The two alleged network intruders, identified as 20-year-old Alexey Ivanov and 25-year-old Vasiliy Gorshkov, were indicted earlier this month on counts of conspiracy, wire fraud and violations of the Computer Crime and Abuse Act, said Assistant U.S. Attorney Stephen Schroeder.
The duo allegedly broke into the computer systems of several e-commerce companies, stole credit-card information and then returned to the companies as "consultants" to charge for fixing the flaw.
"After they hacked into the system, they would communicate with the system administrator and ask to be paid for information regarding the vulnerability," said Schroeder, the prosecutor assigned to the case for the Western District of Washington.
Among the victims in the case are Internet service providers Speakeasy.net of Seattle and San Diego-based CTF as well as the Los Angeles-based U.S. subsidiary of South Korea's Nara Bank. Schroeder said that evidence also linked the two to the theft of 15,700 credit-card numbers from Western Union last September.
Federal authorities say they also found evidence that the two intended to create a Web page made to resemble the site of online cash-transfer service PayPal to nab credit card numbers from more victims. However, it's unknown whether the scam was ever attempted.
A PayPal spokesman confirmed that such a site existed. "In fact, a number of 'mirror' or 'spoof' sites of PayPal's Web site were constructed and briefly displayed on the Web in 2000--(that one) being among the most publicized," said Vincent Sollitto, vice president of corporate communications for the company.
However, Sollitto stressed that even if an online fraudster garnered account names and passwords, it would be nearly impossible to exploit them.
"Data is not fully displayed in a user's PayPal acccount," he said. "Additionally, PayPal is able to trace any suspicious transaction once it is reported to the service, (and) PayPal provides free insurance against unauthorized transactions."
International crime spree
The duo's alleged exploits largely match the details of a warning issued by the FBI in March regarding the activities of organized hacker groups in Russia and the Ukraine. The advisory blames the international groups for online break-ins at 40 companies in 20 states.
Schroeder said much of the information in the advisory came from details revealed by the FBI and the Department of Justice during their investigation of Ivanov and Gorshkov. He added that the arrests, at most, scratched the surface of computer-crime circles in Russia.
"There is not just one group in Russia," he said. "And I'm sure that we didn't get this entire group."
Internet sting operation
Federal authorities say they arrested the two Russians after an FBI sting operation lured them to the United States with promises of a job with a fictitious company.
The FBI started the sting operation in July after it had identified Ivanov as a suspect, said Schroeder.
"We communicated with them and set up a system and invited them to probe the system," he said, adding that when the two cracked into the computer, law enforcement officials noted what vulnerabilities they exploited.
Over several months, law enforcement managed to convince the Russians to come to the United States to join the company. When they arrived in November, they were arrested.
Ivanov's court-appointed attorney Kenneth Kanev could not be reached for comment. CNET News.com could not immediately identify the court assigned to represent Gorshkov.
Currently, Gorshkov is being held without bail in Seattle until his May 29 trial. Ivanov has been remanded to Connecticut authorities to face charges there.