A federal indictment made public July 25 in New Jersey charges five men with conspiring in a worldwide hacking and data breach scheme that targeted major corporate credit card processing networks, stole more than 160 million credit card numbers, resulted in hundreds of millions of dollars in losses and is the largest such scheme ever prosecuted in the United States.
The defendants allegedly sought corporate victims engaged in credit card processing transactions, retailers that received and transmitted financial data, and other institutions holding information they could exploit for profit. The defendants are charged with attacks on corporations including NASDAQ, 7-Eleven, Wet Seal, JetBlue and Dow Jones. This is a cutting-edge type of crime committed by those with the expertise to break into credit card processing networks, and it threatens our economic well-being, privacy and national security. The real cost is that this type of fraud in particular increases the cost of doing business for every American consumer.
The defendants were allegedly responsible for leading a worldwide hacking conspiracy that victimized consumers and corporations, causing hundreds of millions of dollars in losses. The Secret Service will continue to apply innovative techniques to investigate and arrest transnational cyber criminals. While the global nature of cyber-crime continues to have a profound impact on credit card processing companies, this case demonstrates the global investigative steps that U.S. Secret Service Special Agents are taking to ensure that criminals will be pursued and prosecuted no matter where they reside.
According to the second superseding indictment unsealed today in Newark federal court and other court filings:
The five men each served particular roles in the scheme. Vladimir Drinkman and Alexandr Kalinin each specialized in penetrating network security and gaining access to the corporate victims’ systems. Roman Kotov specialized in mining the networks Drinkman and Kalinin compromised to steal valuable data. The hackers hid their activities using anonymous web-hosting services provided by Mikhail Rytikov. Dmitriy Smilianets sold the information stolen by the other conspirators and distributed the proceeds of the scheme to the participants.
The Credit Card Processing Attacks
The five defendants conspired with others to penetrate the computer networks of several of the largest credit card processing companies, retailers and financial institutions in the world, stealing the personal identifying information of individuals. They took user names and passwords, means of identification, credit and debit card numbers and other corresponding personal identification information of cardholders. Conservatively, the conspirators unlawfully acquired more than 160 million card numbers through hacking.
The initial entry was often gained using a “SQL injection attack.” SQL, or Structured Query Language, is the language used to query and manage data held in relational databases. In a SQL injection attack, the attacker supplies input to a web application that does not properly separate user-supplied data from the SQL commands it sends to the database, so the input is interpreted as part of the command itself; the hackers identified such vulnerabilities in the victims’ applications to infiltrate their networks. Once a network was infiltrated, the defendants placed malware on the compromised systems, which left them exposed and helped the defendants maintain access to the network.
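The following is an added illustration of the SQL injection technique described above; it is example code written for this page, not anything from the indictment or the victims’ systems. It uses an in-memory SQLite table with constructed, fake cardholder rows and contrasts a lookup that concatenates user input into the query text with the same lookup using a parameterized query. The table, column and payload strings are assumptions chosen for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (fake numbers, not real cardholders).
SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
    ("carol", "340000000000009"),
]


def make_db():
    """Create an in-memory database holding the constructed cardholder table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cardholders (username TEXT, card_number TEXT)")
    conn.executemany("INSERT INTO cardholders VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: user input is spliced into the SQL text.

    Whatever the caller passes becomes part of the command, so a quote in the
    input ends the string literal and the rest is parsed as SQL.
    """
    query = "SELECT card_number FROM cardholders WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    """Hardened form: a parameterized query.

    The SQL text is fixed; the driver passes the value separately, so quotes
    or keywords in the input are only ever compared as data.
    """
    query = "SELECT card_number FROM cardholders WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# Assumed attacker inputs: a tautology that matches every row, and a UNION that
# reads table names out of SQLite's catalog instead of the intended column.
PAYLOAD_ALL_ROWS = "x' OR '1'='1"
PAYLOAD_SCHEMA = "' UNION SELECT name FROM sqlite_master--"


def demo():
    conn = make_db()
    return {
        "vulnerable_all_rows": lookup_vulnerable(conn, PAYLOAD_ALL_ROWS),
        "vulnerable_schema": lookup_vulnerable(conn, PAYLOAD_SCHEMA),
        "safe_all_rows": lookup_safe(conn, PAYLOAD_ALL_ROWS),
        "safe_normal": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Against the concatenated query, the tautology payload dumps every card number in the table and the UNION payload returns the table name from the catalog, which is how an attacker maps a database before pulling data out of it. The parameterized query returns nothing for either payload and still answers a normal lookup, which is why parameterized statements, rather than input filtering, are the standard fix.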
Instant message chats obtained by law enforcement reveal the defendants often targeted the victim credit card processing companies for many months, waiting patiently as their efforts to bypass security were underway. The defendants had malware implanted in multiple companies’ servers for more than a year. The defendants used their access to the networks to install programs designed to identify, collect and steal data from the victims’ computer networks. The defendants then used an array of computers located around the world to store the stolen data and ultimately sell it to others.
Selling the Data
After acquiring the card numbers and associated data, the conspirators sold it around the world. The buyers then resold it through online forums or directly to individuals and organizations. Smilianets was in charge of sales, vending the data only to trusted identity theft wholesalers. Ultimately, the end users encoded the stolen data onto the magnetic stripe of blank plastic cards and cashed out the value by withdrawing money from ATMs or making purchases with the cards.
Covering Their Tracks
The defendants used a number of methods to conceal the scheme. Unlike traditional Internet service providers, Rytikov allowed his clients to hack with the knowledge that he would never keep records of their online activities or share information with law enforcement. Over the course of the conspiracy, the defendants communicated through private and encrypted communications channels to avoid detection. Fearing that law enforcement would intercept even those communications, some of the conspirators attempted to meet in person. To protect against detection by the victim credit card processing companies, the defendants altered settings on the victim companies’ networks so that security mechanisms would stop logging their actions. The defendants also worked to evade the protections of existing security software.
As a result of the scheme, credit card processing companies and consumers suffered hundreds of millions of dollars in losses, along with immeasurable losses to the identity theft victims in costs associated with stolen identities and false charges.
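The indictment describes the defendants changing settings on victim networks so that security mechanisms stopped logging their actions. The defensive counterpart is to treat the audit trail itself as something to monitor: a logging-policy change, or a stretch of silence from a host that normally reports steadily, is an alert in its own right. The following is an added example written for this page, not code from the indictment or any victim; the log format, the regular expression for policy changes, the six-hour gap threshold and the sample lines are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit-log lines for the demonstration. Assumed format:
# "<ISO-8601 timestamp> <host> <message>". The second line turns auditing off;
# no events arrive from that host again until the next afternoon.
SAMPLE_LOG = """\
2013-03-01T10:00:00 pos-gw-01 login ok user=svc_batch
2013-03-01T10:05:00 pos-gw-01 config: audit policy changed, logging=off by user=svc_batch
2013-03-01T10:07:00 pos-gw-02 login ok user=svc_batch
2013-03-01T12:00:00 pos-gw-02 login ok user=svc_batch
2013-03-02T14:00:00 pos-gw-01 config: audit policy changed, logging=on by user=svc_batch
2013-03-02T14:01:00 pos-gw-01 login ok user=svc_batch
"""

# Assumed phrasings a logging-policy change might use; a real deployment would
# key this to the exact event IDs or messages of its own audit system.
DISABLE_RE = re.compile(r"logging=off|audit(ing)?\s+disabled|audit policy cleared", re.IGNORECASE)


def parse_events(log_text):
    """Parse log lines into (timestamp, host, message) tuples, grouped by host."""
    by_host = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, host, msg = line.split(" ", 2)
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts_text), msg))
    for events in by_host.values():
        events.sort(key=lambda e: e[0])
    return by_host


def find_logging_tampering(log_text, max_gap=timedelta(hours=6)):
    """Return findings for explicit audit-disable events and per-host reporting gaps.

    Each finding is (kind, timestamp_iso, host, detail). A gap is reported when
    a host that normally reports goes silent for longer than max_gap between two
    consecutive events; an audit_disabled finding is reported when a message
    matches DISABLE_RE.
    """
    findings = []
    for host, events in parse_events(log_text).items():
        for i, (ts, msg) in enumerate(events):
            if DISABLE_RE.search(msg):
                findings.append(("audit_disabled", ts.isoformat(), host, msg))
            if i > 0:
                prev_ts = events[i - 1][0]
                gap = ts - prev_ts
                if gap > max_gap:
                    findings.append(("gap", prev_ts.isoformat(), host, f"no events for {gap}"))
    return findings


if __name__ == "__main__":
    for finding in find_logging_tampering(SAMPLE_LOG):
        print(finding)
```

On the sample, the detector flags the explicit "logging=off" change on pos-gw-01 and the 27-hour silence that follows it, while pos-gw-02, which kept reporting, produces nothing. The gap check matters because an attacker who can edit audit settings can usually also avoid leaving a readable "disabled" message; silence from a host that should be busy is the signal that survives.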