WWD.com/business-news/legal/members-of-hacker-ring-charged-1703689/
government-trade
government-trade

Members of Hacker Ring Charged

Group believed responsible for theft of over 40 million credit and debit card numbers.

Credit Cards

The Justice Department has charged 11 people with the theft of more than 40 million payment card numbers from retailers including TJX Cos., DSW Inc. and Forever 21. The department’s investigation revealed an international operation of enormous scope and complexity tying together data security breaches at nine U.S. retailers that were previously thought to be unrelated.

This story first appeared in the August 6, 2008 issue of WWD.  Subscribe Today.

The alleged perpetrators were charged on Tuesday with fraud, identity theft and conspiracy in federal courts in Boston and San Diego.

According to indictments returned by federal grand juries in the two cities, the conspirators obtained the numbers by hacking into the wireless computer networks of various U.S. retailers and installing a type of software known as a packet sniffer to capture consumers’ data.

“So far as we know, this is the single largest and most complex identity theft case ever charged in this country,” said Attorney General Michael Mukasey in Boston. “They used sophisticated computer hacking techniques, breaching security systems and installing programs that gathered enormous quantities of personal financial data, which they then allegedly sold to others or used themselves. And, in total, they caused widespread losses by banks, retailers and consumers.”

The ring targeted a wide range of retailers, including BJ’s Wholesale Club Inc., OfficeMax, Boston Market, Barnes & Noble and Sports Authority, as well as TJX, Forever 21 and DSW. The TJX incident, which the company acknowledged in January 2007, was the largest. It compromised information relating to 45.7 million credit and debit cards as well as the driver’s licenses and, in some cases, social security numbers of as many as 450,000 customers who returned items without a receipt, TJX said.

The 11 people indicted include three U.S. citizens and citizens of at least four other countries in Europe and Asia. Miami resident Albert Gonzalez is alleged to be the plot’s mastermind.

According to the indictment returned Tuesday in Boston, Gonzalez had been arrested by the Secret Service in 2003 for access device fraud and subsequently worked as a confidential informant. His alleged further criminal activity was discovered later.

Of the suspects charged Tuesday, only three are in custody and only one, Gonzalez, is in U.S. custody. According to the Department of Justice, officials in Turkey are holding Maksym Yastremskiy of Ukraine and officials in Germany are holding Aleksandr Suvorov of Estonia. Both men face pending extradition proceedings. The U.S. charged all three in a related indictment in federal court in New York in May alleging that they stole card numbers from the Dave & Buster’s restaurant chain using sniffer software.

Gonzalez and alleged conspirators Christopher Scott and Damon Patrick Toey located retailers’ wireless networks by driving by with a laptop with Wi-Fi installed, according to the Boston indictment issued Tuesday. The group then hacked into the networks and installed sniffer software to collect payment card numbers as well as password and account information as the data was passing through the retailers’ networks. Some of the data were sold to other criminals in the U.S. and in Eastern Europe. The conspirators also withdrew tens of thousands of dollars at a time from ATMs using blank cards in whose magnetic strips they encoded stolen card numbers. They concealed fraudulent earnings by using anonymous Internet-based currencies and Eastern European bank accounts, the Justice Department alleged.

The San Diego indictments, brought after a three-year investigation by the Secret Service, charge Yastremskiy, Suvorov, Hung-Ming Chiu and Zhi Zhi Wang of China and an unidentified person known only by the Internet handle “Delpiero” with conspiracy, trafficking and identity theft for their alleged roles in selling the credit card data Gonzalez obtained. Sergey Pavolvich of Belarus and Dzmitry Burak and Sergey Storchak, both of Ukraine, were charged with conspiracy to traffic in unauthorized devices.