NEWARK, N.J. – Four Russian nationals and a Ukrainian have been charged with running a sophisticated hacking organization that over seven years penetrated computer networks of more than a dozen major American and international corporations.
Indictments were announced Thursday in Newark, where the U.S. Attorney Paul Fishman called the case the largest hacking and data breach scheme ever prosecuted in the United States.
The hackers conservatively acquired more than 160 million credit and debit card numbers from 2005 to 2012 and sold them to resellers around the world, prosecutors said.
Losses to consumers and the corporations were put in the hundreds of millions of dollars.
The victims included the electronic stock exchange Nasdaq; 7-Eleven Inc.; JCPenney Co.; the regional supermarket chain Hannaford Brothers Co.; Heartland Payment Systems Inc., one of the world’s largest credit and debit processing companies, French retailer Carrefour S.A., and the Belgium bank Dexia Bank Belgium.
The defendants were identified as Russians Vladimir Drinkman, Aleksander Kalinin, Roman Kotov and Dmitriy Smilianets, and Ukrainian Mikhail Rytikov.
The prosecution builds on a case that resulted in a 20-year prison sentence in 2010 for Albert Gonzalez of Miami, who is identified in the new complaint as an unindicted co-conspirator. Other unindicted co-conspirators were also named.
Prosecutors identified Drinkman and Kalinin as sophisticated hackers who specialized in penetrating the computer networks of multinational corporations, financial institutions and payment processors.
Kotov’s specialty was harvesting data from the networks after they had been penetrated, and Rytikov provided anonymous web-hosting services that were used to hack into computer networks and covertly remove data, the indictment said.
Smilianets was the information salesman, the government said.
All five are charged with taking part in a computer hacking conspiracy and conspiracy to commit wire fraud. The four Russian nationals are also charged with multiple counts of unauthorized computer access and wire fraud.
The individuals who purchased the credit and debit card numbers and associated data from the hacking organization resold them through online forums or directly to others known as “cashers,” the indictment said.
The cashers would encode the information onto the magnetic strips of blank plastic cards and cash out the value, by either withdrawing money from ATMs in the case of debit cards, or running up charges and purchasing goods in the case of credit cards.