Federal prosecutors on Thursday brought what they called the largest hacking and data breach case in the country, charging five people with running an organization that hacked the computer networks of more than a dozen corporations, stealing and selling at least 160 million credit and debit card numbers.
The scheme was run by four Russian nationals and a Ukrainian, said the prosecutors, who announced the indictments in Newark, N.J. Paul Fishman, the U.S. attorney for the District of New Jersey, said losses ran into the hundreds of millions of dollars.
“The losses in this case are staggering,” Fishman said at a press conference. “This type of crime is really the cutting edge of financial fraud.”
The victims in the scheme, which prosecutors said ran from 2005 until last year, included Visa; J.C. Penney; 7-Eleven; JetBlue; Heartland Payment Systems, one of the world’s largest credit and debit processing companies; and the French retailer Carrefour. A separate case involving one of the defendants and the Nasdaq stock exchange was filed by the U.S. attorney for the Southern District of New York.
“The defendants and their co-conspirators penetrated the secure computer networks of several of the largest payment processing companies, retailers and financial institutions in the world, and stole the personal identifying information of others such as user names and passwords,” prosecutors said.
The defendants were identified as Vladimir Drinkman, Alexander Kalinin, Roman Kotov and Dmitriy Smilianets of Russia and Mikhail Rytikov of Ukraine. Drinkman is in custody in the Netherlands, and Smilianets is in custody in the United States. The whereabouts of the three others was unclear.
The attacks underscore the broader threat that hacking poses to a financial system that is almost entirely reliant on networked communications.
In the Nasdaq case, Kalinin is accused of hacking into the servers used by the exchange. From November 2008 through October 2010, he installed malicious software, or malware, on servers that allowed him to delete, change or steal data, according to the indictment unsealed Thursday. The infected servers did not include the platform for securities trading.
In a separate indictment also unsealed in federal court in New York, Kalinin and another Russian, Nikolay Nasenkov, who is also at large, are accused of conducting a scheme to steal bank account information and use it to withdraw millions of dollars from the victims’ bank accounts. From December 2005 through November 2008, the two men hacked into computer systems and stole information from banks including Citibank and PNC Bank, according to the indictment.
In January 2006, the personal identification numbers for hundreds of customer accounts were compromised by a cyberattack on PNC Bank’s online banking website, the indictment said. Nasenkov supplied stolen account information to co-conspirators who, in turn, used it to encode blank ATM cards and withdraw $1.3 million from victims’ accounts.
In 2007, Kalinin placed malware on a computer network that processed ATM transactions for Citibank and other financial institutions and used the code to steal bank account information for about 500,000 bank accounts, including 100,000 Citibank accounts, the indictment said. The stolen account information was used to create ATM cards that were used to withdraw $2.9 million from Citibank customers’ accounts.
In 2008, Nasenkov used a computer program to attack Citibank’s website that resulted in the theft of account information for more than 300,000 accounts, according to the indictment. The information was used to create ATM cards that were used to withdraw $3.6 million.