Authorities believe Maksym Yastremskiy, 25, led the sale of data stolen through the March 2007 hacking of discount retailer TJX, in which more than 45 million credit card and debit card numbers were potentially exposed.
Yastremskiy was sentenced to 30 years in prison and ordered to pay fines totaling $23,200 for unauthorized access to computer systems and fraud, unrelated to the TJX theft. Yastremskiy reportedly hacked into the computer systems of 12 Turkish banks, then sold hundreds of thousands of credit card numbers and other personal information.
Yastremskiy has been held in Turkey since he was arrested there in July 2007, when he was visiting the country on vacation. The United States has made a formal request for his extradition pending the resolution of Turkish charges, the U.S. Department of Justice said in August.
In the United States, Yastremskiy and 10 others face charges for hacking into the wireless computer networks of nine major retailers -- including TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW -- resulting in the theft and sale of more than 40 million credit and debit card numbers.
Yastremskiy and two others -- Albert "Segvec" Gonzalez of Miami and Aleksandr "Jonny Hell" Suvorov of Sillamae, Estonia -- face additional charges in New York for hacking into computer networks run by the Dave & Buster's restaurant chain and stealing credit and debit card numbers from at least 11 locations, according to a U.S. Department of Justice news release.
“The authorities should be congratulated for bringing another hacker to justice, and it will be interesting to see what else emerges from this ongoing case involving other suspects in the [TJX] case around the world,” wrote Graham Cluley, senior technology consultant at Sophos, in a blog post about the incident.
Cluley said this should send a message to cybercriminals that more convictions are being made and international cooperation on cybercrime is improving.