The U.S. Attorney and Secret Service claim an international crime syndicate was behind the identity theft of more than 40 million credit and debit card numbers from TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. The Department of Justice and Secret Service allege that the hackers used wardriving to hack networks and sniffer programs to capture card numbers and customer data.
In what is believed to be the largest hacking and identity theft case ever
prosecuted, the Department of Justice said Aug. 5 it has indicted 11 people for
the theft and sale of more than 40 million credit and debit card numbers.
According to the DOJ, the card numbers were obtained by "wardriving"
and hacking into the wireless computer networks of major retailers including TJX
Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble,
Sports Authority, Forever 21 and DSW. Wardriving involves locating Wi-Fi
networks from a moving vehicle with a laptop or PDA.
Once inside the networks, the DOJ said, the hackers installed "sniffer"
programs that would capture card numbers, as well as password and account
information, as they moved through the retailers' credit and debit processing
networks. After the thieves collected the data, they concealed it in encrypted
computer servers that they controlled in Eastern Europe
and the United States.
The DOJ indictment claims the hackers sold some of the credit and debit card
numbers over the Internet to other criminals in the United
States and Eastern Europe. The
stolen numbers were "cashed out" by encoding card numbers on the
magnetic stripes of blank cards. The thieves then used these cards to withdraw
tens of thousands of dollars at a time from ATMs.
"So far as we know, this is the single largest and most complex
identity theft case ever charged in this country," Attorney General
Michael Mukasey said at a Boston
news conference. "It highlights the efforts of the Justice Department to
fight this pernicious crime and shows that, with the cooperation of our law
enforcement partners around the world, we can identify, charge and apprehend
even the most sophisticated international computer hackers."
In an indictment returned on Aug. 5 by a federal grand jury in Boston,
Albert "Segvec" Gonzalez, of Miami,
was charged with computer fraud, wire fraud, access device fraud, aggravated
identity theft and conspiracy for a role in the scheme. Gonzalez was
previously arrested by the Secret Service in 2003 for access device fraud.
During the course of the current investigation, the Secret Service
discovered that Gonzalez, who was working as a confidential informant for the
agency, was criminally involved in the case. The DOJ said that because of the
size and scope of his criminal activity, Gonzalez faces a maximum penalty of
life in prison if he is convicted of all the charges alleged in the Boston
Criminal indictments were also released in Boston
on related charges against Christopher Scott and Damon Patrick Toey, both of Miami.
In addition, indictments were unsealed in San Diego
against alleged scheme participants Maksym "Maksik" Yastremskiy, of Kharkov,
Ukraine, and Aleksandr "Jonny
Hell" Suvorov, of Sillamae, Estonia.
The San Diego grand jury also
indicted Hung-Ming Chiu and Zhi Zhi Wang, both of the People's Republic of China,
and a person known only by the online nickname "Delpiero."
The indictments charge the defendants with crimes related to the sale of credit
card data that Gonzalez and others illegally obtained, as well as additional
stolen credit card data. Suvorov is charged with conspiracy to possess
unauthorized access devices, possession of unauthorized access devices,
trafficking in unauthorized access devices, identity theft, aggravated identity
theft, and aiding and abetting.
Yastremskiy faces charges of trafficking in unauthorized access devices,
identity theft, aggravated identity theft and conspiracy to launder monetary
instruments. The indictment also contains a forfeiture allegation. Chiu, Wang
and Delpiero are charged with conspiracy to possess unauthorized access
devices, trafficking in unauthorized access devices, trafficking in counterfeit
access devices, possession of unauthorized access devices, aggravated identity
theft, and aiding and abetting. All are believed to be foreign nationals
residing outside of the United States.
In May, Gonzalez, Suvorov and Yastremskiy were charged in a related
indictment in the Eastern District of New York. The New
York charges allege that the trio was engaged in a
scheme to hack into computer networks run by the Dave & Buster's restaurant
chain. According to the indictment, they stole credit and debit card numbers
from at least 11 locations.
The New York indictment claims
the defendants gained unauthorized access to the cash register terminals and
installed a packet sniffer at each restaurant. The packet sniffer was
configured to capture credit and debit card numbers as the information was
processed by the restaurants. At one Dave & Buster's location, the packet
sniffer captured data for approximately 5,000 credit and debit cards,
eventually causing losses of at least $600,000 to the financial institutions
that issued the credit and debit cards.
Gonzalez is currently in pretrial confinement on the New
York charges. Based upon the San
Diego charges, Turkish officials arrested Yastremskiy
in July 2007 in Turkey
when he traveled there on vacation. He has been in confinement since then in Turkey,
pending the resolution of related Turkish charges, and the United
States has made a formal request for his
Suvorov was apprehended by the German Federal Police in Frankfurt
in March on the San Diego charges
when he traveled there on vacation. He is currently in confinement pending the
resolution of extradition proceedings.
"While technology has made our lives much easier,
it has also created new vulnerabilities. This case clearly shows how strokes on
a keyboard with a criminal purpose can have costly results," U.S. Attorney
Michael J. Sullivan said. "Consumers, companies and governments from
around the world must further develop ways to protect our sensitive personal
and business information and detect those, whether here or abroad, that
conspire to exploit technology for criminal gain."