For nearly a decade, a band of cybercriminals rampaged through the servers of a global business who's who: Among the victims were 7-Eleven, Dow Jones, Nasdaq, JetBlue and JC Penney. Prosecutors say the hackers stole "conservatively" 160 million credit card numbers, and the dollar value of the crimes they helped facilitate is enormous — just four of the victims are out $300 million. The suffering caused to identity theft victims was "immeasurable," say prosecutors.
On Thursday, five of the gang's members were indicted. One is in custody in the U.S., a second is awaiting extradition in the Netherlands, and three more are still at large in what U.S. Attorney Paul Fishman said is the largest data heist case ever prosecuted.
Dmitriy Smilianets, 29, of Moscow, is in custody, while Vladimir Drinkman, 32, of Syktyvkar, is awaiting an extradition hearing. The other three — Aleksandr Kalinin, 26, Roman Kotov, 32, and Ukrainian Mikhail Rytikov, 26 — remain at large.
Originally part of a crime ring led by Albert Gonzalez, who was arrested back in 2008, the five continued their data conquests even after Gonzalez was sentenced to 20 years in prison.
The group kept security professionals and journalists busy for years, causing embarrassing data leaks at grocery-store chain Hannaford Brothers Co. (4.2 million cards), Discover (2 million cards), and Dow Jones (10,000 corporate logins).
Often, one of the criminals would shop at the retailers to observe the checkout registers and deduce which systems were in use, assessing their vulnerability. Then they'd gain access to the credit card payment systems and siphon off millions of victims' account numbers as the cards were swiped in transactions.
They even bragged to each other about the fame they were gaining by picking prominent targets — and used Google alerts to learn when their access might be cut off. The following chat transcript was included in Thursday’s indictment:
Kalinin: haha they had hannaford issue on tv news?
Gonzalez: not here
Gonzalez: I have triggers set on google news for things like "data breach" "credit card fraud" "debit card fraud" "atm fraud" "hackers"
Gonzalez: I get emailed news articles immediately when they come out, you should do the same, its how I find out when my hacks are found :)
Gonzalez: hannaford lasted 3 months of sales before it was in the news, im trying to figure out how much time its gonig (sic) to be alive for
The group really hit paydirt when they turned away from brand-name retailers and toward credit card payment processors. Hordes of stolen card numbers — known as "dumps" — flowed through these little-known financial firms that connect retailers and banks, leading to record-breaking heists: Heartland Payment Systems (130 million cards); Commidea, in Europe (30 million); Euronet (2 million); and Global Payment Systems (950,000).
Prosecutors say they took the "dumps" and turned to middle-men called "dump resellers." They in turn split up the data into blocks, and resold it through a worldwide network of "cashers." U.S. card numbers could fetch $10, while European cards fetched up to $50.
Prosecutors say the five men used relatively simple "SQL injection" methods to break into company servers. That family of attacks has many variations, but it essentially exploits web applications that paste whatever a visitor types into a form directly into the commands they send to an underlying database. Input that carries SQL syntax of its own then changes what the database command does, letting the attacker read or alter data the form was never meant to expose.
For example, a quote character followed by SQL keywords typed into a form field meant for an email address can, on a carelessly written application, turn a lookup of one account into a query that returns every account, or one that pulls records from an entirely different table. In the Nasdaq hack, attackers exploited a feature designed to help legitimate users recall forgotten passwords.
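As an added illustration of the mechanism just described, the Python program below is constructed example code; it is not taken from the indictment or from any victim's systems, and it does not claim to reproduce the Nasdaq password feature. It builds a throwaway SQLite database with a users table and a separate cards table (all rows are made-up sample data), then runs a password-reminder style lookup two ways: once by splicing the submitted email address into the SQL text, and once with a parameterized query. Two injection inputs typed into the email field show the difference.

```python
import sqlite3

# Constructed sample data for this illustration only; no real accounts or cards.
SAMPLE_USERS = [
    ("alice@example.com", "hash_alice"),
    ("bob@example.com", "hash_bob"),
]
SAMPLE_CARDS = [
    ("4000000000000002", "12/29"),
    ("5100000000000008", "03/28"),
]


def make_db():
    """Build an in-memory database with a users table and a separate cards table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    conn.execute("CREATE TABLE cards (number TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_CARDS)
    return conn


def lookup_vulnerable(conn, email):
    """Password-reminder lookup that splices the submitted address into the SQL text.

    Whatever the visitor types becomes part of the command, so quote characters
    and SQL keywords in the input change the meaning of the query.
    """
    sql = "SELECT email, password_hash FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The same lookup as a parameterized query.

    The value travels separately from the SQL text and is only ever compared
    as a string; the database never parses it as SQL.
    """
    sql = "SELECT email, password_hash FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two classic injection inputs for an email field (hypothetical payloads).
# 1) Closes the quoted string and appends an always-true condition, so the
#    vulnerable query becomes:
#    ... WHERE email = 'x' OR '1'='1'            -> matches every user row
PAYLOAD_OR = "x' OR '1'='1"
# 2) Closes the string, appends a UNION against a table the form never mentions,
#    and uses "--" to comment out the application's own trailing quote:
#    ... WHERE email = 'x' UNION SELECT number, expiry FROM cards --'
PAYLOAD_UNION = "x' UNION SELECT number, expiry FROM cards --"


def demo():
    """Run both lookups against a normal address and both payloads; return the rows."""
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "alice@example.com"),
        "vuln_or": lookup_vulnerable(conn, PAYLOAD_OR),
        "vuln_union": lookup_vulnerable(conn, PAYLOAD_UNION),
        "safe_or": lookup_safe(conn, PAYLOAD_OR),
        "safe_union": lookup_safe(conn, PAYLOAD_UNION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:11} -> {rows}")
```

Run it and the vulnerable lookup returns every user for the first payload and the full contents of the cards table for the second, even though the form only ever asked about one email address; the parameterized lookup returns nothing for either, because the payload is compared as a literal string. The practical lesson is that the fix is parameterized queries (plus a database account that cannot read tables the page has no business touching), not filters on input length or character class, which attackers route around.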
The process could take time, however. When the hackers first gained access in August 2007, they talked about how overwhelming the data haul was.
"Those dbs (databases) are hell big and I think most of info is trading histories," Kalinin wrote at the time. But six months later, they'd figured out how to get valuable information from Nasdaq servers. "Nasdaq is owned," he wrote.
Three of the five men indicted remain at large. Smilianets and Drinkman were arrested in the Netherlands in June 2012 while traveling. Smilianets has been extradited to the U.S.; Drinkman is still in the Netherlands awaiting an extradition hearing.
The indictment comes after a years-long investigation by federal authorities into a massive credit card fraud operation that was first identified back in 2008, when Gonzalez — also known as “soupnazi” — was arrested. Gonzalez is probably the most notorious credit card hacker in history.
Directing a group called Shadowcrew, Gonzalez simultaneously worked as a cooperating witness for federal investigators, but continued to direct Shadowcrew to steal millions of credit card numbers. In Gonzalez's 2009 indictment, Kalinin and Drinkman were previously charged as “Hacker 1” and “Hacker 2.”
"This type of crime is the cutting edge," Fishman said in a press release. "Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy and our national security. And this case shows there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day."
All five suspects face wire fraud charges that carry a maximum penalty of 30 years in prison. Four of the five face 10 additional counts of wire fraud, conspiracy and unauthorized access to computers, with further penalties of up to 30 years in prison.
In a separate indictment, Kalinin was charged by the U.S. Attorney in the Southern District of New York with hacking Nasdaq servers, and with participating in a scheme to hack into U.S. financial institutions.
Follow Bob Sullivan on Facebook or Twitter. His new book, The Plateau Effect, is now on sale.