A hacker charged with the defrauding the Royal Bank of Scotland's WorldPay system has been extradited to the US from his home country of Estonia.
Sergei Tsurikov of Tallinn is accused of breaching the data encryption on pre-paid debit cards, which were then used to withdraw cash worldwide, the FBI said in a statement on Friday. The 26-year-old faces charges in Atlanta court of conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud and aggravated identity theft.
The charges date back to crimes committed in November 2008 over just 24 hours that saw $9.4m (£5.8m) pilfered from RBS WorldPay, which handles credit and debit card transactions and payroll management for other companies.
"Complex cyber-based criminal investigations such as this are becoming all too prevalent. The advances in technology, while aiding the corporate world and the consumer, also aid the criminal in conducting well coordinated fraud or theft-based schemes, often across international borders," said Atlanta FBI special agent in charge Brian Lamkin in a statement.
Tsurikov was indicted in November 2009 alongside Russia resident Viktor Pleshchuk, Moldova resident Oleg Covelin and an unidentified individual. Another four people, who are all residents of Tallinn, have been charged with lesser offenses of access device fraud.
Prosecutors allege that Tsurikov and the others facing serious charges hacked into RBS WorldPay's computer network and breached the data encryption on payroll debit cards. The cards are used by RBS WorldPay clients to pay their employees, who use the cards to get their wages from a cashpoint.
Once the card processing system was breached, the group raised the account limits on the compromised accounts, according to the US Department of Justice charges. They then allegedly used a ring of 'cashers' to withdraw more than $9m using 44 fake debit cards from over 2,100 cash machines in at least 280 cities dotted around the globe, in a span of less than 12 hours.
As well as returning the $9m allegedly taken, each defendant is facing a fine of up to $3.5m and several years in jail for each count (and attempted count) of wire fraud, computer fraud and identity theft.
In August 2008, an Estonian was among a group of hackers accused of infiltrating major US retailers' systems which compromised more than 40 million credit and debit card numbers, including some belonging to UK customers. In that case, the DoJ said that the stolen data was then sent back to encrypted servers in Eastern Europe and the US for storage.
In 2007, Estonia was also on the receiving end of denial-of-service and defacement attacks, suspected to have been carried out by Russian infiltrators, which crippled government and banking websites, as well as some cash machine operations. It was thought at the time that the attacks were in response to the relocation of the 'Bronze Soldier', a war memorial commemorating an unknown Russian who died fighting the Nazis.
The announcement of the successful extradition of Tsurikov comes following news of RBS's agreement to sell 80.01 percent of RBS WorldPay to Advent International and Bain Capital for up to £2bn. It will retain a minority stake of 19.99 percent as part of the agreement at the close of the deal, which is expected before the end of 2010.