Believed to constitute the largest hacking and identity theft case ever prosecuted by the Department of Justice, eleven people allegedly involved in the hacking of nine major U.S. retailers have been charged with numerous crimes, including conspiracy, computer intrusion, fraud and identity theft, the DOJ announced yesterday. The charges are related to the theft of more than 40 million credit and debit card numbers.
Eleven indicted in massive data heist conspiracy. (IMG:J.Anderson)
Three of the defendants are U.S. citizens, one is from Estonia, three are from the Ukraine, two are from the People’s Republic of China, and one is from Belarus. One individual is only known by an online alias, and his place of origin is as yet unknown.
The charges and cases are all linked, in what is being called a conspiracy on a massive scale. The cases reach across the U.S., and those charged are all part of a larger international ring, the court papers alleged.
“So far as we know, this is the single largest and most complex identity theft case ever charged in this country,” said Attorney General Michael B. Mukasey.
Attorney General Mukasey and U.S. Attorneys from Massachusetts, the Southern District of California, the Eastern District of New York, and U.S. Secret Service Director Mark Sullivan all had a hand in the case and released information explaining the scope of the conspiracy.
"While technology has made our lives much easier it has also created new vulnerabilities. This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results." commented U.S. Attorney Michael J. Sullivan.
"Consumers, companies and governments from around the world must further develop ways to protect our sensitive personal and business information and detect those, whether here or abroad, that conspire to exploit technology for criminal gain," he added.
In an indictment returned on Aug 05 of 2008 by a federal grand jury in Boston, Albert “Segvec” Gonzalez, Christopher Scott, and Damon Patrick Toey, of Miami, were charged with computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy for their roles in the scheme. However, Gonzalez is at the center of the case; while not named as the “ring leader,” he is the focus of many of the recently released court documents.
Gonzalez was previously arrested by the Secret Service in 2003 for access device fraud. During the course of the current investigation, the Secret Service discovered that Gonzalez, a confidential informant for the agency, was criminally involved in the case. Because of the size and scope of his criminal activity, Gonzalez faces a maximum penalty of life in prison if he is convicted of all the charges covered in the Boston indictment.
The indictment claims that Gonzalez and his fellow conspirators obtained credit and debit card numbers by wardriving and hacking into the wireless computer networks of major retailers -- including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
Once inside, the attackers installed sniffers that collected information and stored it in a central location. Gonzalez and his crew are then said to have sold some of the credit and debit card numbers, via the Internet, to others in the United States and Eastern Europe. The stolen numbers were then “cashed out” by encoding card numbers on the magnetic strips of blank cards.
The newly minted cards were used to withdraw tens of thousands of dollars at a time from ATMs. Gonzalez and others were allegedly able to conceal and launder their fraud proceeds by using anonymous Internet-based currencies both within the United States and abroad, and also by channeling funds through bank accounts in Eastern Europe.
At the same time the news was coming out of Boston, indictments were unsealed in San Diego against conspirators Maksym “Maksik” Yastremskiy, of Kharkov, Ukraine, and Aleksandr “Jonny Hell” Suvorov, of Sillamae, Estonia. The San Diego indictments charge the two men with crimes related to the sale of the stolen credit card data that Gonzalez and others illegally obtained, as well as additional stolen credit card data.
Specifically, Suvorov is charged with conspiracy to possess unauthorized access devices, possession of unauthorized access devices, trafficking in unauthorized access devices, identity theft, aggravated identity theft, and aiding and abetting. Yastremskiy is charged with trafficking in unauthorized access devices, identity theft, aggravated identity theft, and conspiracy to launder monetary instruments.
In May 2008, Gonzalez, Suvorov and Yastremskiy were charged in a related indictment in the Eastern District of New York. The New York charges say that the trio took part in a scheme to hack into computer networks run by the Dave & Buster’s restaurant chain, and stole credit and debit card numbers from at least 11 locations. At one restaurant location, the packet sniffer installed by the trio captured data for approximately 5,000 credit and debit cards, eventually causing losses of at least $600,000 USD to the financial institutions that issued the credit and debit cards.
In addition to Suvorov and Yastremskiy, an indictment against Hung-Ming Chiu and Zhi Zhi Wang, both of the People’s Republic of China, and a person known only by the online nickname "Delpiero," were also unsealed in San Diego. Chiu, Wang and "Delpiero" are charged with conspiracy to possess unauthorized access devices, trafficking in unauthorized access devices, trafficking in counterfeit access devices, possession of unauthorized access devices, aggravated identity theft, and aiding and abetting.
Also coming out of San Diego is news that Sergey Pavolvich of Belarus, and Dzmitry Burak and Sergey Storchak, both of the Ukraine, were charged in a criminal complaint with conspiracy to traffic in unauthorized access devices. Sadly, all of them are outside the United States, so it is not known if they will be brought to the U.S. to face charges, or if Gonzalez will go it alone with Scott and Toey.
Gonzalez is currently in pre-trial confinement on the New York charges. Based upon the San Diego charges, officials in Turkey apprehended Yastremskiy in July 2007 when he travelled there on vacation. He has been in confinement there ever since, pending the resolution of related Turkish charges, and the United States has made a formal request for his extradition. At the request of the Department of Justice, Suvorov was apprehended by the German Federal Police in Frankfurt in March of 2008 on the San Diego charges when he travelled there on vacation. He is currently in confinement pending the resolution of extradition proceedings.
This is huge, and only proves that criminals are smart and will do anything to make a fast buck. While the people who committed these crimes are finally known, and are looking at some serious time behind bars, it is wise to remember that the lack of security at the companies who suffered was what allowed their crimes. The common thread in the conspiracy is data theft, and each of the companies hit were lax in their data security, proof positive that the data needs to be protected at all costs.
There are currently no comments for this article. Be the first to comment! (no registration required)
Advertising
There are currently no comments for this article. Be the first to comment! (no registration required)