Indictments Announced In NJ In Massive Hacking Scheme
By David Madden
NEWARK, N.J. (CBS) -- The US attorney in New Jersey has announced the indictments of five Eastern European men -- four Russian nationals and a Ukrainian -- in what's being called the largest hacking and data breach case in US history.
The five men, with help from four others who were not indicted here, allegedly used an elaborate and complicated plan over a period of seven years to rip off more than a dozen major international corporations to the tune of at least $300 million.
"That is our conservative estimate of the losses -- the amount we've been able to confirm so far -- and suffered by only three of the victim companies," said US attorney Paul Fishman today. "The actual loss here may well be much, much higher."
Among the alleged victims were Nasdaq, the electronic stock exchange; the 7-Eleven chain; JC Penney Co.; the regional supermarket chain Hannaford Brothers; Heartland Payment Systems Inc., one of the world's largest credit and debit processing companies; French retailer Carrefour SA; and the Belgium bank Dexia Bank Belgium.
The hackers also grabbed more than 160 million credit card numbers and the personal data that goes with them. They were allegedly sold around the world to others who may have ripped off cardholders for amounts still unknown.
The prosecution builds on a case that resulted in a 20-year prison sentence in 2010 for Albert Gonzalez of Miami, who is identified in the new complaint as an unindicted co-conspirator.
The defendants were identified as Vladimir Drinkman, Aleksander Kalinin, Roman Kotov, Dmitriy Smilianets, and Mikhail Rytikov.
Prosecutors identified Drinkman and Kalinin as sophisticated hackers who specialized in penetrating the computer networks of multinational corporations, financial institutions, and payment processors.
Kotov's specialty was harvesting data from the networks after they had been penetrated, and Rytikov provided anonymous web-hosting services that were used to hack into computer networks and covertly remove data, the indictment said.
Smilianets was the information salesman, the government said.
All five are charged with taking part in a computer hacking conspiracy and conspiracy to commit wire fraud. The four Russian nationals are also charged with multiple counts of unauthorized computer access and wire fraud.
The individuals who purchased the credit and debit card numbers and associated data from the hacking organization resold them through online forums or directly to others known as "cashers," the indictment said.
The cashers would encode the information onto the magnetic strips of blank plastic cards and cash out the value, by either withdrawing money from ATMs in the case of debit cards, or running up charges and purchasing goods in the case of credit cards.