On 25 July 2013, the US Department of Justice made public a federal indictment issued by the US District Court of New Jersey charging five individuals with conspiracy in computer hacking, wire fraud and unauthorised computer access. The defendants are Vladimir Drinkman, Russian citizen, Alexandr Kalinin, Russian citizen, Roman Kotov, Russian citizen, Mikhail Rytikov, Ukranian citizen, and Dmitriy Smilianets, Russian citizen. The defendants together with four conspirators allegedly hacked major corporate computer networks and stole more than 160 million credit card numbers in order to sell them. The targeted companies are NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard. According to the US Department of Justice this is the largest data breach scheme ever prosecuted in the US.
According to the charging documents, the scheme was articulated in the following phases:
Scouting: the defendants and the conspirators identified potential corporate victims by searching their websites and studying their payment processing systems in order to identify vulnerabilities.
Illegal access: the defendants and the conspirators of illegally accessed the computer networks of the corporate victims by means of a Structured Query Language (SQL) injection attack, i.e. an attack on databases using the SQL language programming.
The malware: after gaining access, the defendants and the conspirators placed a malware in the hacked computer systems allowing them to access such systems at a later date in order to steal credit card information.
Concealing the attacks: it was part of the conspiracy that the defendants and the conspirators would use a number of advanced techniques to conceal their attacks. One of the techniques was bullet-proof hosting, i.e. leasing servers that are inaccessible to law enforcement. Another technique was the use of malware able to prevent anti-virus software from detecting the attacks.
Sale: after stealing credit card numbers and associated personal information (dumps), the defendants and the conspirators sold them in batches. The end users encoded the dumps onto magnetic strips of a blank plastic cards and used them to withdraw cash illegally from ATMs or make unauthorized purchases.
According to the US Department of Justice, as a consequence of the scheme, financial institutions, credit card companies and consumers suffered hundreds of millions in losses.
The charges described above are mere allegations that need to be proven in order to consider the defendants guilty.
On 28 June 2012, Drinkman and Smiliantes were arrested in the Netherlands. Smilianets was extradited to the US on 7 September 2012. Drinkman is currently facing extradition proceedings in the Netherlands.
- Computer Hacking Conspiracy (Title 18 United States Code, Section 371: Conspiracy to commit offense or to defraud United States).
- Conspiracy to Commit Wire Fraud (Title 18 United States Code, Section 1349: Attempt and Conspiracy).
- Unauthorized Computer Access (Title 18 United States Code, Section 1030(a)(2)(C) and (c)(2)(B)(i): Fraud and related activity in connection with computers).
- Wire Fraud (Title 18 United States Code, Section 1343: Fraud by wire, radio, or television; Section 2: Principals)
- Computer Hacking Conspiracy (Title 18 United States Code, Section 371: Conspiracy to commit offense or to defraud United States).
- Conspiracy to Commit Wire Fraud (Title 18 United States Code, Section 1349: Attempt and Conspiracy).
- Unauthorized Computer Access (Title 18 United States Code, Section 1030(a)(2)(C) and (c)(2)(B)(i): Fraud and related activity in connection with computers).
- Wire Fraud (Title 18 United States Code, Section 1343: Fraud by wire, radio, or television; Section 2: Principals)
- Computer Hacking Conspiracy (Title 18 United States Code, Section 371: Conspiracy to commit offense or to defraud United States).
- Conspiracy to Commit Wire Fraud (Title 18 United States Code, Section 1349: Attempt and Conspiracy).
- Unauthorized Computer Access (Title 18 United States Code, Section 1030(a)(2)(C) and (c)(2)(B)(i): Fraud and related activity in connection with computers).
- Wire Fraud (Title 18 United States Code, Section 1343: Fraud by wire, radio, or television; Section 2: Principals)
- Computer Hacking Conspiracy (Title 18 United States Code, Section 371: Conspiracy to commit offense or to defraud United States).
- Conspiracy to Commit Wire Fraud (Title 18 United States Code, Section 1349: Attempt and Conspiracy).
- Computer Hacking Conspiracy (Title 18 United States Code, Section 371: Conspiracy to commit offense or to defraud United States).
- Conspiracy to Commit Wire Fraud (Title 18 United States Code, Section 1349: Attempt and Conspiracy).
- Unauthorized Computer Access (Title 18 United States Code, Section 1030(a)(2)(C) and (c)(2)(B)(i): Fraud and related activity in connection with computers).
- Wire Fraud (Title 18 United States Code, Section 1343: Fraud by wire, radio, or television; Section 2: Principals)
This case proves how sophisticated cyberattacks can prejudice the interests of millions of people and generate huge financial losses. The breach of the payment processing systems of a limited number of companies allowed the defendants to steal around 160.000 credit card numbers.
The transnational nature of most cyberoffences requires effective and expedited international cooperation in order to identify and prosecute the authors. In the present case, the defendants allegedly carried out the illegal conduct outside the US causing significant damages in the US and elsewhere. The US issued two extradition requests to the Netherlands for the surrender of Smilianets and Drinkman, who had been arrested by Dutch authorities while traveling there. Effective extradition practice requires the ratification by States of bilateral or multilateral extradition treaties. In addition, States should have criminal laws punishing cyber-related offences in place. This makes possible to meet the double-criminality requirement, which is a condition for the surrender of defendants in the domestic law of many countries and under many extradition treaties.