In what federal prosecutors are calling several of the largest known data-breach schemes in U.S. history, four Russians and one Ukrainian man are being charged with hacking more than a dozen of the world's largest national and international corporations to steal and resell over 160 million credit card numbers.
In an indictment announced today in Newark, N.J., the men are accused by federal prosecutors of a conspiracy to infiltrate the networks of major organizations and financial institutions such as Visa, NASDAQ, J.C. Penney, JetBlue and 7-Eleven to defraud the companies' computers and steal customer data. The alleged crimes took place from August 2005 through at least July 2012, according to the indictment obtained by ABCNews.com.
"The losses in this case are staggering," U.S. Attorney Paul Fishman said today. "The conspirators breached the computer networks of at least 17 major retailers, financial institutions and payment processors and obtained more than 160 million credit and debit card numbers … This scheme was so sophisticated and brought together some of the most experienced and skilled hackers in the world."
The defendants, who are said to have been operating out of New Jersey's Mercer and Middlesex counties, are named as Russians Vladimir Drinkman, Aleksander Kalinin, Roman Kotov and Dmitriy Smilianets, and Ukrainian Mikhail Rytikov. The men are charged with taking part in a computer hacking conspiracy and conspiracy to commit wire fraud. The Russians are facing multiple counts of unauthorized computer access and wire fraud.
Drinkman is now in custody and awaiting an extradition hearing in the Netherlands, and Smilianets will appear in court in New Jersey next week, according to Fishman. The remaining three are fugitives. With the wire fraud charge alone, the men each face a maximum penalty of 30 years in prison and a fine of $1 million, or twice the gain or loss incurred. If convicted they d be ordered to repay the victims of their loss.
ABCNews.com was unable to reach attorneys representing Smilianets.
Using unique malware and sophisticated hacking methods, the five men are accused of acquiring customer data such as credit card numbers and associated data -- referred to by the men as "dumps," according to the indictment. They would then sell these "dumps" to "dumps resellers," who would in turn sell the data on online forums or directly to buyers – who are referred to as "cashers."
These "cashers" would then take the stolen data "dump" and encode it onto a credit card blanket, according to the indictment. Cashers would then withdraw the money from ATMs or charge items to the cards.
The ring would charge $10 for U.S. card, $15 for each Canadian card and $50 for each European card, and payments were made to the defendants via Western Union MoneyGram or international wire transfer.
The defendants would use instant messaging to communicate with each other as they allegedly infiltrated the corporate networks. According to the indictment, one defendant said "NASDAQ is owned" while discussing attacking the exchange's network.
At one point, while discussing how his alleged victim Hannaford Bros. supermarket chain will pay millions for new security, Kalinin says: "They would better pay us not to hack them again," according to the indictment. Another alleged conspirator said that he used Google News alerts to track when his hacks were discovered.
The companies named in the indictment are believed to have lost hundreds of millions of dollars because of this ring's actions, with three companies incurring losses in excess of $300 million alone, according to the indictment.
Losses to identity theft victims, who must deal with costs associated with the crimes, are considered immeasurable, the indictment states.