US officials have announced indictments against four Russians and a Ukrainian in the country's largest-ever hacking case. The suspected thefts amounted to hundreds of millions of dollars in company losses.
Four Russians and a Ukrainian were charged on Thursday with running a ring of hackers who, over a period of seven years, broke into computer networks of American and international companies, stealing information and selling it on.
U.S. Attorney Paul Fishman said the case was the largest hacking and data breach scheme ever tried in the United States.
"This type of crime is the cutting edge," Fishman said. "Those who have the expertise and the inclination to break into our computer networks threaten our economic wellbeing, our privacy and our national security."
The defendants were identified as Russians Vladimir Drinkman, Aleksander Kalinin, Roman Kotov and Dmitriy Smilianets, and Ukrainian Mikhail Rytikov.
Smilianets is in US custody and is expected to appear in federal court next week. Drinkman is being held in the Netherlands pending extradition, and the other three remain at large.
All five are charged with participating in a computer hacking conspiracy and conspiracy to commit wire fraud. The Russians are also charged with multiple counts of unauthorized computer access and wire fraud.
These charges stem from a case that resulted in a 20-year prison sentence in 2010 for Albert Gonzalez of Miami, who often used the screen name "soupnazi" and is identified in the new complaint as an unindicted co-conspirator.
The prosecutors revealed that Heartland Payment Systems Inc. took the biggest hit. Hackers targeted the company starting in 2007, stealing more than 130 million card numbers at a loss of around $200 million (152 million euros).
Another victimized company was Global Payment Systems, which had nearly 1 million card numbers stolen, with losses of $93 million.
Several hundred thousand card numbers were stolen when the suspected hackers targeted the Visa network, but prosecutors did not cite an exact figure for the losses. Not all of the targeted companies that the hackers infected with malicious software suffered financial losses. Nasdaq and Dow Jones Inc., for example, had credentials stolen, but the trading platforms were not affected.
The indictment said the suspects sent each other instant messages as they infected the corporate data, declaring things like: "NASDAQ is owned."
The criminals who bought the credit and debit card numbers and associated data from the hacking organization resold them through online forums or directly to others known as "cashers," the indictment said.
Data stolen by the hackers was stored on servers worldwide, including sites in New Jersey, Pennsylvania, California, Illinois, Latvia, the Netherlands, the Bahamas, Ukraine, Panama and Germany.
Cashers got hard currency by encoding the stolen information onto magnetic strips of blank plastic cards. They would then either withdraw money from ATMs on debit cards or run up charges on credit cards.
tm/dr (AP, Reuters)