Two Russian criminals have been sent down in America after pleading guilty to helping run the largest credit-card hacking scam in US history.
Muscovites Vladimir Drinkman, 37, and Dmitriy Smilianets, 34, ran a massive criminal ring that spent months hacking companies to get hold of credit and debit card information. They then sold it online to the highest bidders, who then recouped their investment by ripping off companies and citizens around the world.
"Drinkman and Smilianets not only stole over 160 million credit card numbers from credit card processors, banks, retailers, and other corporate victims, they also used their bounty to fuel a robust underground market for hacked information," said acting assistant attorney general John Cronan on Thursday.
"While mega breaches like these continue to affect millions of individuals around the world, hackers and would-be hackers should know that the Department of Justice will use all available tools to identify, arrest, and prosecute anyone who attacks the networks on which businesses and their customers rely."
The dodgy duo were arrested by Dutch authorities while on a trip to Amsterdam in June 2012 and sent to the US for trial. They were charged the following year, along with three associates who are still at large: Alexandr Kalinin, 31, of St Petersburg; fellow Muscovite Roman Kotov, 36; and Ukrainian Mikhail Rytikov, 30, of Odessa.
The two first caught Uncle Sam's attention in 2009 when they were noted to be working with US hacker Albert Gonzalez, who is serving a 20-year sentence for masterminding the hacking attacks that hit TJ Maxx and Heartland Payment Systems.
According to the Feds, Drinkman and his hacker chum Kalinin specialized in SQL injection attacks against corporate servers with the intent of grabbing payment card information and personal data needed to exploit it. Once inside the network, their associate Kotov would search for useful information using custom software sniffing tools, it is claimed.
Rytikov, prosecutors allege, acted as the group's ISP, supplying internet access that the gang knew would be unlogged and unrecorded. Smilianets handled the sales side, working dark web forums to find buyers for the cards at a cost of $50 per EU card, $10 for American accounts, and $15 for Canadian credit cards.
NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard were among the victims of the gang, the Feds claim. The final cost is difficult to estimate but just three of the companies targeted reported losses of over $300m thanks to the gang.
"These defendants operated at the highest levels of illegal hacking and trafficking of stolen identities," acting US attorney William Fitzpatrick said.
"They used their sophisticated computer skills to infiltrate computer networks, steal information and sell it for a profit. Perpetrators of some of the largest data breaches in history, these defendants posed a real threat to our economy, privacy and national security, and cannot be tolerated."
Drinkman pleaded guilty in a New Jersey district court to one count of conspiracy to commit unauthorized access of protected computers and one count of conspiracy to commit wire fraud. Judge Jerome Simandle sentenced him to 12 years in a US prison and three years' supervised release afterwards.
Smilianets got off more lightly, after pleading guilty to a single case of conspiracy to commit wire fraud. He was given about four and a half years in the clink, has already spent nearly five years in US jails, and will shortly be out under a three-year supervision order. Both are likely to be expelled from the country on their release, however.
"This case demonstrates the investigative capabilities of the US Secret Service and the collaborative efforts of our law enforcement partners, specifically the US Attorney's Office District of New Jersey, and the Dutch Ministry of Security and Justice," special agent in charge Mark McKevitt said.
"The Secret Service will continue to develop innovative ways to protect the financial infrastructure of the United States and bring to justice cyber criminals who use emerging technologies to conduct business." ®