<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krebs on Security &#187; hillary machinery</title>
	<atom:link href="http://krebsonsecurity.com/tag/hillary-machinery/feed/" rel="self" type="application/rss+xml" />
	<link>http://krebsonsecurity.com</link>
	<description>In-depth security news and investigation</description>
	<lastBuildDate>Wed, 23 May 2012 14:03:41 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>U.S. Charges 37 Alleged Money Mules</title>
		<link>http://krebsonsecurity.com/2010/09/u-s-charges-37-alleged-money-mules/</link>
		<comments>http://krebsonsecurity.com/2010/09/u-s-charges-37-alleged-money-mules/#comments</comments>
		<pubDate>Thu, 30 Sep 2010 23:46:44 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[Artem "Artur" Tsygankov]]></category>
		<category><![CDATA[hillary machinery]]></category>
		<category><![CDATA[Operation Trident Breach]]></category>
		<category><![CDATA[Plains Capital Bank]]></category>
		<category><![CDATA[Stanislav Rastorgeuv]]></category>
		<category><![CDATA[Troy Owen]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=5470</guid>
		<description><![CDATA[<strong>Troy Owen</strong> never thought he'd see the day when the cyber thieves who robbed his company of $800,000 would ever be charged with any crime. Owen said that investigators told him that the perpetrators were mostly overseas in places like Ukraine and Moldova, and that it might be tough to catch those responsible.

But on Thursday afternoon, authorities in New York announced they had charged more than 60 individuals -- and arrested 20 -- in connection with international cyber heists perpetrated against dozens of companies in the United States, including Owen's.]]></description>
			<content:encoded><![CDATA[
<p><strong>Troy Owen</strong> never thought he&#8217;d see the day when the cyber thieves who robbed his company of $800,000 would ever be charged with any crime. Owen said investigators had warned him early on that the perpetrators were mostly overseas in places like Ukraine and Moldova, and that it might be tough to pursue those responsible.</p>
<p>But earlier today, authorities in New York announced they had charged more than 60 individuals &#8212; and arrested 20 &#8212; in connection with international cyber heists perpetrated against dozens of companies in the United States, including Owen&#8217;s.</p>
<p>In November 2009, cyber crooks used a sophisticated password stealing Trojan horse program called &#8220;ZeuS&#8221; to hack into computers at Owen&#8217;s firm &#8212; Plano, Texas-based <strong>Hillary Machinery</strong>. The program swiped the company&#8217;s online banking passwords, allowing the attackers to initiate more than $800,000 in bogus transfers out of the company&#8217;s online account to dozens of people in the United States who helped launder the money and send it to the attackers in Eastern Europe.</p>
<div id="attachment_5474" class="wp-caption alignright" style="width: 310px"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/09/hmc3.jpg"><img class="size-medium wp-image-5474" title="hmc3" src="http://krebsonsecurity.com/wp-content/uploads/2010/09/hmc3-300x157.jpg" alt="" width="300" height="157" /></a><p class="wp-caption-text">Fraudulent wire transfers from Hillary Machinery.</p></div>
<p>More than $14,100 of Hillary&#8217;s money was wired to <strong>Stanislav Rastorgeuv</strong>, a 22-year-old Russian national who entered the United States in June 2009 on a &#8220;J1&#8221; student visa. According to charging documents, Rastorgeuv was the poster child for money launderers looking to recruit new mules to help retrieve the proceeds of ZeuS Trojan virus attacks.</p>
<p>Authorities say almost all of those arrested or charged in this case are young Eastern European men and women who were either planning to travel to, or were already present in, the United States on J1 student visas. Once the students were in the United States, the organizers of the mule organization gave the recruits fake foreign passports to open accounts at local banks.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/09/newyork2.png"><img class="alignleft size-medium wp-image-5499" title="newyork2" src="http://krebsonsecurity.com/wp-content/uploads/2010/09/newyork2-175x300.png" alt="" width="175" height="300" /></a>Then, days or weeks after those accounts were opened, other actors in the group would transfer money from cybercrime victims into the mule accounts, typically in amounts close to $10,000. Once the transfers were complete, the mules would quickly withdraw the money, keep a portion for themselves (usually 8 to 10 percent) and transfer the remaining amount to other participants in the fraud scheme, usually individuals overseas.</p>
