NEWARK, N.J. — Four Russian nationals and a Ukrainian have been charged with running a sophisticated hacking organization that penetrated computer networks of more than a dozen major American and international corporations over seven years, stealing and selling at least 160 million credit and debit card numbers, resulting in losses of hundreds of millions of dollars.
Indictments were announced Thursday in Newark, where U.S. Attorney Paul Fishman called the case the largest hacking and data breach scheme ever prosecuted in the United States.
Heartland Payment Systems of Princeton, N.J., which processes credit and debit cards for small to midsized businesses, was identified as taking the biggest hit in a scheme starting in 2007 — the theft of more than 130 million card numbers at a loss of about $200 million.
At Atlanta-based Global Payment Systems, another major payment processing company, nearly 1 million card numbers were stolen, with losses of nearly $93 million, prosecutors said.
About 800,000 card numbers were stolen in an attack on the Visa network, but the indictment did not cite any loss figure.
The defendants were identified as Vladimir Drinkman, 32, of Syktyvkar, Russia, and Moscow; Aleksander Kalinin, 26, of St. Petersburg, Russia; Roman Kotov, 32, of Moscow; Dmitriy Smilianets, 29, of Moscow; and Mikhail Rytikov, 26, of Odessa, Ukraine.
Smilianets is in U.S. custody and was expected to appear in federal court next week. Drinkman is being held in the Netherlands pending extradition, prosecutors said. The other three remained at large.
The prosecution builds on the 2009 case that resulted in a 20-year prison sentence for Albert Gonzalez of Miami, who often used the screen name "soupnazi" and is identified in the new complaint as an unindicted co-conspirator. Other unindicted co-conspirators were also named. In the Gonzalez case, which focused on the theft from Heartland — at the time the biggest breach of its kind ever discovered in the U.S. — Kalinin and Drinkman were charged as "Hacker 1" and "Hacker 2."
Prosecutors identified the two as sophisticated hackers who specialized in penetrating the computer networks of multinational corporations, financial institutions and payment processors.
Kotov's specialty was harvesting data from the networks after they had been penetrated, and Rytikov provided anonymous Web-hosting services that were used to hack into computer networks and covertly remove data, the indictment said.
Smilianets was the information salesman, the government said.
The individuals who purchased the credit and debit card numbers and associated data from the hacking organization resold them through online forums or directly to others known as "cashers," the indictment said. According to the indictment, U.S. credit card numbers sold for about $10 each; Canadian numbers were $15; and better-encrypted European ones $50.
The cashers would encode the information onto the magnetic strips of blank plastic cards and cash out the value, by either withdrawing money from ATMs in the case of debit cards, or running up charges and purchasing goods in the case of credit cards.