Breach, Threat Management, Data Security, Threat Management, Vulnerability Management

Prison sentence for RBS hacker suspended in Russia

One of the leaders of a cybercriminal gang that hacked into payment services provider RBS WorldPay and stole $9 million has received a six-year suspended sentence in Russia, according to reports. 

Viktor Pleshchuk, 28, of St. Petersburg, also received four years of probation and was ordered to pay the equivalent of $8.9 million in restitution for his role in the November 2008 heist, according to a report in Bloomberg. Pleshchuk, who prosecutors said was one of four people who orchestrated the compromise, received a reduced sentence for cooperating with authorities.

He was arrested earlier this year by the Russian Federal Security Service. 

The sentence seems low compared to U.S. standards, especially considering that Pleshchuk was one of the prime coordinators behind the multimillion dollar heist, Chester Wisniewski, senior security adviser at Sophos, told in an email on Thursday.

“It is not atypical, however, by international standards, especially considering the victims aren't Russian,” Wisniewski said. “It is a positive sign that the Russians arrested him and charged him at all. Historically, many of these criminals got away scot free.”

Post-Soviet Union states have often been the beneficiaries of this type of crime and turned a blind eye to it, he added. But this case may serve as the “tipping point” that leads to greater cooperation and prosecution. 

Pleshchuk faces separate charges in the U.S. that were handed up last November by a federal grand jury in Atlanta.

However, the United States does not have an extradition treaty with Russia, so it is unlikely Pleshchuk will face charges in this country unless he is nabbed while traveling outside of Russia, Graham Cluley, senior security researcher at anti-virus firm Sophos, wrote in a blog post on Thursday.

Several other Eastern Europeans also face U.S. charges in connection with the hack, including Sergei Tsurikov, 25, of Tallinn, Estonia; Oleg Covelin, 28, of Chisinau, Moldova; and an unnamed person known as "Hacker 3." Each were charged in 16-count indictments alleging wire fraud, conspiracy to commit wire fraud, computer fraud, conspiracy to commit computer fraud, access device fraud and aggravated identity theft.

In addition, four others from Estonia — Igor Grudijev, 31; Ronald Tsoi, 31; Evelin Tsoi, 20; and Mihhail Jevgenov, 33 — each were indicted on access device fraud charges.

The gang used sophisticated hacking techniques to evade encryption on the network of the U.S. payment processing division of Atlanta-based RBS and compromise prepaid payroll debit cards, prosecutors have said in a statement. The defendants then raised the limits on the accounts, created 44 counterfeit cards and hired a group of "cashers" to use the cards to withdraw more than $9 million in less than 12 hours from 2,100 cash machines across 280 cities worldwide.

Acting U.S. Attorney Sally Yates said the scheme was "perhaps the most sophisticated and organized computer fraud attack ever conducted.”

Early last month, Tsurikov, another mastermind behind the hack, was extradited from Estonia to the United States and arraigned in U.S. District Court in the Northern District of Georgia for his role in the scheme.

Tsurikov, Pleshchuk, Covelin and "Hacker 3" each face up to 20 years in prison for conspiracy to commit wire fraud and for each wire fraud count, up to five years for conspiracy to commit computer fraud, up to 10 years for each count of computer fraud, and a mandatory two-year sentence for aggravated ID theft. In addition, they each face fines of up to $3.5 million.

The four facing access device fraud charges face a maximum sentence of up to 15 years and fines of up to $250,000.

A RBS WorldPay spokesperson could not immediately be reached for comment.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.