Five charged in hacking corporate networks to steal 160M card numbers

Federal prosecutors in New Jersey announced Thursday that five men have been charged for their role in one of the country's largest-ever hacking operations to be dismantled.

An indictment unsealed by the U.S. attorney's office charged Russian hackers Vladimir Drinkman, 32; Roman Kotov, 32; Dmitriy Smilianets, 29; and Aleksandr Kalinin, 26, along with 26-year-old Ukrainian Mikhail Rytikov, for their involvement in the ring. The five are alleged to have conspired with others.

Prosecutors said the defendants are charged with penetrating the computer networks of major U.S. companies in a campaign dating back to 2005. They are alleged to have hacked into networks and databases using a common method known as SQL injection, which enabled them to steal more than 160 million credit card numbers and cause hundreds of millions of dollars in financial losses.

The affected entities include Dow Jones, NASDAQ, JCPenney, JetBlue, Heartland Payment Systems, TJX, Hannaford Bros. and 7-Eleven, with three of the affected organizations reporting losses in excess of $300 million.

Investigators said the group conspired with Albert Gonzalez, who began serving a 20-year sentence in 2010 after pleading guilty to stealing and reselling hundreds of millions of credit and debit cards in a campaign dating back to 2005. Kalinin and Drinkman, at that time still unnamed, were charged as conspirators in Gonzalez's 2009 indictment.

Gonzalez, best known for masterminding the mega-hacks of Princeton, N.J.-based payment processor Heartland Payment Systems and discount retail parent company TJX, has been linked to the compromises at a number of other retailers and businesses.

According to prosecutors, each of the hackers took on different roles: Drinkman and Kalinin breached the targeted companies and gained access to the systems holding sensitive data of customers. Kotov mined the networks to steal valuable information. Rytikov helped hide his cohorts' activities by using anonymous web-hosting services. And Smilianets sold the information and distributed the proceeds.

The gang hijacked usernames, passwords, identification information and credit and debit card numbers, and sold the data “dumps” to resellers for between $10 and $50, depending on the victims' location, according to the U.S. attorney's office. Data belonging to Americans netted the lower end of the range, while information on Canadians and Europeans earned higher proceeds.

The resellers would typically sell the “dumps” online, and the information was oftentimes encoded into the magnetic stripe of blank cards, which were then used to purchase goods or withdraw cash from ATMs.

All five of the accused are being charged with conspiracy to gain unauthorized access to computers and conspiracy to commit wire fraud, which combined carry a maximum of 35 years in prison.

All but Rytikov are additionally charged with unauthorized access to computers and wire fraud, which carry maximum sentences of five years and 30 years, respectively.

U.S. Attorney for New Jersey Paul Fishman said in a news release on Thursday that the losses faced by victims of identity theft are "immeasurable."

Drinkman and Smilianets were arrested on June 28, 2012 in the Netherlands. Smilianets is in federal custody following a September 2012 extradition, and Drinkman is awaiting an extradition hearing in the Netherlands. Kalinin, Kotov and Rytikov remain at large.
