U.S. indicts hackers in biggest cyber fraud case in history

by Reuters
Thursday, 25 July 2013 22:01 GMT

* Prosecutors say men were associates of Albert Gonzalez

* Say at least 160 mln credit card numbers stolen

* Nasdaq said to be victim of two-year breach

* Hackers could delete, change, steal Nasdaq data - prosecutors

By David Jones and Jim Finkle

NEWARK, N.J./BOSTON, July 25 (Reuters) - Federal prosecutors said on Thursday they have charged five men responsible for a hacking and credit card fraud spree that cost companies more than $300 million and two of the suspects are in custody, in the biggest cyber crime case filed in U.S. history.

They also disclosed a new security breach against Nasdaq, though they provided few details about the attack.

Other companies targeted by the hackers include a Visa Inc licensee, J.C. Penney Co, JetBlue Airways Corp and French retailer Carrefour SA, according to an indictment unveiled in New Jersey.

Authorities have been pursuing the hackers for years. Many of the breaches were previously reported, though it appeared the one involving Nasdaq OMX Group Inc was being disclosed for the first time.

Prosecutors said they conservatively estimate that the group of five men from Russia and Ukraine helped steal at least 160 million payment card numbers, resulting in losses in excess of $300 million.

Authorities in New Jersey charged that each of the defendants had specialized tasks: Russians Vladimir Drinkman, 32, and Alexandr Kalinin, 26, hacked into networks, while Roman Kotov, 32, mined them for data. They allegedly hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Ukraine.

Russian Dmitriy Smilianets, 29, is accused of selling the stolen data and distributing the profits. Prosecutors said he charged $10 for U.S. cards, $15 for ones from Canada and $50 for European cards, which are more expensive because they have computer chips that make them more secure.

The five hid their efforts by disabling anti-virus software of their victims and storing data on multiple hacking platforms, prosecutors said. They sold payment card numbers to resellers, who then sold them on online forums or to "cashers" who encode the numbers onto blank plastic cards.

"This type of crime is the cutting edge," said New Jersey U.S. Attorney Paul J. Fishman. "Those who have the expertise and the inclination to break into our computer networks threaten our economic wellbeing, our privacy and our national security."

The indictment cited Albert Gonzalez as a co-conspirator. He is already serving 20 years in prison after pleading guilty to helping mastermind one of the biggest hacking fraud schemes in U.S. history, helping steal millions of credit and debit cards.

Prosecutors say the defendants worked with Gonzalez before his arrest in Miami, then continued on a crime spree after his capture.

Drinkman and Smilianets were arrested in June 2012, while traveling in the Netherlands, at the request of U.S. authorities. Smilianets was extradited last September and is expected to appear in New Jersey Federal court next week. Drinkman is awaiting an extradition hearing in the Netherlands.

Prosecutors declined comment on the whereabouts of the other three defendants.

Tom Kellermann, a vice president with security software maker Trend Micro, said he thinks the prospects are dim that they will be caught because authorities in some countries turn a blind eye to cyber criminals.

"There is an enormous shadow economy that exists in Eastern Europe. In some countries, sophisticated hackers are seen as national assets," he said.

Kalinin and Drinkman were previously charged in New Jersey as "Hacker 1" and "Hacker 2" in a 2009 indictment charging Gonzalez in connection with five breaches.


The U.S. Attorney's Office in Manhattan announced two other indictments against Kalinin, one charging he hacked servers used by Nasdaq from November 2008 through October 2010. It said he installed malicious software that enabled him and others to execute commands to delete, change or steal data.

The infected servers did not include the trading platform that allows Nasdaq customers to buy and sell securities, prosecutors said. Officials with Nasdaq said they could not immediately comment.

A source with knowledge of the breach said on Thursday the indictment was not related to a 2010 attack that Nasdaq had previously disclosed, which was targeted against Directors Desk, a service used by corporate boards to share documents and communicate with executives, among other things.

The source, who asked to remain anonymous due to the sensitivity of the matter, said that hackers appear to have used their access to the firm's network to create their own landing page on a Nasdaq website, where users were directed when they wanted to change their passwords.

The second indictment filed against Kalinin in Manhattan, which was unsealed on Thursday, charged that he worked with a sixth hacker, Russian Nikolay Nasenkov, 31, to steal bank account information from thousands of customers at Citibank and PNC Bank from 2005 to 2008, resulting in the theft of millions of dollars.


Mark Rasch, a former federal cyber crimes prosecutor, told Reuters that the arrests show that law enforcement is making progress in identifying those responsible for major cyber crimes.

"They involve dozens or even hundreds of people huddled over computer terminals all over the world in a common purpose of stealing of disseminating credit card numbers," said Rasch, who was not involved in bringing the case.

Among the breaches cited in the New Jersey indictment, prosecutors charged that the group was responsible for the theft of more than 130 million credit card numbers from U.S. payment processor Heartland Payment Systems Inc beginning in December 2007, resulting in approximately $200 million of losses. That was the same case for which Gonzalez was convicted and which was the largest case of its kind before the latest indictments.

Heartland released a statement praising authorities for their work: "We hope that this indictment further delivers the message that prolific hacking organizations worldwide will be pursued and charged for crimes such as this one."

The indictment charged that they took approximately 30 million payment card numbers from British payment processor Commidea Ltd in 2008 and 800,000 card numbers from Visa Inc's licensee Visa Jordan in 2011.

An attack on Global Payment Systems that began in about January 2011 resulted in the theft of more than 950,000 cards and losses of about $93 million, according to the indictment.

It charged the ring with stealing approximately 2 million credit card numbers from French retailer Carrefour SA, beginning as early as October 2007, and said the theft of card numbers from Dexia Bank Belgium resulted in $1.7 million in losses.

Other victims included Dow Jones, Wet Seal Inc and 7-Eleven Inc, according to prosecutors.

Dow Jones said in a statement that there was "no evidence" that information of Dow Jones or Wall Street Journal customers was compromised as a result of the breaches.

Officials with Carrefour, Global Payments and JCPenney declined comment.