Estonian man extradited to U.S. to face hacking charges

One of the masterminds behind the hacking of RBS WorldPay, in which thieves stole data belonging to an estimated 1.5 million individuals, has been extradited to the United States to face federal charges.

Sergei Tsurikov, 26, of Tallinn, Estonia was charged with conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud and aggravated identity theft. Prosecutors said Tsurikov was one of four people who orchestrated the compromise of RBS WorldPay, the Atlanta-based payment-processing division of The Royal Bank of Scotland Group. They were indicted in November, and Tsurikov is the first to be extradited.

In addition, four others from Estonia — Igor Grudijev, 31; Ronald Tsoi, 31; Evelin Tsoi, 20, and Mihhail Jevgenov, 33 — were indicted on access device fraud charges. 

According to a news release issued Friday by the U.S. attorney's office in the Northern District of Georgia, the group used "sophisticated hacking techniques to compromise the data encryption that was used by RBS WorldPay to protect customer data on payroll debit cards." Once the encryption was cracked, the defendants raised the account limits of targeted accounts, which allowed them to withdraw some $9 million from worldwide ATMs through the creation of 44 bogus payroll debit cards.

The gang hired so-called cashiers – who kept up to half of the stolen funds – to lift the money from 2,100 cash machines located in at least 280 cities, including in the United States.

If convicted, Tsurikov faces 20 years in prison for conspiracy to commit wire fraud and for each wire fraud count, up to five years for conspiracy to commit computer fraud, and up to five or 10 years for each count of computer fraud. Additionally, he faces a mandatory two-year prison term for aggravated ID theft, and fines up to $3.5 million.