(CNN) — Four Russian nationals and a Ukrainian have been charged with running a massive scheme to steal info from more than 160 million credit and debit cards at a cost of hundreds of millions of dollars.
Each of the five men indicted had different roles in what the Department of Justice described Thursday in a news release as “the largest such scheme ever prosecuted in the United States.” According to that U.S. agency, one of the accused hosted “bullet-proof” web-hosting services, two of the defendants hacked corporate networks, one mined and stole sensitive data and the fifth sold that information to “identity theft wholesalers.”
Two of the men were arrested at the request of U.S. authorities in June 2012 in the Netherlands. One of them, Dmitriy Smilianets, was extradited months later to the United States. He’ll appear in a federal court in New Jersey on the new charges of hacking conspiracy, conspiracy to commit wire fraud, unauthorized computer access and wire fraud, according to the Department of Justice.
The three other indicted men were still at large Thursday.
They are all accused of having targeted more than a dozen major American and international companies between 2005 and 2012, including JCPenney, Carrefour, 7-Eleven, Nasdaq, JetBlue, Dow Jones and Ingenicard. More than 130 million card numbers were stolen from one company alone — Heartland, a U.S.-based credit and debit card processing company — resulting in about $200 million in losses, according to the U.S. indictment unsealed Thursday in a federal court in New Jersey.
“Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security,” said U.S. Attorney Paul Fishman, whose jurisdiction is New Jersey. “And this case shows, there is a real practical cost because these types of frauds increase the cost of doing business for every American consumer, every day.”
Working with co-conspirators — at least one of whom, Albert Gonzalez of Miami, is now serving a 20-year prison sentence related to several data breaches, according to the news release — they’d “probe potential vulnerabilities” in their targets’ websites and, in some cases, would even visit their retail stores, the indictment states.
Then they would strike against retailers and other corporations engaged in financial transactions or the transmission of financial data.
The defendants used computers in at least seven countries, including the United States, and anonymous web-hosting services allegedly provided by one of those charged, Mikhail Rytikov, to help hide their identities.
Two of the defendants — Alexandr Kalinin and Vladimir Drinkman, the latter of whom was arrested last year in the Netherlands — would allegedly hack into networks and install malicious code, or malware, to make these systems more vulnerable. In some instances, this malware might be in place for more than a year.
Once in, another of the accused — Roman Kotov — allegedly would capture loads of data such as user names and passwords, other identifying info and credit and debit card numbers.
This information would then be sold by Smilianets at a price that varied, depending on its origin, U.S. authorities claim in the indictment. A single U.S. credit card number, for instance, would go for $10, a Canadian one for $15 and a European number for $50, according to the indictment. Bulk and repeat “customers” shopping for this illicit info got discounted prices.
This data would then be encrypted on blank cards, which could be used to withdraw cash from ATMs or make purchases.
Also Thursday — in addition to the charges outlined in the indictment — the U.S. Attorney’s Office for the Southern District of New York announced two additional indictments against Kalinin for hacking servers used by the financial securities market Nasdaq. A separate indictment accuses Kalinin and another Russian, Nikolay Nasenkov, of engineering a scheme to hack U.S.-based financial institutions, steal account information and withdraw millions of dollars from victims’ bank accounts.
“As today’s allegations make clear, cyber criminals are determined to prey not only on individual bank accounts, but on the financial system itself,” Manhattan U.S. Attorney Preet Bharara said.
The various hacking charges come on the same day that Stanford University experienced what it called “an apparent breach of its information technology infrastructure similar to incidents reported in recent months by a range of companies and large organizations in the United States.”
In a message linked from its official Twitter feed, Stanford said it was still looking into the origin and the impact of the apparent breach.
“We do not yet know the scope of the intrusion, but we are working closely with information security consultants and law enforcement to determine its source and impact,” the university said.