Nasdaq hackers charged following 'largest known data theft in history'

The U.S. Department of Justice has charged five men who allegedly targeted the Nasdaq and stole over 160 million credit card numbers.

Five men have been charged in conspiring to steal data from corporate networks worldwide.


According to the Department of Justice, U.S. Attorney Paul J. Fishman of the District of New Jersey revealed the indictment today which charges five men with conspiracy, wire tapping and fraud.

The accused five Eastern European men operated a global hacking scheme which managed to infiltrate a number of the world's largest financial institutions and corporate networks -- allowing the alleged theft of 160 million credit cards in addition to hundreds of millions of dollars in losses.

The defendants are being charged with attacking the Nasdaq, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard. By targeting financial institutions, the hackers were able to steal valuable financial data for profit.

The case brought against the men (.pdf) is the largest hacking scheme ever prosecuted in the United States, according to DoJ officials.

Vladimir Drinkman, 32, of Moscow, Russia, and Alexandr Kalinin, 26, of St. Petersburg, Russia, each allegedly specialized in penetrating network security. Both were previously charged in New Jersey as “Hacker 1” and “Hacker 2” in a 2009 indictment charging Albert Gonzalez in connection with five corporate data breaches. Roman Kotov, 32, of Moscow, allegedly focused on in data mining the exposed networks. Court documents allege that the defendants hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Odessa, Ukraine. After data was lifted, Moscow-based Dmitriy Smilianets, 29, allegedly sold the information stolen and handled the books.

By using SQL injections, the hackers were able to lift login credentials from corporate networks, and then install malware to grant the group backdoor access. Sometimes, malware was left on company servers for over a year. Sniffers and a global control center were then developed and installed to store and sell the data.

After acquiring card numbers and additional data, the information dumps were then allegedly sold through online forums or directly to individuals and businesses. According to court documents, $10 was charged for each stolen American credit card number, approximately $50 for each European credit card number, and $15 for each Canadian credit card number. These numbers could then be encoded into blank plastic cards to withdraw funds at ATMs or make purchases.

"This type of crime is the cutting edge," said U.S. Attorney Fishman. "Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security. And this case shows, there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day. We cannot be too vigilant and we cannot be too careful."

If convicted, the defendants could end up behind bars for decades.