A United States Judge this week sent two Russian nationals to prison for their involvement in a hacking scheme that compromised roughly160 million credit card numbers and incurred losses of hundreds of millions.
The two, Vladimir Drinkman, 37, and Dmitriy Smilianets, 34, both of Moscow, were arrested in the Netherlands on June 28, 2012. Smilianets was extradited to the United States on Sept. 7, 2012, while Drinkman was extradited on Feb. 17, 2015.
Drinkman, who previously pleaded guilty before U.S. District Judge Jerome B. Simandle of the District of New Jersey, was sentenced to 144 months in prison. Smilianets, who pleaded guilty in September 2013, was sentenced to 51 months and 21 days in prison.
Drinkman and Smilianets, along with three co-defendants, were charged with hacking into the networks of organizations engaged in financial transactions, retailers operating with financial data, and other institutions with information of interest to the group.
The conspirators hacked the computer networks of NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard, court documents and statements show.
Each of the five defendants played a specific role in the scheme, with Drinkman penetrating network security, gaining access to the corporate victims’ systems, and harvesting valuable data from the compromised networks. Smilianets would sell the stolen data and distribute the proceeds of the scheme to the participants.
The other three co-defendants, namely Alexandr Kalinin, 31, of St. Petersburg, Russia, Roman Kotov, 36, of Moscow, Russia, and Mikhail Rytikov, 30, of Odessa, Ukraine, are fugitives.
The hackers targeted the computer networks of corporate victims to steal information such as user names and passwords, means of identification, credit and debit card numbers, and other personal identification information of cardholders.
The group used SQL injection attacks to penetrate the victims’ networks. The hackers targeted vulnerabilities in SQL (Structured Query Language) databases for initial access, then installed malware on the system to create a backdoor and help them maintain access to the network. They would sometime assault a victim network for months before being able to bypass security.
“The defendants used their access to the networks to install ‘sniffers’, which were programs designed to identify, collect and steal data from the victims’ computer networks. The defendants then used an array of computers located around the world to store the stolen data and ultimately sell it to others,” a Department of Justice announcement reads.
The stolen data was sold through online forums or directly to individuals and organizations for around $10 for a stolen American credit card number and associated data, $50 for a European credit card number and associated data, and $15 for a Canadian credit card number and associated data.
Their customers would encode such data onto the magnetic strip of a blank plastic card and use it to withdraw money from ATMs or make purchases.
To conceal the scheme, the five defendants used various methods, starting with the use of anonymous web-hosting services provided by Rytikov. They also used private and encrypted communication channels and also attempted to evade protections by security software, in addition to modifying settings on victim networks to disable the logging of their actions.
“As a result of the scheme, financial institutions, credit card companies and consumers suffered hundreds of millions in losses – including more than $300 million in losses reported by just three of the corporate victims – and immeasurable losses to the identity theft victims in costs associated with stolen identities and false charges,” DoJ says.
In addition to prison terms, Drinkman and Smilianets were also sentenced to three years of supervised release.