'Cutting-Edge' Hacking Scheme Stole More Than $300M, U.S. Attorney Says

Five indicted in what authorities have called the 'largest hacking and data breach scheme ever prosecuted in the United States.'

Five people have been indicted for their roles in what authorities have called the "largest hacking and data breach scheme ever prosecuted in the United States" that resulted in the thefts of data from more than 160 million credit cards and other information from companies including NASDAQ, Dow Jones, JetBlue and the 7-Eleven convenience store chain, the U.S. Attorney's Office said.

“The individuals in this case are the ones at the very top, the ones who steal the data,” U.S. Attorney for New Jersey Paul Fishman said during a press conference in Newark.

The hacking into NASDAQ did not affect the tech stock exchange’s trading, officials said.

Two Russian men, Vladimir Drinkman and Dimitry Smilianets, are already in custody. Smilianets is expected to appear in Federal Court in New Jersey next week while Drinkman is in the Netherlands pending extradition to the United States.

Three other men, Aleksandr Kalinin, Roman Kotov and Mikhail Rytikov, remain at large, Fishman said.

Since at least 2007, officials said, the hackers have been infiltrating computer networks across the globe, including that of Heartland Payment Systems of Princeton, at the time the largest such breach ever detected. Describing the scheme as “cutting-edge crime,” Fishman also said the losses sustained by companies amounted to at least $300 million, but were likely to be much higher.

Generally, although it was individual credit card numbers that were stolen and used fraudulently, the companies were obligated to swallow the losses. Individual victims, however, also sustained losses related to identity theft. 

According to the indictment, the sophisticated hackers chose their targets carefully, sometimes scouting them online for months before breaking into a network. The hackers chose several targets that processed large amounts of credit card transactions.

Once a target was selected, the hackers would then launch an “SQL injection,” giving them a presence in a firm’s network. Fishman said that the group would often brag to one another once a system had been infiltrated.

“They would text one another and say this network is ‘owned,’” Fishman said.

The group would then allegedly install “sniffers” within the networks to automatically obtain electronic data from tens of thousands of credit cards, data which would eventually be sold to street-level criminals who would download it onto phony, duplicate cards.  

Fishman declined to say whether the investigation would be or has been expanded to include the people actually selling the fake cards, but added that such crimes are routinely investigated and prosecuted even when they cannot be tied to a particular “hack.”

The network allegedly charged $10 for American credit card information, $50 for European information and $15 for Canadian data, although “good customers” could often get a volume discount.

American credit card information was the least expensive, Fishman said, because U.S. cards lack a computer chip, a modern anti-fraud measure common in Europe.   

Authorities also said they will attempt to recover as much of the money as they can on behalf of the corporate victims. Other firms that were hacked include Carrefour, a French supermarket chain, American retailer JCP, Visa Jordan, Wet Seal, Commidea, Diners Singapore and Euronet.


