Five Charged, Two Arrested in Online Theft of Credit Card Data

Federal prosecutors charged five citizens of Russia and the Ukraine with stealing information on more than 160 million credit cards and selling it for millions.

Federal prosecutors charged five men with computer crimes on July 25 in one of the largest online fraud schemes investigated by U.S. authorities to date.

The five men, along with other co-conspirators not charged in the indictment, allegedly stole information about more than 160 million credit cards and sold them on the underground market. Those numbers, when turned into fraudulent credit cards and used by low-level criminals known as "cashers," resulted in more than $300 million in damages, prosecutors said.

"Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy and our national security," New Jersey U.S. Attorney Paul J. Fishman, said in a statement announcing the indictment. "And this case shows there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day.  We cannot be too vigilant and we cannot be too careful."

The five men are accused of attacks on NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard, according to the U.S. Attorney's office.

Each of the accused played a specific role in the organized efforts to steal credit cards, according to the indictment. Vladimir Drinkman, 32, and Alexandr Kalinin, 26—both of Russia—allegedly focused on compromising corporate computer systems. Another Russian citizen—Roman Kotov, 32—is accused of using that access to search for valuable information on the networks. A fourth Russian national—Dmitriy Smilianets, 29—acted as a fence, selling the information that was stolen from the firms, and the sole Ukranian hacker—Mikhail Rytikov, 26—provided anonymizing services to the hackers, the indictment states.

Two of the accused—Drinkman and Smilianets—were arrested in June 2012 while traveling in the Netherlands. While Smilianets has been extradited to the United States, Drinkman awaits an extradition hearing in the Netherlands.

The indictment reveals that the attackers most often gained access to the victims' networks through a common Website security flaw known as SQL injection, where the hackers can target the databases that provide dynamic content to the Websites. By exploiting such flaws, Drinkman and Kalinin were allegedly able to embed malware inside the victim's network, patiently waiting for months to carefully expand beyond their beachhead.

Albert Gozalez, the hacker convicted of stealing credit cards and serving a 20-year prison sentence, also features in the indictment as a co-conspirator. The five men allegedly worked with Gozalez before his arrest and then continued hacking and selling the data following his conviction.

The group of hackers were able to sell each credit card dossier for different amounts, depending on the nationality of the owner. American credit card numbers sold for $10, Canadian for $15 and European for $50, the indictment stated.