Cybercrime History · Case Study

The World's First Online Bank Robbery
Vladimir Levin, Citibank & A $100 Login

Thomas Shelby · 26.04.2026 · St. Petersburg · 1994 · X.25
[Image: Vladimir Levin, Citibank 1994. CRT terminal with wire transfer code]
01

A Money Heist, But Without The Masks

You've probably watched Money Heist. Maybe you've read about old-school bank jobs, the ones where the gang vaults the counter, somebody's holding a shotgun, somebody else is screaming at a manager to open the vault. The whole thing depends on bodies in a room.

Now picture the same heist, but nobody's in the building. No masks, no hostages, no getaway car. Just a man at a desk, a CRT monitor, and a phone line into a network most people had never heard of. That's how the world's first online bank robbery actually played out, and honestly, the more I read about it, the more I think it's one of the most under-told stories in security history.

This post is a case study of Vladimir Levin, a group of St. Petersburg hackers, and the $10.7 million they moved out of Citibank in 1994. I'll walk through the context that made it possible, the actual technique, the FBI investigation, and what it set in motion that we're still living with today.

02

Before 1994: You Had To Show Up

The first recorded bank robbery in the United States happened in March 1831. James Honeyman and William J. Murray forged a set of keys, walked into the City Bank of New York after hours, and walked out with the equivalent of around $245,000. They were caught within weeks. (Both The New York Times archive and the Saturday Evening Post covered it; Wikipedia has the cleanest summary.)

[Image: 1831 City Bank of New York. First US bank robbery sketch]

For the next 160-odd years, that was the model: forged keys, dynamited safes, masked men, getaway cars. The bank had a vault, the vault had a door, and the only way to get to the money was through the door. Banks responded by hardening the physical layer: thicker walls, better locks, alarms wired to police, dye packs, time-locked vaults. By the late 80s, robbing a bank in person was a bad bet. The defence had won.

What the defence had not paid attention to was the new door they'd just built: the one for sending money out of the bank without anyone walking in.

03

X.25: The Internet Before The Internet

Quick context, because this part matters. The "internet" most people know (TCP/IP, the World Wide Web, web browsers) wasn't really a thing for the public in 1994. ARPANET was being shut down. Tim Berners-Lee had only released the first web browser three years earlier. If you wanted to talk to a bank's mainframe in 1994, you didn't go to a website. There weren't any.

What banks ran on instead was X.25, a packet-switched network protocol from the 1970s. Think of it as a private internet for big institutions. SWIFT ran on it. Airline reservation systems ran on it. Citibank's wire transfer back-end ran on it. You couldn't get there from a regular phone line; you needed a leased X.25 link or a PAD (packet assembler/disassembler) connection: basically a special modem and the right credentials.

Why This Matters

Because X.25 was so obscure and so industrial, banks treated it as a trusted network. Authentication on the wire transfer terminal was strong on paper but weak in practice: once you were on the network and had a valid login, the system mostly assumed you were supposed to be there. There was no MFA. No anomaly detection of the kind we'd recognise today. No SOC watching dashboards.

That's the door I'm talking about. By 1994, every bank had one. Almost nobody was watching it.

04

St. Petersburg, 1994: The Group That Found The Door

The hack didn't start with Vladimir Levin. This is the part most popular tellings get wrong.

A group of St. Petersburg hackers, one of them going by the handle "Buckazoid", had been mapping X.25 networks for months. They were curious, broke, and very good. While poking around, they stumbled onto Citibank's network. They found the wire transfer terminal. They confirmed they could log in.

And then they got scared.

Pulling money from Citi's wire system was not the kind of thing you did on a hunch. The risk of getting caught (by Russian authorities, by US authorities, by people scarier than either) was real. So the group did something I find genuinely interesting: they decided not to steal the money themselves. Instead, they sold the access details (credentials, the terminal info, the methodology) to Vladimir Levin for around $100.

[Image: St. Petersburg 1990s computer room. X.25 terminal hacker scene]

Read that again. The world's first online bank robbery was kicked off by a hundred-dollar transaction in a back room. That's not a metaphor. That's the actual chain of custody.

05

Levin At The Terminal

Vladimir Levin was a programmer in his late twenties, working out of a small St. Petersburg software company called AO Saturn. By all accounts he wasn't a network exploitation specialist. He didn't need to be. He had what the Buckazoid group had sold him: a working set of credentials and the path to use them.

Between June and October 1994, Levin sat at his terminal and issued a series of fraudulent wire transfers from Citibank corporate customer accounts into accounts he controlled in Finland, the United States, the Netherlands, Germany, Israel, and Switzerland. Confederates on the receiving end would withdraw the money or move it on. Total moved: around $10.7 million.

attack flow / simplified
[ AO Saturn, St. Petersburg ]
        |
        | dial-up + X.25 PAD
        v
[ Citibank Cash Management System ]
        |
        | session: USER=[REDACTED]  PASS=[REDACTED]
        v
[ Wire transfer: corp account --> mule account ]
        |
        +--> Finland   (mule withdraws cash)
        +--> USA       (mule withdraws cash)
        +--> NL / DE / IL / CH

Levin's mistake (and it was the same mistake every old-school robber made) was greed and frequency. The transfers stacked up. Citibank's risk team noticed unusual patterns on corporate accounts. They flagged it. The FBI got the call. From that moment, the heist stopped being a heist and became an investigation.

06

London, March 1995: The Airport Arrest

The investigation was joint: FBI, Citibank's internal team, and cooperating Russian sources. They went after the mules first. Mules in Israel, the US, and the Netherlands started getting picked up as they tried to withdraw the funds. Out of the ~$10.7M moved, only about $400,000 ever stayed gone. The rest got frozen, recovered, or never made it past the receiving bank.

Once the FBI had statements from the mules, and once they'd traced the wire-transfer sessions back to a specific computer in St. Petersburg, they had Levin. The problem was getting hands on him. Russia at the time had no extradition treaty with the US.

So they waited. The FBI learned Levin was leaving Russia, transiting through London on the way to the Netherlands. They tipped off British authorities. In March 1995, Vladimir Levin was arrested at Stansted Airport. He fought extradition for nearly two years. In September 1997, he was finally handed over to US custody, pleaded guilty in 1998, and was sentenced to three years and ordered to pay Citibank around $240,000 in restitution.

Note

For years afterward, members of the original St. Petersburg group claimed Levin was never the real "hacker", that he was the buyer, not the breaker. The 2005 reporting around "Buckazoid" supports that telling. Either way, Levin was the one at the wire-transfer terminal, and he's the name on the conviction.

07

What This Set In Motion

The technical mechanics of the Citibank job look almost quaint now. There's no zero-day, no kernel exploit, no malware family named after it. It was credential reuse, network access, and a wire transfer terminal that trusted whoever logged in. The kind of thing a junior pentester would write up in a finding today and call "insufficient access controls on legacy infrastructure."

But the cultural shift it caused was massive. For the first time, a group of people with a computer and a phone line had moved more money than a dozen physical bank jobs combined. The story leaked. Programmers noticed. The pattern got copied. By the late 90s, phishing was a word. By the 2000s, banking trojans like Zeus were industrial. The Levin case is the cultural before-and-after: the moment when "robbing a bank" stopped meaning "drive to the bank."

A few things from this case still show up in modern engagements I run:

  • Trusted network ≠ secure network. Internal segments, "private" links, and management VLANs still get treated like Citi treated X.25.
  • Credentials are the door. Levin didn't break crypto. He logged in. The same is true of most of the breaches I see today.
  • Anomaly detection saves the bank, not the firewall. Citibank's risk team caught it through patterns, not perimeter alerts. That's still where most blue teams should be investing.
  • The mule layer is the brittle layer. Then and now. If you can roll one mule, the rest of the chain unravels.

Honestly, I think about Levin every time I write a finding about an exposed admin panel that "isn't reachable from the internet." It usually is. Somebody's just not looking yet.
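
The pattern-based detection credited above to Citibank's risk team, sketched as an added example (not from the original post, and not Citibank's actual logic): it flags a corporate account that pays more than a set number of first-seen beneficiaries inside a sliding window. Account names, amounts, the 7-day window and the threshold are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)   # assumed look-back window
MAX_NEW_BENEFICIARIES = 2    # assumed tolerance for first-seen payees per window

# Constructed sample data: (timestamp, source account, beneficiary, country, USD)
HISTORY = [  # baseline period used to learn each account's usual payees
    ("1994-05-02T10:00", "CORP-A", "SUPPLIER-1", "US", 40_000),
    ("1994-05-16T10:00", "CORP-A", "SUPPLIER-2", "US", 55_000),
    ("1994-05-03T09:30", "CORP-B", "PAYROLL-1", "US", 120_000),
]
LIVE = [
    ("1994-06-01T10:00", "CORP-A", "SUPPLIER-1", "US", 42_000),
    ("1994-06-03T02:10", "CORP-A", "ACCT-X1", "FI", 140_000),
    ("1994-06-04T02:25", "CORP-A", "ACCT-X2", "NL", 190_000),
    ("1994-06-06T03:05", "CORP-A", "ACCT-X3", "IL", 210_000),
    ("1994-06-05T09:30", "CORP-B", "PAYROLL-1", "US", 118_000),
    ("1994-06-20T11:00", "CORP-B", "VENDOR-9", "DE", 15_000),
]

def detect(history, live, window=WINDOW, limit=MAX_NEW_BENEFICIARIES):
    """Alert when an account pays more than `limit` never-before-seen
    beneficiaries within one sliding window."""
    known = defaultdict(set)                 # account -> payees seen in baseline
    for _, src, dst, _, _ in history:
        known[src].add(dst)
    recent = defaultdict(deque)              # account -> recent first-seen payments
    alerts = []
    for ts, src, dst, country, amount in sorted(live):   # ISO timestamps sort by time
        if dst in known[src]:
            continue                         # routine payee, nothing to score
        when = datetime.fromisoformat(ts)
        q = recent[src]
        q.append((when, dst, country, amount))
        while when - q[0][0] > window:       # expire entries older than the window
            q.popleft()
        new_dsts = {d for _, d, _, _ in q}
        if len(new_dsts) > limit:
            alerts.append({
                "account": src, "at": ts,
                "new_beneficiaries": sorted(new_dsts),
                "countries": sorted({c for _, _, c, _ in q}),
                "total_usd": sum(a for *_, a in q),
            })
    return alerts

if __name__ == "__main__":
    for alert in detect(HISTORY, LIVE):
        print(alert)
```

The rule keys on who is being paid rather than where the session came from, so it still fires when the login itself is valid.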

08

References & Further Reading

Sources I cross-checked while writing this. Worth reading if you want the long-form versions.