Four Russians and a Ukrainian were charged in what prosecutors called the largest hacking and data breach scheme in U.S. history.
The five conspired in a "worldwide scheme that targeted major corporate networks, stole more than 160 million credit card numbers and resulted in hundreds of millions of dollars in losses," Paul Fishman, the U.S. attorney in New Jersey, said today in a statement.
U.S. prosecutors in New York separately indicted one of the five men and another Russian in another hacking scheme that targeted 800,000 bank accounts. Two of the men are in custody.
The five men operated "a prolific hacking organization" that "penetrated the secure computer networks of several of the largest payment-processing companies, retailers and financial institutions in the world," according to an indictment unsealed in federal court in Newark, N.J. They are accused of stealing user names and passwords, personal identification information, and credit and debit card numbers.
"This type of crime is the cutting edge," Fishman said. "Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy and our national security."
After stealing data, known as "dumps," the men sold it to "dumps resellers," who then sold it through online forums or to individuals and organizations, prosecutors charged.
The men encoded the data into the magnetic strips of blank plastic cards and withdrew money from automated teller machines and made credit-card purchases, the U.S. said.
"Financial institutions, credit card companies and consumers suffered hundreds of millions in losses, including losses in excess of $300 million by just three of the corporate victims, and immeasurable losses to identity-theft victims," according to the indictment. Companies they allegedly targeted included Carrefour SA, France's biggest retailer.
The men conspired with Albert Gonzalez, a Miami hacker serving 20 years in prison, according to the indictment.
Those indicted were Vladimir Drinkman, 32, of Moscow and Syktyvkar, Russia; Aleksandr Kalinin, 26, of St. Petersburg; Roman Kotov, 32, and Dmitriy Smilianets, 29, of Moscow; and Mikhail Rytikov, 26, of Odessa, Ukraine.
All five were charged with conspiracy to gain unauthorized access to computer and conspiracy to commit wire fraud. All but Rytikov were charged with wire fraud and unauthorized access to computers.
In New York, federal authorities also indicted Kalinin and accused him of hacking computers used by the Nasdaq Stock Market. From November 2008 to October 2010, Kalinin hacked servers and installed malicious software or malware, which let him and others execute commands to delete, change and steal data, according to a statement by U.S. Attorney Preet Bharara.
Kalinin also was indicted in New York with another Russian, Nikolay Nasenkov, on charges that they stole bank account information from Citigroup Inc. and PNC Financial Services Group Inc. through hacking and other techniques.
"Cyber criminals are determined to prey not only on individual bank accounts, but on the financial system itself," Bharara said in a statement. He noted the "close and growing collaboration between the U.S. government and the private sector on issues of cyber security."
In 2006, Nasenkov, 31, of St. Petersburg, supplied account information taken from PNC to co-conspirators who encoded blank ATM cards and stole $1.3 million from the accounts of victims, according to Bharara's statement.
In 2007, Kalinin placed malware on a computer network that processed ATM transactions for Citibank and other financial institutions, according to Bharara. The malware, which recorded data passing over the network, allowed Kalinin to steal information on 500,000 bank accounts, including 100,000 at Citibank, the prosecutor said.
The data were used to create ATM cards, which aided the withdrawal of $2.9 million from Citibank accounts, according to Bharara. Nasenkov in 2008 used a computer program "to mount an attack against Citibank's online banking website that resulted in the theft of account information for more than 300,000 accounts," according to Bharara. That stolen data were used to create ATM cards that led to the theft of $3.6 million, according to the prosecutor.
Gonzalez, 32, was sentenced in 2010 to 20 years in prison for stealing 130 million credit- and debit-card records from Heartland Payment Systems Inc., 7-Eleven Inc., Delhaize Group's Hannaford Brothers Co. and two unidentified national retailers. Another judge sentenced him to 20 years for stealing 40 million records from retailers including TJX Cos., OfficeMax Inc. and BJ's Wholesale Club Inc. His terms run at the same time.
Drinkman and his conspirators are charged with targeting Heartland, Hannaford, Carrefour and several other companies.
Kalinin and Drinkman were previously charged as Hacker 1 and Hacker 2 in a 2009 indictment of Gonzalez, according to Fishman. Rytikov was previously charged by federal prosecutors in an unrelated scheme in Virginia, according to Fishman.
Drinkman and Smilianets were arrested at the request of the U.S. while traveling in the Netherlands on June 28, 2012, according to Fishman. Smilianets, who was extradited in September and is in federal custody, will be arraigned at some point in New Jersey. Drinkman is in custody in the Netherlands pending an extradition hearing, according to Fishman.
Kalinin, Kotov, Rytikov and Nasenkov remain at large, according to Fishman and Bharara.
The cases are U.S. v. Drinkman, 09-cr-00626, U.S. District Court, District of New Jersey (Newark); and U.S. v. Kalinin and U.S. v. Nasenkov, 09-cr-1093, U.S. District Court, Southern District of New York (Manhattan).