US lawmakers have charged five men with conspiring in a worldwide hacking and data breach scheme that targeted major corporate networks, stole more than 160 million credit card numbers and resulted in hundreds of millions of dollars in losses.
Over a seven-year period the alleged conspirators successfully penetrated the networks of major banks - including Citibank and PNC - the Nasdaq stock market, and payment processors and corporate giants such as 7-eleven. Just three of the corporate victims reported more than $300 million in losses as a result of the spree.
The alleged ringleaders, Aleksandr Kalinin and Vladimir Drinkman were previously arraigned in New Jersey as 'Hacker 1' and 'Hacker 2' in a 2009 indictment charging Albert Gonzalez, 32, of Miami, in connection with five corporate data breaches - including the massive attack on Heartland Payment Systems. Gonzalez is currently serving 20 years in federal prison for those offenses.
US attorneys in New York have unsealed two additional indictments against Kalinin: one charges him in connection with hacking certain computer servers used by Naasdaq and another with an international scheme to steal bank account information by hacking US-based financial institutions.
According to court documents, Kalinin and Drinkman and three other defendants allegedly pilfered 160 million card numbers, and associated user names and passwords, which they then sold on through the criminal underworld, charging $10 for each stolen American credit card number and associated data, $15 for Canadian cardholders and $50 for European cards - offering discounted pricing to bulk and repeat customers.
Court documents allege that the initial entry was often gained using a SQL injection attack. Once the network was infiltrated, the defendants allegedly placed malicious code, or malware, on the system. The defendants allegedly had malware implanted in multiple companies' servers for more than a year.
If convicted, the maximum penalties for the charged counts are: five years in prison for conspiracy to gain unauthorized access to computers; 30 years in prison for conspiracy to commit wire fraud; five years in prison for unauthorized access to computers; and 30 years in prison for wire fraud.