June 6, 2012

The alleged ringleader of a Romanian hacker gang accused of breaking into and stealing payment card data from hundreds of Subway restaurants made news late last month when he was extradited to face charges in the United States. But perhaps the more interesting story is how his two alleged accomplices were lured here by undercover U.S. Secret Service agents, who promised to shower the men with love and riches.

Adrian-Tiberiu Oprea, 27, appeared in a New Hampshire federal court a week ago Tuesday, after being extradited from Constanta, Romania to face charges of hacking into the point-of-sale terminals at more than 150 Subway restaurants and at least 50 other retailers. Oprea was among four men indicted last year on charges of conspiracy to commit computer fraud, wire fraud and access device fraud.

Two of Oprea’s alleged accomplices arrived in Boston one day apart in August 2011, and were arrested immediately after stepping off of their respective flights. Previous news stories have noted their arrests and detentions in the United States, but all of the accounts I read neglected to mention one very interesting fact: Both men entered the country of their own volition.

I spoke last week with Michael Shklar, the public defender appointed to 27-year-old Iulian Dolan — the man authorities say helped Oprea sell credit and debit card accounts harvested in the break-ins. According to Shklar, U.S. Secret Service agents tricked his client into voluntarily visiting the United States by posing as representatives from a local resort and casino that was offering him a complimentary weekend getaway.

“My client was actually smart enough to say, ‘Oh, I don’t believe this. Why would you invite me to a weekend for free?’ And they basically told him, ‘Well, we know you gamble online, and we would like to comp you a weekend because it gives us a cosmopolitan feel.’”

Shklar said his client apparently was taken in by the ruse, and thought he’d struck a rapport with the female casino employee who’d invited him. Dolan didn’t know it, but the Secret Service and the casino had set up a dedicated telephone line for the female “employee,” and gave her an email with the casino’s domain name. When a suspicious Dolan sought to verify her story, it checked out. The airline ticket itself was even purchased by the casino, in case Dolan checked on that detail as well.

Apparently convinced he was headed for a weekend of fun, Dolan packed a suitcase with three days’ worth of clothes — plus jewelry for his erstwhile casino friend — and hopped on a complimentary flight from Bucharest to Logan International Airport…where he was presented with complimentary silver bracelets.

“He arrived in the U.S. with some clothes, a cheap necklace, a little bit of money, and three very large boxes of grape-flavored Romanian condoms,” Shklar said.

Investigators took a different approach with Cezar Iulian Butu, the 26-year-old from Ploiesti, Romania who is accused of purchasing stolen debit and credit cards from Dolan. Investigators had subpoenaed Yahoo!, GoDaddy and other communications providers to snoop on Butu’s emails. Those messages revealed quite a bit about where he’d traveled, bars he’d visited, his friends, etc.

Armed with this information, U.S. investigators reached out to Butu posing as an attractive female tourist he had met while he was in France approximately one year earlier. According to Shklar, Butu believed he was coming to the United States to meet an independently wealthy Hooters waitress who said she worked at the restaurant chain for the health insurance coverage and because she liked people.

“He gets off the plane and they nab him and the handcuffs don’t even have fur on them,” Shklar said.

The Secret Service declined to comment on the record for this story, citing the ongoing legal case.

The fourth man indicted last year in connection with the hacking case, Florin Radu, 23, of Rimnicu Vilcea, Romania, remains at large. If convicted, the defendants face a maximum of five years in prison for each count of conspiracy to commit computer-related fraud, 30 years in prison for each count of conspiracy to commit wire fraud and five years in prison for each count of conspiracy to commit access device fraud. They also face fines up to twice the amount of the fraud loss and restitution.

25 thoughts on “Alleged Romanian Subway Hackers Were Lured to U.S.”

  1. Thomas Maegerle

    so these jokers really need a public defender? They can’t afford their own private lawyer?

    They’ve been enriching themselves stealing from others. They get a free ticket to the US. They get a public defender, who’s supposed to be there for people who really can’t afford representation. And soon they’ll get free food and shelter courtesy of the US government.

    1. Eric

      So the better option is….what, exactly? They get to use money they stole from victims to pay for their own defense against those charges?

      1. Jeremy Janson

        After their conviction they can be fined the sum of money and work much of that fine off in prison workshops over the next several years. The rest they will pay gradually for the rest of their lives.

        Still, they must really not think they have a chance if they took the public defender, because at the federal level and at the level of most states as well, public defenders really stink. There are a few states that do a good job using contract public defenders (instead of a designated public defenders office, the state just pays a regular private lawyer to take the case), but even those are a minority. Really, unless you have no chance whatsoever of winning, or even getting a good plea bargain, you would rather pay out of pocket.

