This story was printed from CdrInfo.com,
located at http://www.cdrinfo.com.

Appeared on: Friday, July 26, 2013
Five Indicted For Largest Known Data Breach Conspiracy

A federal indictment made public today in New Jersey charges five men with conspiring in a worldwide hacking and data breach scheme that targeted major corporate networks, stole more than 160 million credit card numbers, resulted in hundreds of millions of dollars in losses and is the largest such scheme ever prosecuted in the United States.

The defendants allegedly sought corporate victims engaged in financial transactions, retailers that received and transmitted financial data and other institutions with information they could exploit for profit. The defendants are charged with attacks on NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard. It is not alleged that the NASDAQ hack affected its trading platform.

"This type of crime is the cutting edge," U.S. Attorney Fishman said. "Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security. And this case shows there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day. We cannot be too vigilant and we cannot be too careful."

According to the second superseding indictment unsealed today in Newark federal court and other court filings:

The five men each served particular roles in the scheme. Vladimir Drinkman, 32, of Syktyvkar and Moscow, Russia, and Alexandr Kalinin, 26, of St. Petersburg, Russia, each specialized in penetrating network security and gaining access to the corporate victims' systems. Roman Kotov, 32, of Moscow, also a hacker, specialized in mining the networks Drinkman and Kalinin compromised to steal valuable data. The hackers hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Odessa, Ukraine. Dmitriy Smilianets, 29, of Moscow, sold the information stolen by the other conspirators and distributed the proceeds of the scheme to the participants.

Kalinin and Drinkman were previously charged in New Jersey as "Hacker 1" and "Hacker 2" in a 2009 indictment charging Albert Gonzalez, 32, of Miami, in connection with five corporate data breaches - including the breach of Heartland Payment Systems Inc., which at the time was the largest ever reported. Gonzalez is currently serving 20 years in federal prison for those offenses. The U.S. Attorney's Office for the Southern District of New York today announced two additional indictments against Kalinin: one charges him in connection with hacking certain computer servers used by NASDAQ and a second indictment, unsealed today, charged Kalinin and another Russian hacker, Nikolay Nasenkov, with an international scheme to steal bank account information by hacking U.S.-based financial institutions. Rytikov was previously charged in the Eastern District of Virginia with an unrelated scheme. Kotov and Smilianets have not previously been charged publicly in the United States.

The five defendants conspired with others to penetrate the computer networks of several of the largest payment processing companies, retailers and financial institutions in the world, stealing the personal identifying information of individuals. They took user names and passwords, means of identification, credit and debit card numbers and other corresponding personal identification information of cardholders. Conservatively, the conspirators unlawfully acquired more than 160 million card numbers through hacking.

After acquiring the card numbers and associated data, the conspirators sold it to resellers around the world. The buyers then sold the dumps through online forums or directly to individuals and organizations. Smilianets was in charge of sales, vending the data only to trusted identity theft wholesalers. He would charge approximately $10 for each stolen American credit card number and associated data, approximately $50 for each European credit card number and associated data and approximately $15 for each Canadian credit card number and associated data - offering discounted pricing to bulk and repeat customers. Ultimately, the end users encoded each dump onto the magnetic strip of a blank plastic card and cashed out the value of the dump by either withdrawing money from ATMs or making purchases with the cards.

The defendants used a number of methods to conceal the scheme. Unlike traditional Internet service providers, Rytikov allowed his clients to hack with the knowledge he would never keep records of their online activities or share information with law enforcement.

Over the course of the conspiracy, the defendants communicated through private and encrypted communications channels to avoid detection. Fearing law enforcement would intercept even those communications, some of the conspirators attempted to meet in person.

To protect against detection by the victim companies, the defendants altered the settings on victim company networks to disable security mechanisms from logging their actions. The defendants also worked to evade existing protections by security software.

