up connection. Once access was gained, a vulnerability in the encryption used by the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system was reportedly exploited.
This was paired with Citibank customer data that had been intercepted previously. It is believed that account information, including user names and passwords, was captured in transit using man-in-the-middle techniques, and that this data was then used to initiate the transfers and complete the heist. The practical point for anyone thinking about the era is that a dial-up session carried no link-level encryption of its own, so a static password captured once was reusable for as long as it remained unchanged.
Despite evasion techniques such as using different accounts for the transfers and varying the timing and frequency of transactions, Citibank's fraud detection eventually identified the irregularities within the transfer system. At that point, the game was up.
The Hackers
Like our earlier article on Cliff Stoll's work identifying international hackers, it didn't take long for investigators in this case to realise they were dealing with a similar situation (minus the military espionage, of course).
By the end of 1994, investigators had identified Russian national Vladimir Leonidovitch Levin (Владимир Леонидович Левин) as the mastermind behind the hack. However, with millions of dollars stolen and plenty of information still lacking, it's reasonable to expect that the story wouldn't end there, and you would, in fact, be correct.
Later investigations in 1995 and again in the early 2000s uncovered unverified claims that, rather than masterminding the hack himself, Levin merely purchased the exploit and then took advantage of it. It's unknown to what extent this is true, but it adds further mystery to an already interesting story. What is known is that at least three accomplices were used to withdraw and move the stolen funds, though their role in the actual intrusion remains uncertain.
Once he was identified, government agencies went to work investigating Levin and looking for a way to make the arrest. This came in March 1995, when he was arrested at London's Stansted Airport while transferring from a flight from Moscow.
While it took a few years for the legal wheels to turn, by 1998 he had been extradited to the United States, where he pleaded guilty and was convicted over US$3.7 million of the stolen Citibank funds.
The Fallout
While the legal process would take some time to play out in full, the impact on the financial and security sectors was immediate. The connected nature of the modern world meant that, despite it being the early days of the internet, multiple government agencies across several countries took part in the investigation and subsequent arrest.
And while multiple people were charged, others were identified but never charged or convicted due to a lack of evidence. One account in particular was linked to a Russian couple who had previously lived in the United States but now resided overseas, making extradition unlikely.
Before the dust had even settled, banks, security experts and other professionals were reviewing their practices and implementing fixes to tighten security. It didn't take long for most to realise that the new era of digital banking would provide an array of tantalising opportunities to cyber criminals.
It wasn't just the banking sector that changed as a result. Policing agencies worldwide began to realise that to combat these new threats effectively, cross-border and inter-agency cooperation would need to improve as well.
Changes Made
The first thing to go as a result of the hack was the weak encryption used to perpetrate it and steal the funds. Citibank also went on to place greater focus on user authentication and data protection throughout the transaction process.
Greater focus was then placed on fraud protection, including methods to monitor and identify fraudulent transactions while they are occurring rather than after the fact. SWIFT itself remains in use today, though later incidents (the 2016 Bangladesh Bank heist, in which fraudulent SWIFT messages were sent from a compromised member bank) showed that the network's security depends on each member's own controls as much as on the network.
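As an added illustration of the kind of in-flight transaction monitoring just described (this is example code written for this article, not Citibank's or SWIFT's own logic; the thresholds and the sample transfer records are constructed assumptions), the script below scores each transfer against its originating account's own history: a first-seen beneficiary, an off-hours timestamp, an amount far above the trailing mean, and a burst of new beneficiaries within a short window. The evasion tactics mentioned earlier, spreading transfers across accounts and varying their timing, are exactly what per-account history and a burst window are meant to catch.

```python
"""Rule-based monitoring of outbound transfers, scored as they arrive.

Example code for this article, not a bank's or SWIFT's production logic.
All records and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample records (not real data). Fields:
# (timestamp, originating account, beneficiary account, amount in USD, destination country)
SAMPLE_TRANSFERS = [
    ("1994-06-30 10:15", "CUST-001", "BEN-A", 12_000, "US"),
    ("1994-07-01 14:20", "CUST-001", "BEN-A", 8_500, "US"),
    ("1994-07-02 02:47", "CUST-001", "BEN-X", 400_000, "FI"),  # weekend, 3am, new payee
    ("1994-07-02 03:05", "CUST-001", "BEN-Y", 250_000, "NL"),  # second new payee in 18 min
    ("1994-07-04 11:00", "CUST-002", "BEN-B", 5_000, "US"),
    ("1994-07-05 09:30", "CUST-001", "BEN-A", 9_000, "US"),
    ("1994-07-15 23:58", "CUST-002", "BEN-Z", 300_000, "IL"),  # late night, new payee, 60x normal
]

# Illustrative thresholds (assumptions, not values from the incident).
BUSINESS_HOURS = (7, 19)                  # 07:00 to 19:00 local time counts as normal
AMOUNT_MULTIPLIER = 5.0                   # flag if > 5x the account's trailing mean
NEW_BENEFICIARY_WINDOW = timedelta(hours=24)
NEW_BENEFICIARY_BURST = 2                 # >= 2 first-seen payees inside the window
ALERT_SCORE = 2                           # independent signals needed to raise an alert


def off_hours(ts):
    """True on weekends or outside the business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def detect_anomalies(transfers):
    """Stream records in time order; return [(index, [reasons])] for alerted transfers.

    State is built only from records already processed, so each transfer is judged
    against the account's history at that moment, as an online monitor would do
    before the funds are released.
    """
    seen_beneficiaries = defaultdict(set)   # account -> payees used before
    prior_amounts = defaultdict(list)       # account -> amounts of earlier transfers
    new_payee_times = defaultdict(list)     # account -> timestamps of first-seen payees
    alerts = []
    for idx, (ts_str, account, beneficiary, amount, _country) in enumerate(transfers):
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M")
        reasons = []

        # Signal 1 and 2: never paid this beneficiary before, and how many such
        # first-time payees this account has introduced in the last 24 hours.
        if beneficiary not in seen_beneficiaries[account]:
            reasons.append("first-seen beneficiary")
            new_payee_times[account].append(ts)
            recent = [t for t in new_payee_times[account] if ts - t <= NEW_BENEFICIARY_WINDOW]
            if len(recent) >= NEW_BENEFICIARY_BURST:
                reasons.append("burst of new beneficiaries")

        # Signal 3: time of day / day of week the account does not normally transact.
        if off_hours(ts):
            reasons.append("off-hours")

        # Signal 4: amount out of line with this account's own trailing behaviour.
        history = prior_amounts[account]
        if history and amount > AMOUNT_MULTIPLIER * mean(history):
            reasons.append("amount far above trailing mean")

        if len(reasons) >= ALERT_SCORE:
            alerts.append((idx, reasons))

        # Update state only after scoring so a transfer never vouches for itself.
        seen_beneficiaries[account].add(beneficiary)
        prior_amounts[account].append(amount)
    return alerts


if __name__ == "__main__":
    for idx, reasons in detect_anomalies(SAMPLE_TRANSFERS):
        ts, account, beneficiary, amount, country = SAMPLE_TRANSFERS[idx]
        print(f"ALERT {ts} {account} -> {beneficiary} ({country}) ${amount:,}: {', '.join(reasons)}")
```

On the constructed sample this alerts on the two weekend transfers from CUST-001 and the late-night transfer from CUST-002, while the routine daytime payments to an established payee pass. The design choice that matters is that the monitor holds a transfer for review before it settles, and that each signal is relative to the account's own baseline rather than a global threshold, which is what defeats an attacker who keeps individual amounts modest and spreads them across accounts.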
While many police departments are small agencies with limited resources, for many this was the catalyst that identified the need for a dedicated online investigative unit and better processes for handling requests for inter-agency cooperation.
It's fair to say that after this event, the internet would no longer be the sole domain of the alphabet agencies. Local policing would go global in an effort to identify and reduce the new era of cybercrime.