Four Russian nationals and a Ukrainian have been charged with running a massive scheme that involved hacking more than 160 million credit and debit cards from 2005 to 2012.
The five men hacked into computer networks of more than a dozen major American and international companies, including J.C. Penney(JCP), Wet Seal(WTSL), 7-Eleven, Nasdaq(BANK), JetBlue(JBLU) and Dow Jones, to steal valuable personal identifying information and sell them, according to the U.S. Attorney's Office for New Jersey.
The defendants allegedly targeted retailers and other corporations engaged in financial transactions, or transmitting financial data. They took user names and passwords, means of identification, credit and debit card numbers and other corresponding personal identification information of cardholders, according to the indictment.
The data breach, which the U.S. Attorneys' office said was the largest such scheme ever prosecuted in the U.S., resulted in hundreds of millions of dollars in losses.
"Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security," said U.S. Attorney Paul Fishman.
The indictment said the five men played specific roles in the scheme.
Vladimir Drinkman and Alexandr Kalinin gained access to the companies' systems, while Roman Kotov mined the networks for valuable data.
The hackers used anonymous web-hosting services provided by Mikhail Rytikov to hide their identities. Dmitriy Smilianets was responsible for selling the stolen data and divvying up the proceeds among the five men.
Kalinin and Drinkman were previously charged in New Jersey in connection with five corporate data breaches.
How to hack a bank with a laptop
The U.S. Attorney's Office for the Southern District of New York on Thursday announced two additional indictments against Kalinin for hacking servers used by the financial securities market Nasdaq and an international scheme to steal bank account information by hacking U.S.-based financial institutions.
Law enforcement obtained instant message chats that reveal the defendants often targeted the companies for many months, "waiting patiently as their efforts to bypass security were underway," the New Jersey U.S. Attoney's office said. The men implanted malware software on companies' servers for more than a year.
Once they obtained the data, they would sell each stolen American credit card number for $10. European cards would go for $50, while Canadian cards for $15. Bulk and repeat customers would get discounted prices.
Other companies that were also allegedly defrauded were Hannaford, Heartland, Commidea, Dexia, Euronet, Visa Jordan, Global Payment, Diners and Ingenicard.