<p>Some mules were asked to open a large number of bank accounts to help launder stolen funds. Charging documents say Rastorgeuv opened up multiple bank accounts under his own name and using fake passports for fictitious individuals, including the names &#8220;Petr Rubsashkin&#8221; and &#8220;Alexey Iankov.&#8221; In addition to the unauthorized transfer sent to him by Hillary Machinery, Rastorgeuv allegedly helped to launder nearly $30,000 from other victim companies over the next two months.</p>
<p>U.S. authorities say the ringleader of the New York-based money mule gang was <strong>Artem &#8220;Artur&#8221; Tsygankov</strong>, a Russian citizen living in New York who allegedly recruited Rastorgeuv and other mules, supplied them with fake identity documents, and managed their daily activities. In all, the New York gang cleared more than $3 million from victim corporations using hundreds of accounts opened under false identities.</p>
<p>Others are charged with hacking into and siphoning funds from online brokerage accounts. <strong>Jamal Beyrouti</strong>, 53, <strong>Lorenzo Babbo</strong>, 20, and 29-year-old <strong>Vincenzo Vitello</strong> worked with hackers who infiltrated trading accounts at <strong>E-Trade</strong> and <strong>TD Ameritrade</strong>, executing fraudulent sales of securities and transferring the proceeds to accounts the mules controlled. At the same time, the attackers blasted victims’ phones with a barrage of calls to prevent the brokerage firms from contacting them to confirm the legitimacy of the transactions. The scam allowed mules to transfer roughly $1.2 million from hacked brokerage accounts.</p>
<p><span id="more-5470"></span></p>
<p>Today&#8217;s announcement is the culmination of a year-long investigation by the <strong>U.S. Attorney&#8217;s Office for the Southern District of New York,</strong> the <strong>FBI</strong>, the <strong>NYPD</strong>, the <strong>Department of State Diplomatic Security Service</strong>, the <strong>New York Office of Homeland Security Investigation</strong>, and the <strong>U.S. Secret Service</strong>.</p>
<p>The law enforcement sweep announced today also coincides with a related action in the United Kingdom, where police this week <a href="http://krebsonsecurity.com/2010/09/11-charged-in-zeus-money-mule-ring/" target="_blank">charged 11 men and women</a> from Belarus, Estonia, Latvia, and Ukraine with facilitating money mule operations in the U.K. The e-Crimes Unit of the U.K. Metropolitan Police said gang members arrested there are believed to have stolen more than $30 million from banks and businesses worldwide, and roughly £6 million (US $9.5 million) from financial institutions in the United Kingdom during a three-month period.</p>
<p>&#8220;As today&#8217;s arrests show, the modern, high-tech bank heist does not require a gun, a mask, a note, or a getaway car. It requires only the Internet and ingenuity,&#8221; <strong>Manhattan U.S. Attorney Preet Bharara</strong> said in a written statement. &#8220;And it can be accomplished in the blink of an eye, with just a click of the mouse. But today&#8217;s coordinated operation demonstrates that these 21st Century bank robbers are not completely anonymous; they are not invulnerable. Working with our colleagues here and abroad, we will continue to attack this threat, and bring cyber criminals to justice.&#8221;</p>
<div id="attachment_5501" class="wp-caption alignright" style="width: 169px"><a href="http://krebsonsecurity.com/wp-content/uploads/2010/09/rast.jpg"><img class="size-full wp-image-5501" title="rast" src="http://krebsonsecurity.com/wp-content/uploads/2010/09/rast.jpg" alt="" width="159" height="206" /></a><p class="wp-caption-text">Stanislav Rastorguev, from fbi.gov</p></div>
<p>Hillary Machinery&#8217;s Owen said he&#8217;s pleased about the news, but he isn&#8217;t breaking out the bubbly just yet: While Stanislav Rastorgeuv is charged with conspiracy to commit bank fraud and the false use of a passport and faces 40 years in prison and more than $1 million in fines, he is among <a href="http://www.fbi.gov/wanted/alert/newyork2.htm" target="_blank">17 individuals charged today that authorities say are still at large</a>.</p>
