U.S. federal authorities have indicted five men, four Russians and a Ukrainian, for allegedly perpetrating many of the biggest cybercrimes of the past decade, including the theft of more than 160 million credit card numbers from major U.S. retailers, banks and card processors.
The gang is thought to be responsible for the 2007 breach at credit card processor Heartland Payment Systems that exposed some 130 million card numbers, as well as the 2011 breach at Global Payments that involved nearly a million accounts and cost the company almost $100 million.
Federal prosecutors in New Jersey today called the case the largest hacking scheme ever prosecuted in the U.S. Justice Department officials said the men were part of a gang run by Albert “Soupnazi” Gonzalez, a hacker arrested in 2008 who is currently serving a 20-year prison sentence for his role in many of the breaches, including the theft of some 90 million credit cards from retailer TJX.
One of the accused, 27-year-old Dmitriy Smilianets, is in U.S. custody. Vladimir Drinkman, 32, of Syktyvkar, Russia, is awaiting extradition to the United States. Three others named in the indictments remain at large, including Aleksandr Kalinin, 26, of St. Petersburg; 32-year-old Roman Kotov from Moscow; and Mikhail Rytikov, 26, of Odessa, Ukraine.
According to the government’s indictment, other high-profile heists tied to this gang include compromises at:
Hannaford Brothers Co: 2007, 4.2 million card numbers
Carrefour S.A.: 2007, 2 million card numbers
Commidea Ltd.: 2008, 30 million card numbers
Euronet: 2010, 2 million card numbers
Visa, Inc.: 2011, 800,000 card numbers
Discover Financial Services: 500,000 Diners card numbers
In addition, the group is being blamed for breaking into and planting malware on the networks of NASDAQ, 7-Eleven, JetBlue, JCPenney, Wet Seal, Dexia, Dow Jones, and Ingenicard.
The hackers broke into their targets using SQL injection attacks, which take advantage of weak server configurations to inject malicious SQL commands into the database behind the public-facing Web server. Once inside, the attackers can upload software and siphon data.
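As an added illustration of the weakness described above (example code written for this page, not from the indictment or any of the companies named), a query assembled by string concatenation lets a crafted value rewrite the WHERE clause, while a parameterized query hands the same value to the driver as plain data. The table, card numbers and inputs are all constructed.

```python
import sqlite3


def make_db():
    # Constructed stand-in for a card-processor table; not real data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (pan TEXT, holder TEXT)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?)",
        [("4111111111111111", "alice"), ("5500000000000004", "bob")],
    )
    return conn


def lookup_vulnerable(conn, holder):
    # The caller's value is spliced into the statement text, so it is parsed
    # as SQL and can change the query's logic, not just its data.
    sql = "SELECT pan FROM cards WHERE holder = '" + holder + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, holder):
    # The statement and the value travel separately; the value is only ever
    # compared as a string, never interpreted as part of the query.
    sql = "SELECT pan FROM cards WHERE holder = ?"
    return [row[0] for row in conn.execute(sql, (holder,))]


def demo():
    conn = make_db()
    normal = "alice"
    # Constructed input that turns the concatenated WHERE clause into a tautology.
    crafted = "x' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_crafted": lookup_vulnerable(conn, crafted),
        "param_normal": lookup_parameterized(conn, normal),
        "param_crafted": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the concatenated query the crafted value returns every card in the table; with the parameterized query it matches nothing, because no holder is literally named "x' OR '1'='1".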
The government’s indictment alleges that the thieves were at times overwhelmed by the sheer amount of data yielded by their SQL attacks. On Aug. 12, 2007, Kalinin allegedly sent Gonzalez an instant message that he’d just gained access to 30 SQL servers on NASDAQ’s network, but hadn’t yet cracked the administrator passwords that secured the data inside. “These [databases] are hell big and I think most of info is trading histories.” On Jan. 9, 2008, after Gonzalez offered to help attack the trading floor’s computer systems, Kalinin allegedly messaged back, “NASDAQ is owned.”
Court documents feature an alleged conversation between Kalinin and Gonzalez from March 18, 2008, months after the Hannaford Bros. attack:
Kalinin: haha they had hannaford issue on tv news?
Gonzalez: not here
Gonzalez: I have triggers set on google news for things like “data breach” “credit card fraud” “debit card fraud” “atm fraud” “hackers”
Gonzalez: I get emailed news articles immediately when they come out, you should do the same, it’s how I find out when my hacks are found 🙂
Just a few weeks later, news of a massive credit card breach at Hannaford started trickling out:
Gonzalez: hannaford lasted 3 months of sales before it was on news, im trying to figure out how much time its going to be alive for
Gonzalez: hannaford will spend millions to upgrade their security!! lol
Kalinin: they would better pay us to not hack them again
According to prosecutors, the other members of the gang helped harvest data from the compromised systems, and managed the bulletproof hosting services from which the group launched its SQL attacks [the government alleges that Rytikov, for example, was none other than “Abdullah,” a well-known bulletproof (BP) hosting provider]. The men allegedly sold the credit card data to third parties who routinely purchased card numbers at prices between $10 and $50 apiece. The buyers were given PIN codes and magnetic stripe data that allowed them to create cloned cards for use at retailers and ATMs around the world.
A copy of the indictment is here (PDF).
Update: 3:39 p.m ET: Corrected state in which the accused were charged.