The U.S. Attorney's
Office today unsealed an indictment charging four Russians and a Ukrainian with
a multi-million hacking scheme that netted 160 million credit card numbers from
several major American and international corporations.
The charges stem
from hacking attacks dating back to 2005 against several global brands,
including the NASDAQ exchange, 7-Eleven, JC Penney, Hannaford, Heartland,
JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and
Ingenicard.
The five men that
are being indicted are Vladimir Drinkman, 32, of Syktyykar and Moscow, Russia,
and Alexandr Kalinin, 26, of St. Petersburg, Russia, each allegedly specialized
in penetrating networks and gaining access to the corporate victims' systems.
- Roman Kotov, 32,
of Moscow, allegedly specialized in mining the networks compromised by Drinkman
and Kalinin to steal valuable data.
- Mikhail Rytikov,
26, of Odessa, Ukraine, allegedly offered anonymous web-hosting services for
the others to hide their illegal activities.
- Dmitriy
Smilianets, 29, of Moscow, allegedly sold the information stolen by the other
conspirators and distributed the proceeds of the scheme to the participants.
Two of the five men Drinkman
and Smilianets have been captured while traveling in the
Netherlands last year and they have been extradited to the United States to
face charges while the other three men remain at large. Court documents show the men took user names
and passwords, identification, credit and debit card numbers that correspond to
personal identification information of cardholders.
The men gained
access to systems by using an SQL injection attack as their initial entry
point. Once the networks were breached,
they used malware to create a back door to maintain their access to these
systems. The men also used sniffers to
identify, collect, and steal data from victims and used the stolen data and
sold it to others. As their punishment,
they face a five year prison sentence for conspiracy to gain unauthorized access
to computers; 30 years in prison for conspiracy to commit wire fraud; five
years in prison for unauthorized access to computers; and 30 years in prison
for wire fraud.