The four Russians and a Ukrainian stole and sold more than 160 million credit card numbers from corporate networks from 2007 to 2012, resulting in losses of hundreds of millions of dollars, federal prosecutors said.
Announcing the indictments, U.S. Attorney Paul Fishman called the case the largest hacking and data-breach scheme ever prosecuted in the United States.
Vladimir Drinkman, 32, Alexandr Kalinin, 26, Roman Kotov, 32, and Dimitriy Smilianets, 29, could face prison sentences of up to 70 years each for wire fraud, unauthorized access to computers, conspiring to commit wire fraud and conspiracy to gain unauthorized access to computers. The Ukrainian, Mikhail Rytikov, 26, was charged with conspiracy only and could face a 35-year sentence.
Of the five men, only two have been arrested. Drinkman is being held in the Netherlands pending extradition, while Smilianets is already in U.S. custody. Special Agent James Mottola of the Secret Service’s Newark field office said the case is an example of the agency’s determination to pursue criminals “no matter where they reside.”
Fishman described the hackers’ scheme as a “cutting-edge” crime.
“Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy and our national security,” he said.
The indictments describe Drinkman and Kalinin in particular as “sophisticated hackers who specialized in penetrating network security of the biggest multinationals and gaining access to the corporate victims’ systems.”
According to the indictments, Princeton, N.J.-based Heartland, one of the world’s largest credit and debit card payment-processing companies, reported losses of $200 million in the attacks. Atlanta-based Global Payment Systems, another leader in electronic transaction processing, estimated its losses at $92.7 million.
Other companies targeted were retailers 7-Eleven, Carrefour, J.C. Penney, Hannaford and Wet Seal, JetBlue, financial services companies Dexia, Bank A, Visa in Jordan, Diners in Singapore and Ingenicard, financial publisher Dow Jones and the Nasdaq Stock Market, the indictment said.
The hackers charged about $10 for each stolen American credit card number and associated data, $15 for each Canadian one and $50 for the higher-security European ones. They also offered discounted pricing to bulk and repeat customers. According to the indictment, their clients would encode each card’s information onto the magnetic strip of a blank plastic card and cash out the value of the stolen credit card by either withdrawing money from automated teller machines or making purchases.