<p>&#8220;This is still excellent news, even if they haven&#8217;t caught everyone involved,&#8221; Owen said. &#8220;I had already pretty much given up hope that they&#8217;d be able to find these guys. I&#8217;m just glad they&#8217;re finally starting to bring some of these people to justice.&#8221;</p>
<p>If Owen is jaded, it may have something to do with the legal nightmare he and his company had to endure after the theft. A month following the cyber heist, the firm&#8217;s bank – Plains Capital Bank – <a href="http://krebsonsecurity.com/2010/01/texas-bank-sues-customer-hit-by-800000-cyber-heist/" target="_blank">sued Hillary Machinery</a> in a preemptive bid to convince a judge to declare that the bank&#8217;s online security was commercially reasonable and capable of protecting customers from the latest cyber threats.</p>
<p>Both parties later settled the dispute for an undisclosed amount. But there are many similar cases now working their way through U.S. courts, as more and more businesses and banks tussle over who is responsible for cyber heists that frequently net thieves hundreds of thousands of dollars.</p>
<p>More often than not, victimized businesses <a href="http://krebsonsecurity.com/category/smallbizvictims/" target="_blank">are left holding the bag</a>. That&#8217;s because unlike consumers – who under U.S. law cannot be held liable for fraud against their accounts if they report the unauthorized activity promptly – businesses enjoy no such protections.</p>
<p>Owen said he&#8217;s not waiting around for the banks to get their acts together: His company now only conducts online banking from a dedicated computer that is only used to access the company&#8217;s bank accounts online.</p>
<p>&#8220;Even if they do manage to catch all of these crooks, I wonder how many people are waiting in line to take their place,&#8221; Owen mused. &#8220;I still think wholeheartedly that the best approach is to have good, preventative security in place.&#8221;</p>
<p><strong>Update, Oct. 5, 12:40 a.m.:</strong> The FBI&#8217;s <a href="http://www.fbi.gov/wanted/alert/newyork2.htm" target="_blank">Wanted page</a> now indicates Rastorguev has surrendered.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/09/u-s-charges-37-alleged-money-mules/feed/</wfw:commentRss>
		<slash:comments>32</slash:comments>
		</item>
		<item>
		<title>Texas Bank Sues Customer Hit by $800,000 Cyber Heist</title>
		<link>http://krebsonsecurity.com/2010/01/texas-bank-sues-customer-hit-by-800000-cyber-heist/</link>
		<comments>http://krebsonsecurity.com/2010/01/texas-bank-sues-customer-hit-by-800000-cyber-heist/#comments</comments>
		<pubDate>Tue, 26 Jan 2010 17:21:45 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[hillary machinery]]></category>
		<category><![CDATA[money mules]]></category>
		<category><![CDATA[plainscapital]]></category>

		<guid isPermaLink="false">http://www.krebsonsecurity.com/?p=756</guid>
		<description><![CDATA[A machine equipment company in Texas is tussling with its bank after organized crooks swiped more than $800,000 in a 48-hour cyber heist late last year. While many companies similarly victimized over the past year have sued their banks for having inadequate security protection, this case is unusual because the bank is preemptively suing the [...]]]></description>
			<content:encoded><![CDATA[
<p>A machine equipment company in Texas is tussling with its bank after organized crooks swiped more than $800,000 in a 48-hour cyber heist late last year. While many companies similarly victimized over the past year have sued their banks for having inadequate security protection, this case is unusual because the bank is preemptively suing the victim.</p>
<p><a href="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/hillarymach.jpg"><img class="alignright size-full wp-image-761" title="hillarymach" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/hillarymach.jpg" alt="" width="269" height="63" /></a>Both the victim corporation – Plano-based <strong>Hillary Machinery Inc.</strong> – and the bank, Lubbock-based <strong>PlainsCapital</strong>, agree on this much: In early November, cyber thieves initiated a series of unauthorized wire transfers totaling $801,495 out of Hillary’s account, and PlainsCapital managed to retrieve roughly $600,000 of that money.</p>
