Feds Bust Largest Credit-Card Hacking Scheme in History

July 29, 2013

Federal authorities in New Jersey last week indicted four Russians and one Ukrainian man in what they said could be the largest hacking scheme in history. U.S. Attorney Paul Fishman indicated the breaches involved, some of which went back nearly a decade, resulted in the illegal acquisition of more than 160 million credit-card numbers from processors, retailers and other organizations around the world that led to hundreds of millions of dollars in fraud.

Two of the defendants—Russian national Vladimir Drinkman and Alexandr Kalinin—were previously charged in New Jersey as “Hacker 1” and “Hacker 2” in a 2009 indictment charging Albert Gonzalez, 32, of Miami, in connection with five corporate data breaches – including the breach of Heartland Payment Systems Inc., which at the time was the largest ever reported. Heartland is one of the organizations targeted by the defendants in this new indictment. To what extent the separate indictments to Drinkman and Kalinin are related is unclear. Other companies that lost data to this hacking ring include NASDAQ, 7-Eleven, JCP, Hannaford, Wet Seal, JetBlue, Dow Jones, Euronet, Visa Jordan and Global Payment. Drinkman and Dmitriy Smilianets were arrested last year and extradited to the U.S. from the Netherlands. The other three defendants remain at large.

“This type of crime is the cutting edge,” Fishman said. “Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security. And this case shows there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day.”

According to the indictment, after harvesting payment details—sometimes waiting months or years after an initial intrusion to get credit-card information—the group sold the stolen numbers. Investigators said they sold the illegally obtained data through online forums or directly to individuals and organizations. The group allegedly charged $10, $15 or $50 for each record, depending on if the information was from an American, Canadian or European, according to the indictment.