Five indicted in massive hacking scheme

Companies reported $300 million in losses from the five-year series of attacks

By Grant Gross, IDG News Service | Security

Drinkman and Smilianets were arrested at the request of the DOJ while traveling in the Netherlands on June 28, 2012. Smilianets was extradited on Sept. 7, 2012, and remains in federal custody. Kalinin, Kotov and Rytikov remain at large.

The five defendants allegedly conspired with others to penetrate the computer networks of several of the largest payment processing companies, retailers and financial institutions, stealing the personal identifying information of individuals. They allegedly took user names and passwords, other means of identification and credit and debit card numbers, the DOJ said.

The attackers often gained initial entry into a corporate network through an SQL injection attack, the DOJ alleged. The hackers identified vulnerabilities in SQL databases and used those vulnerabilities to infiltrate a computer network. Once the network was infiltrated, the defendants allegedly placed malware on a network, creating a back door that allowed further access. In some cases, the defendants lost access to the system due to companies' security efforts, but they were able to regain access through persistent attacks. 

The defendants often targeted victim companies for many months, with the DOJ saying they waited "patiently" as their efforts to bypass security were underway. 

After acquiring the card numbers and related data, the conspirators sold them to resellers around the world, the DOJ alleged. The buyers then allegedly sold the so-called dumps through online forums or directly to individuals and organizations. Smilianets was allegedly in charge of sales, charging approximately $10 for each stolen U.S. credit card number and associated data, approximately $50 for each European credit card number and approximately $15 for each Canadian credit card number.

If convicted, the maximum penalties for each of the counts are: five years in prison for conspiracy to gain unauthorized access to computers; 30 years in prison for conspiracy to commit wire fraud; five years in prison for unauthorized access to computers; and 30 years in prison for wire fraud.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.
