US charges six in biggest credit card hack on record
U.S. prosecutors charged six foreign nationals with hacking crimes, including credit and debit card thefts that authorities say cost U.S. and European companies more than $300 million in losses, and charged one of them with breaching Nasdaq computers.
Prosecutors said the indictments unsealed on Thursday for the payment card hacking were the biggest cyber fraud case filed in U.S. history.
The long list of victims includes financial firms Citigroup, Nasdaq OMX Group, PNC Financial Services Group and a Visa licensee, Visa Jordan. Others include retailers Carrefour and J.C. Penney along with JetBlue Airways, prosecutors said as they announced indictments.
Prosecutors said they conservatively estimate that a group of five men stole at least 160 million credit card numbers, resulting in losses in excess of $300 million.
Authorities in New Jersey charged that each of the defendants had specialized tasks: Russians Vladimir Drinkman, 32, and Alexandr Kalinin, 26, hacked into networks, while Roman Kotov, 32, mined them for data. They allegedly hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Ukraine.
Russian Dmitriy Smilianets, 29, is accused of selling the stolen data and distributing the profits. Prosecutors said he charged $10 for U.S. cards, $15 for ones from Canada and $50 for European cards, which are more expensive because they have computer chips that make them more secure.
The five concealed their efforts by disabling anti-virus software on victims' computers and storing data on multiple hacking platforms, prosecutors said. They sold the payment card numbers to resellers, who then sold them on online forums or to "cashers" who encode the numbers onto blank plastic cards.
"This type of crime is the cutting edge," said U.S. Attorney Paul J. Fishman for the District of New Jersey. "Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy and our national security."
The indictment also cited Albert Gonzalez as a co-conspirator. He is serving 20 years in federal prison after pleading guilty to helping mastermind one of the biggest hacking fraud schemes in U.S. history, helping steal millions of credit and debit cards.
Drinkman and Smilianets were arrested at the request of U.S. authorities on June 28, 2012, while traveling in the Netherlands. Smilianets was extradited last September and is expected to appear in New Jersey Federal court next week. Drinkman is awaiting an extradition hearing in the Netherlands.
Asked if he believed the other three are still in Russia, Fishman said: "I'm not going to say where I believe they are, we just know they're not in our custody."
Kalinin and Drinkman were previously charged in New Jersey as "Hacker 1" and "Hacker 2" in a 2009 indictment charging Gonzalez, 32, in connection with five breaches—including one on Heartland Payment Systems.
The U.S. Attorney's Office in Manhattan announced two other indictments against Kalinin, one charging he hacked servers used by Nasdaq from November 2008 through October 2010. It said he installed malicious software that enabled him and others to execute commands to delete, change or steal data.
The infected servers did not include the trading platform that allows Nasdaq customers to buy and sell securities, prosecutors said. Officials with Nasdaq said they could not immediately comment.
A source with knowledge of the breach said on Thursday the indictment was not related to a 2010 attack that Nasdaq had previously disclosed, though it has said little about the matter. Sources told Reuters in 2011 that the previously disclosed attack targeted Directors Desk, a service used by corporate boards to share documents and communicate with executives, among other things.
The source who spoke to Reuters on Thursday, who asked to remain anonymous due to the sensitivity of the matter, said that Nasdaq was working with the FBI and Justice Department on the matter.
The second indictment filed against Kalinin in Manhattan, which was unsealed on Thursday, charged that he worked with a sixth hacker, Russian Nikolay Nasenkov, 31, to steal bank account information from thousands of customers at Citibank and PNC Bank from 2005 to 2008, resulting in the theft of millions of dollars.
Mark Rasch, a former federal cyber-crimes prosecutor, told Reuters that the arrests show that law enforcement is making progress in identifying those responsible for major cyber-crimes.
"They involve dozens or even hundreds of people huddled over computer terminals all over the world in a common purpose of stealing or disseminating credit card numbers," said Rasch, who was not involved in bringing the case.
Among the breaches cited in the New Jersey indictment, prosecutors charged that the group was responsible for the theft of more than 130 million credit card numbers from U.S. payment processor Heartland Payment Systems beginning in December 2007, resulting in approximately $200 million of losses.
The indictment charged that they took approximately 30 million payment card numbers from British payment processor Commidea Ltd. in 2008 and 800,000 card numbers from Visa's licensee Visa Jordan in 2011.
An attack on Global Payment Systems that began in about January 2011 resulted in the theft of more than 950,000 cards and losses of about $93 million, according to the indictment.
It charged the ring with stealing approximately 2 million credit card numbers from French retailer Carrefour, beginning as early as October 2007, and 4.2 million card numbers from U.S. grocer Hannaford Brothers, a unit of Delhaize Group. It said the theft of card numbers from Dexia Bank Belgium resulted in $1.7 million in losses.
Dow Jones said in a statement that there was "no evidence" that information of Dow Jones or Wall Street Journal customers was compromised as a result of the breaches.
Officials with Carrefour, Global Payments and J.C. Penney declined comment.