The alleged ringleader of a retail hacking ring was working for the Feds as an informant at the same time he was allegedly masterminding an even bigger racket.
Albert "Segvec" Gonzalez of Miami has been charged, along with ten other suspects, with hacking into nine of the networks of nine major US retailers and lifting 40 million credit and debit card numbers. Members of the retail hacking ring are charged with fraud and computer hacking offences involving raids on the networks of retailers named as TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
The TJX heist alone netted an estimated 45.7m payment cards. Either prosecutors are only charging the retail fraudsters with stealing the records there is evidence they nabbed, or another gang was also involved in the infamous cybercrime.
The attacks on the other eight retailers received little by way of publicity before the DoJ announced the unsealing of indictments in its biggest ever ID theft case on Tuesday. That so many retailers were hit using the same technique points to an underlying problem, widespread in the retailing industry.
In the case of the TJX hack, at least, the inability of older point-of-sales terminals to support anything more robust than the woefully inadequate Wired Equivalent Privacy protocol was blamed for the attack.
Wardriving and data siphoning
Gonzalez, along with fellow Miami residents and co-conspirators Christopher Scott and Damon Patrick Toey, are charged with obtaining credit card numbers by "wardriving" and hacking into the wireless computer networks of the retailers. According to court papers, the Florida-based members of a wider criminal conspiracy installed "sniffer" programs that captured card numbers along with password and account information.
The gang allegedly concealed their cache of stolen data on computer servers. Some of the stolen credit card numbers were sold online, while others were used to make counterfeit credit cards which were then used to make fraudulent cash withdrawals. Internet-based currencies and bank accounts in Eastern Europe were used to launder these funds. Investigators reckon the gang ran an international credit card theft ring with branches in Ukraine, Belarus, Estonia, China, the Philippines and Thailand.
Gonzalez was arrested by the Secret Service in 2003 for access device fraud, and was working as an informant for the feds at the time he was allegedly masterminding an even bigger racket. The extent of his alleged criminality (and double dealing) is such that prosecutors will seek a sentence of life imprisonment, if he's convicted.
Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov, of Sillamae, Estonia are charged with fencing the stolen credit card numbers obtained by the American gang, as well as aggravated identity theft and sundry hacking offences. Yastremskiy allegedly made $11m through his criminal activities.
A DoJ statement on the case can be found here.
Dave & Busted
Gonzalez, Suvorov and Yastremskiy were charged in May 2008 with hacking into the computer systems run by the Dave & Buster's restaurant chain in a separate case. The trio allegedly stole card numbers from at least 11 locations using the same packet sniffer and wireless hacking tactics. In one location alone 5,000 credit card records were lifted, resulting in losses to banks estimated at $600,000.
Gonzalez is currently in pre-trial confinement on these charges while Suvorov and Yastremskiy were each arrested on holiday in Germany and Turkey, respectively. Each is the subject of extradition proceedings.
Other suspects in the TJX retail hacking ring indictments include Hung-Ming Chiu and Zhi Zhi Wang, both of China, someone going by the online moniker "Delpiero", Sergey Pavolvich, of Belarus, and Dzmitry Burak and Sergey Storchak, both of Ukraine. Each of the six are charged with various identity theft and trafficking in access devices offences.
These indictments are the result of a three-year undercover investigation led by the San Diego office of the US Secret Service.
More TJX suspects
These are not the first charges in the TJX case - six people were arrested in Florida in March 2007 on suspicion of using card details obtained in the TJX heist to buy gift cards at Wal-Mart and Sam's Club stores throughout Florida. The group allegedly used gift vouchers to buy high-value items including computers and widescreen TVs, taking banks for losses estimated at $8m.
Those arrested as part of the scam included Irving Escobar, then 18, Reinier Camaraza Alvarez (27), Julio Oscar Alberti (33) Dianelly Hernandez (19), Nair Zuleima Alvarez (40) and Zenia Mercedes Llorente (23). ®