<p><span id="more-756"></span></p>
<p>PlainsCapital sued Hillary on Dec. 31, 2009, citing a letter from Hillary that demanded repayment for the rest of the money and alleged that the bank failed to employ commercially reasonable security measures. The lawsuit asks the <strong>U.S. District Court for the Eastern District of Texas</strong> to certify that PlainsCapital’s security was in fact reasonable, and that it processed the wire transfers in good faith. The documents filed with the court allege that the fraudulent transactions were initiated using the defendant’s valid online banking credentials.</p>
<p><strong>Troy Owen</strong>, Hillary’s vice president of sales and marketing, doesn’t dispute that the perpetrators stole their online banking credentials, but said Hillary is still investigating how the information was taken. Owen said the transfers appear to have been initiated from computers in Romania and Italy, among others, and sent to accounts in Ukraine, Russia and other Eastern European nations.</p>
<p><a href="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/hillmemo1.jpg"><img class="alignleft size-medium wp-image-769" title="hillmemo1" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/hillmemo1-236x300.jpg" alt="" width="236" height="300" /></a>According to a Nov. 12 memo that Owen said PlainsCapital shared with him, the institution’s commercial banking platform requires that each customer not only enter a user name and password, but also &#8220;register&#8221; their computer’s Internet address by entering a secure access code sent to the e-mail address on file for the customer.</p>
<p>The bank’s memo states that on Nov. 8, secure access code e-mails were sent to a Hillary e-mail address, but that the request came from a computer with an Internet address in Italy. The memo further states that the actual wire transfer requests were made from computers with Internet addresses in Romania.</p>
<p>Owen said no one in his company received any such e-mails on or around the dates of the break-in, Nov. 8 and 9, and that it is likely whoever stole the company’s banking credentials also intercepted the e-mails.</p>
<p>“It’s pretty ridiculous that the bank is saying their security was reasonable,” Owen said. <span class="pullquote">“The people who run this bank are from an area that still leaves their doors unlocked at night and their keys in the car. These security measures were probably very up to date 10 to 15 years ago, but they’re not in today’s age.”</span></p>
<p>PlainsCapital declined to discuss the memo or other details of the case, citing the pending litigation. The bank’s president <strong>Jerry Schaffner</strong> said in an e-mailed statement that “It is evident that the loss incurred by Hillary Machinery, Inc., although regrettable, was not the result of a cyber attack on PlainsCapital Bank.&#8221;</p>
<p>Transaction logs shared by Hillary indicate that the majority of the unauthorized transfers were international wires for roughly $100,000 each. But at least $60,000 of the money was sent to more than two dozen <a href="http://www.krebsonsecurity.com/?s=money+mules&amp;x=0&amp;y=0" target="_blank">money mules</a>, willing or unwitting accomplices in the United States who are often recruited through work-at-home job scams.</p>
<p>A copy of the bank&#8217;s complaint against Hillary Machinery is available <a href="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/hillary-1.pdf" target="_blank">here</a> (PDF).</p>
<p><strong>Update:</strong> Since this blog post ran, the story of Hillary&#8217;s fight with Plains Capital has been picked up by several mainstream media outlets, including the <a href="http://www.dallasnews.com/sharedcontent/dws/bus/stories/DN-PlainsHillary_02bus.ART0.State.Edition1.3f41f60.html" target="_blank">Dallas Morning News</a>, <a href="http://www.forbes.com/2010/02/17/cybertheft-hillary-machinery-technology-cio-network-security.html?boxes=Homepagechannels" target="_blank">Forbes</a>, and <a href="http://video.foxbusiness.com/v/4000423/cyber-attack-hits-company-twice/?playlist_id=87185" target="_blank">Fox News</a>.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/01/texas-bank-sues-customer-hit-by-800000-cyber-heist/feed/</wfw:commentRss>
		<slash:comments>119</slash:comments>
		</item>
	</channel>
</rss>