        1. george

          I don’t know if Mr. Shklar is a good lawyer or not, but to be honest I am surprised he shared with Brian, a reporter, those juicy details about his client especially since there is an ongoing legal case (as the Secret Service pointed out when requested to comment). Frankly, if he was my lawyer either hired by me or appointed through the public office, I would dismiss him. Make no mistake, I am glad he did speak with Brian and we found out about those fellows and a glimpse into their way of “thinking”, but I’m afraid the disclosure might somehow open some procedural doors they can use to their advantage to get away unpunished for their crimes.

  2. george

    Thank you Brian, you made my day (again).
    From the indictment it appears those clowns were not doing traditional skimming but were somehow over the Internet scanning those POS’s for open RDP ports and then trying default passwords. I find it hard to believe a POS would be accessible over Internet just like that. I mean, c’mon, not even a VPN?

  3. ted

    The people that failed to properly secure the POS devices should be in a cell next to them.

    1. anon

      no, no chance

      don’t be curious 🙂 and please read/see the dates

  4. Hagrid

    As was pointed out to me this morning, it’s not 6.5M accounts, it’s 6.5M unique password hashes. Given that sites like LinkedIn allow the same password to be used by multiple users, and that not all the users on the site are 100% security conscious, chances are it’s a lot more than 4% of the site’s accounts.

  5. Richard Steven Hack

    How many times have Eastern European hackers been invited to the US for alleged jobs or whatever and ended up in jail?

    You’d think they would get the message: hacking in the US will get you prison time IF you’re stupid enough to come here openly at the invitation of someone whose identity you cannot verify.


    I admit the FBI was clever in using the casino scam with a female fronting it, rather than their old ruse of offering the hacker a job because the hacker was so good at his work.

    The three boxes of condoms? Serious optimism… This guy must think every American woman is a “ho”. 🙂

    1. J Edgar Hoover

      Where is the FBI mentioned in this report? I didn’t see them mentioned once.

      1. Clyde Tolson

        Get off the Internet Edgar and come back to bed!

    2. Jeremy Janson

      Stereotypes of America are pretty much always based on Southern California, and generally LA county itself, not even the more conservative and normal parts of SoCal, occasionally with a VERY small amount of Texas or New York mixed in. It amazes me how many people around the world actually think Fast Food is the entirety of American cuisine. Some of these people live in major cities in the US that stopped being part of real America 50 years ago.

  6. Richard Steven Hack

    I just read this part:

    “Butu believed he was coming to the United States to meet an independently wealthy Hooters waitress who said she worked at the restaurant chain for the health insurance coverage and because she liked people.”

    Now THAT says SERIOUS MORON! 🙂 🙂

  7. Jeremy Janson

    It’s always nice to see the Feddies doing something – sometimes in this country I think the police turn a blind eye to theft. We’re so busy worrying about who got high on what or didn’t buckle their seatbelt or should be arrested for throwing a bucket of water at somebody that we can’t protect property or life.

  8. David Mitchell

    I changed my password as instructed and received six (6) emails from LinkedIn confirming that I had done this. My confidence in LinkedIn is already damaged and this only reduces my confidence even more 🙁

  9. John Smith

    Since this is an IT-Security site, it would be nice to call them crackers not hackers. Crackers break and steal while hackers are just a bit too curious for their own good (sometimes hackers will help improve the security in the long run).

    1. oleg

      john i’m going to guess you’re in the over-40 or over-50 crowd. usually only people who’ve been in the business for a long time seem to still get upset about the hacker/cracker thing. everyone else seems to accept that they’re interchangeable and that languages change over time, as they should.

      “Subway Crackers” sounds like some snack you’d buy from Subway or eat on the subway. Fail.

      1. bob

        Language “should” change over time? Did you ask it? What brand jeans was it wearing?

        I’m going to guess you’re under 13. Usually, adults understand that grammatical conventions, like lexical conventions, aid understanding.

        1. voksalna

          Language *does* change over time. Ask any linguist. It’s how languages come to be in the first place. This is more likely a case of “I do not like you using the same word on me or someone I respect as someone I do not respect” — which is to say, an attempt at stigma avoidance.

          The problem is, at the end of the day — they still hacked.

          If anything, “cracker” is, was, and has always been a *subset* of hacker. Just because you do not like it, does not make it any other way.

          It’s not a matter of semantics, just a matter of intent.
