Authorities in Boston have cracked what is believed to be the largest federal hacking and identity theft case ever, involving the theft and sale of more than 41 million credit and debit card numbers.
Eleven people, including a U.S. Secret Service informant, have been charged in connection with data breaches at nine major retailers, the Justice Department announced last month. Three of those charged are U.S. citizens while the others are from places such as Estonia, Ukraine, Belarus and China.
The indictment returned by a federal grand jury in Boston alleges that the suspects hacked into the wireless computer networks of retailers including TJX Cos., BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW and set up programs that captured card numbers, passwords and account information.
“They used sophisticated computer hacking techniques that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves,” Attorney General Michael Mukasey said. “And in total, they caused widespread losses by banks, retailers, and consumers.”
U.S. Attorney Michael J. Sullivan said that while most of the victims were in the United States, officials still haven’t identified all the people who had a card number stolen.
Sullivan said the alleged thieves weren’t computer geniuses, just opportunists who used a technique called “wardriving,” which involved cruising through different areas with a laptop and looking for accessible wireless Internet signals. Once they located a vulnerable network, they installed so-called “sniffer programs” that captured credit and debit card numbers as they moved through a retailer’s processing networks.
The information was stored on two servers in Ukraine and Latvia — one with more than 25 million credit and debit card numbers and another with more than 16 million numbers, Sullivan said.
According to the indictments, three of the defendants are U.S. citizens, one is from Estonia, three are from Ukraine, two are from China and one is from Belarus. One individual is known only by an alias online, and his place of origin is unknown.
In the Boston indictment, the alleged ringleader Albert “Segvec” Gonzalez of Miami was charged with computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy. Gonzalez, who is in custody in New York, faces a maximum penalty of life in prison if he is convicted of all the charges.
Indictments were also unsealed in San Diego against Maksym “Maksik” Yastremskiy of Kharkov, Ukraine, and Aleksandr “Jonny Hell” Suvorov of Sillamae, Estonia. They are charged with crimes related to the sale of the stolen credit card data.
Yastremskiy was arrested when he traveled to Turkey on vacation in July 2007. He is facing related Turkish charges, and U.S. officials said they have requested his extradition.
Justice Department officials said Suvorov was arrested on the San Diego charges by German officials in March. He is awaiting the resolution of extradition proceedings.
Indictments against Hung-Ming Chiu and Zhi Zhi Wang, both of China, and a person known only by the online nickname “Delpiero” were also unsealed in San Diego.
A Justice Department spokeswoman said those three suspects, together with five others, are still at large.