U.S. prosecutors charged six foreign nationals with hacking crimes, including credit- and debit-card thefts that authorities say cost U.S. and European companies more than $300 million in losses, and charged one of them with breaching Nasdaq computers.
Prosecutors said the indictments for the payment-card hacking unsealed on Thursday constituted the biggest cyber fraud case filed in U.S. history.
The long list of victims include financial firms Citigroup Inc., Nasdaq OMX Group Inc., PNC Financial Services Group Inc. and a Visa Inc. licensee, Visa Jordan. Others include retailers Carrefour SA and J.C. Penney Co., along with JetBlue Airways Corp., prosecutors said as they announced indictments.
Prosecutors said they conservatively estimate that a group of five men stole at least 160 million credit card numbers, resulting in losses in excess of $300 million.
Authorities in New Jersey charged that each of the defendants had specialized tasks: Russians Vladimir Drinkman, 32, and Alexandr Kalinin, 26, hacked into networks, while Roman Kotov, 32, mined them for data. They allegedly hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Ukraine.
Russian Dmitriy Smilianets, 29, is accused of selling the stolen data and distributing the profits.
The five concealed their efforts by disabling anti-virus software on victims’ computers and storing data on multiple hacking platforms, prosecutors said. They sold the payment card numbers to resellers, who then sold them on online forums or to “cashers” who encode the numbers onto blank plastic cards.
“This type of crime is the cutting edge,” said U.S. Attorney Paul J. Fishman for the District of New Jersey. “Those who have the expertise and the inclination to break into our computer networks threaten our economic wellbeing, our privacy and our national security.”
The indictment also cited Albert Gonzalez as a co-conspirator. He is serving 20 years in federal prison after pleading guilty to helping mastermind one of the biggest hacking fraud schemes in U.S. history, helping steal millions of credit and debit cards.
Drinkman and Smilianets were arrested on June 28, 2012, in the Netherlands. Smilianets is expected to appear in New Jersey Federal court next week. Drinkman is awaiting an extradition hearing in the Netherlands.
The U.S. Attorney’s Office in Manhattan announced two other indictments against Kalinin, one charging he hacked servers used by Nasdaq from November 2008 through October 2010. It said he installed malicious software that enabled him and others to execute commands to delete, change or steal data.
The infected servers did not include the trading platform that allows Nasdaq customers to buy and sell securities, prosecutors said. Officials with Nasdaq said they could not immediately comment.
The second indictment filed against Kalinin in Manhattan, which was unsealed on Thursday, charged that he worked with a sixth hacker, Russian Nikolay Nasenkov, 31, to steal bank account information from thousands of customers at Citibank and PNC Bank from 2005 to 2008, resulting in the theft of millions of dollars.