Four Russian nationals and a Ukrainian have been charged in the US with running a sophisticated hacking organisation, stealing at least 160 million credit card numbers and causing losses of hundreds of millions of dollars.
Indictments were announced today in Newark, where US Attorney Paul Fishman called the case the largest hacking and data breach scheme ever prosecuted in the United States.
The indictment says the suspects sent each other instant messages as they took control of the corporate data, telling each other, for instance: “NASDAQ is owned.” At least one man told others that he used Google news alerts to learn whether his hacks had been discovered, according to the court filing.
The defendants were identified as Russians Vladimir Drinkman, Aleksander Kalinin, Roman Kotov and Dmitriy Smilianets, and Ukrainian Mikhail Rytikov. Authorities say one suspect is in the Netherlands and another is due to appear in US District Court in New Jersey next week. The whereabouts of the three others were not immediately clear.
The victims in a scheme that allegedly ran from 2005 until last year included the electronic stock exchange Nasdaq, 7-Eleven, JCPenney, New England supermarket chain Hannaford Brothers, JetBlue, Heartland Payment Systems, one of the world’s largest credit and debit processing companies, French retailer Carrefour SA, and the Belgium bank Dexia Bank Belgium.
The prosecution builds on a case that resulted in a 20-year prison sentence in 2010 for Albert Gonzalez of Miami, who often used the screen name “soupnazi” and is identified in the new complaint as an unindicted co-conspirator. Other unindicted co-conspirators were also named.
Prosecutors identified Drinkman and Kalinin as “sophisticated” hackers who specialised in penetrating the computer networks of multinational corporations, financial institutions and payment processors.
Kotov’s specialty was harvesting data from the networks after they had been penetrated, and Rytikov provided anonymous web-hosting services that were used to hack into computer networks and covertly remove data, the indictment said.
Smilianets was the information salesman, the government said.
All five are charged with taking part in a computer hacking conspiracy and conspiracy to commit wire fraud. The four Russian nationals are also charged with multiple counts of unauthorised computer access and wire fraud.
The individuals who purchased the credit and debit card numbers and associated data from the hacking organization resold them through online forums or directly to others known as “cashers,” the indictment said. According to the indictment, US credit card numbers sold for about 10 dollars (€7.50) each; Canadian numbers were 15 dollars (€11.30) and European ones 50 dollars (€38).
The data was stored on computer servers all over the world, including in New Jersey, Pennsylvania, California, Illinois, Latvia, the Netherlands, Bahamas, Ukraine, Panama and Germany.
The cashers would encode the information onto the magnetic strips of blank plastic cards and cash out the value, by either withdrawing money from ATMs in the case of debit cards, or running up charges and purchasing goods in the case of credit cards.