By Chief Political Correspondent Michael Aron
The victims included NASDAQ, the 7-Eleven Corporation, JC Penny and Visa in the Middle East.
U.S. Attorney Paul Fishman said the four Russian men and one Ukrainian face up to 30 years in prison for conspiracy to commit wire fraud.
“The conspirators in this criminal enterprise breached the computer networks of at least 17 major retailers, financial institutions and payment processors and obtained more than 160 million credit and debit card numbers. They then sold those to card numbers to individuals who ultimately used them to cause losses of at least $300 million. And that, by the way, is our conservative estimate of the losses, the amount we’ve been able to confirm so far and suffered by only three of the victim companies,” Fishman said.
Fishman said the defendants would spend months probing a company’s website for vulnerabilities, and when they found a way in, they bundled the data into “dumps,” as they’re called, and sold the data dumps to re-sellers around the world, who in turn sold them to people who then went to ATM machines and retail stores and drained the accounts.
“The scheme was so sophisticated and brought together some of the most experienced and skilled hackers in the world,” Fishman said.
In terms of the number of hacks and the amount of money stolen, Fishman said, this is the largest hacking conspiracy case ever. It’s a New Jersey case because the first corporate victim, Heartland Systems, has a server in Princeton.
The alleged scheme began in 2005 and it’s taken six years of investigation to crack it.
“People who do hacks like these guys were doing hacks leave digital fingerprints,” Fishman said.
A co-conspirator was charged in 2009 and is serving a 20-year sentence.
Fishman wouldn’t say whether he has cooperated with the Secret Service and the FBI, the agencies that investigated the global network.
And Fishman couldn’t say whether any of those charged today had actually been in the United States.
“They used servers in Pennsylvania, Virginia, New Jersey, Florida, Ukraine, Latvia. What the internet has done is made it so that if you want to steal $100 million from somebody in Florida, you don’t have to be in Florida anymore. You can be in Ukraine,” Fishman said.
The hackers hit Heartland Systems, with its server in Princeton, for $200 million.
“So they can be prosecuted in lots of places, but we do them here partly because it started here, partly because you’ll see that the largest victim so far was here, but also because honestly — and I’m gonna crow a little bit — I think we have the best cyber unit in the country,” Fishman said.
One defendant is in custody in Holland, one in the U.S. and three are fugitives. The one in U.S. custody makes a first appearance in New Jersey federal court next week.