International hacking ring caught in $9 million fraud

Three individuals from Russia, Ukraine and Moldova have been indicted by a federal grand jury on charges of hacking into a computer network operated by the credit card processing company RBS WorldPay.

The 16-count indictment charges them with conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud, access device fraud and aggravated identity theft. The indictment alleges that the group used sophisticated hacking techniques to compromise the data encryption that was used by RBS WorldPay to protect customer data on payroll debit cards.

Once the encryption on the card processing system was compromised, the hacking ring allegedly raised the account limits on compromised accounts, and then provided a network of “cashers” with 44 counterfeit payroll debit cards, which were used to withdraw more than $9 million from more than 2,100 ATMs in at least 280 cities worldwide, including cities in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan and Canada. The $9 million loss occurred within a span of less than 12 hours.

The hackers then allegedly sought to destroy data stored on the card processing network in order to conceal their hacking activity. The indictment alleges that the “cashers” were allowed to keep 30 to 50 percent of the stolen funds, but transmitted the bulk of those funds back to the defendants. Upon discovering the unauthorized activity, RBS WorldPay immediately reported the breach.

The defendants Tsurikov, Pleshchuk, Covelin and “Hacker 3” each face a maximum sentence of up to 20 years in prison for conspiracy to commit wire fraud and each wire fraud count; up to five years in prison for conspiracy to commit computer fraud; up to five or 10 years in prison for each count of computer fraud; a two-year mandatory minimum sentence for aggravated identity theft; and fines up to $3.5 million dollars. The charges against Grudijev, the Tsois and Jevgenov carry a maximum of up to 15 years in prison for each count and a fine of up to $250,000. The indictment also seeks criminal forfeiture of $9.4 million from the defendants.

“Through the diligent efforts of the victim company and multiple law enforcement agencies within the United States and around the world, the leaders of a technically advanced computer hacking group were identified and indicted in Atlanta, sending a clear message to cyber-criminals across the globe, said FBI Atlanta Field Office Special Agent-in-Charge Greg Jones. “Justice will not stop at international borders, but continue with the on-going cooperation between the FBI and other agencies such as the Estonian Central Criminal Police and the Netherlands Police Agency.”

Don't miss