A ring of people spread across the globe hacked into nine major U.S. companies and stole and sold more than 41 million credit- and debit-card...
A ring of people spread across the globe hacked into nine major U.S. companies and stole and sold more than 41 million credit- and debit-card numbers from 2003 to 2008, costing the companies and individuals hundreds of millions of dollars, federal law-enforcement officials said Tuesday.
“So far as we know, this is the single largest and most complex identity-theft case ever charged in this country,” U.S. Attorney General Michael Mukasey said at a news conference in Boston.
A grand-jury indictment released Tuesday charged that Albert “Segvec” Gonzalez, of Miami, the alleged ringleader, and 10 conspirators cruised around with a laptop and tapped into accessible wireless networks.
They then hacked into the networks of TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Dave & Buster’s, Sports Authority, Forever 21 and DSW. After gaining access to the systems, they installed programs that captured card numbers, passwords and account information, officials said.
Most Read Nation & World Stories
- U.S. Naval Academy: New hair rules don't apply to midshipmen
- Nation's new aircraft carrier enters next phase at shipyard
- John Cynn claims World Series of Poker title, wins $8.8M VIEW
- Trump questions US intel, not Putin, on Russia 2016 meddling WATCH
- Pussy Riot upstages Putin with protest that halts World Cup VIEW
Mukasey called the total dollar amount of the alleged theft “impossible to quantify at this point.” U.S. Attorney Michael Sullivan said that though most of the victims were in the United States, officials haven’t identified all the people who had a card number stolen.
Sullivan said the alleged thieves weren’t computer geniuses, just opportunists who used a technique called “wardriving,” which involved cruising through different areas with a laptop and looking for accessible wireless Internet signals. Once they located a vulnerable network, they installed “sniffer programs” that captured card numbers as they moved through a retailer’s processing networks.
The information was stored on two servers in Ukraine and Latvia, one with more than 25 million credit- and debit-card numbers and one with more than 16 million numbers, Sullivan said.
In addition to Gonzalez, two other Miami residents were charged in Boston, and eight people were charged in San Diego. The other defendants — one from Estonia, three from Ukraine, two from China, one from Belarus and one of unknown origin — allegedly concealed the data in encrypted computer servers they controlled in Europe and the United States. They sold some of the numbers, via the Internet, to other criminals, authorities said.
The suspected hackers also encoded some stolen numbers on the magnetic strips of blank credit or debit cards, which were then used to withdraw tens of thousands of dollars from automated teller machines, officials said.
Rene Palomino Jr., a Miami lawyer representing Gonzalez, said his client is innocent.
Lawyers for the other men charged in Boston did not return calls.
Part of the scheme came to the public’s attention last year, when TJX, which runs T.J. Maxx, Marshalls and other stores, found that credit- and debit-card information had been stolen from its computer systems.
Gonzalez was a U.S. Secret Service informant who helped the agency take over a Web site being used to transmit stolen identifiers and stolen credit-card numbers, U.S. Secret Service Director Mark Sullivan said.
But he added that the Secret Service later found out that Gonzalez had been feeding criminals information about investigations. “Obviously, we weren’t happy that a person working for us as an informant was double-dealing,” Mark Sullivan said.
Gonzalez is in a federal prison in New York awaiting trial on related charges.
Christopher Scott and Damon Patrick Toey, of Miami, were also charged in Boston. Maksym “Maksik” Yastremskiy, Dzmitry Burak, and Sergey Storchak, of Ukraine; Aleksandr “Jonny Hell” Suvorov, of Estonia; Hung-Ming Chiu and Zhi Zhi Wang, of China; Sergey Pavlovich, of Belarus; and a person known only by the online nickname of “Delpiero” were charged in San Diego.
The indictments charge the defendants with crimes related to the sale of the stolen credit-card data.
The indictments alleged Yastremskiy earned more than $11 million from his illicit operation.
Material from The Associated Press
is included in this report.