Russian National Admits Role In Largest Known Data Breach Conspiracy Ever Charged

Hackers Targeted Major Payment Processors, Retailers and Financial Institutions Around the World

CAMDEN, N.J. – A Russian national today admitted his role in a worldwide hacking and data breach scheme that targeted major corporate networks, compromised more than 160 million credit card numbers and resulted in hundreds of millions of dollars in losses –  the largest such scheme ever prosecuted in the United States.

The guilty plea was announced by New Jersey U.S. Attorney Paul J. Fishman, U.S. Secret Service Director Joseph P. Clancy and Assistant Attorney General Leslie Caldwell.

Vladimir Drinkman, 34, of Syktyvkar, Russia, and Moscow, pleaded guilty before Chief U.S. District Judge Jerome B. Simandle of the District of New Jersey to one count of conspiracy to commit unauthorized access of protected computers and one count of conspiracy to commit wire fraud.  Drinkman was arrested in the Netherlands on June 28, 2012, and was extradited to the District of New Jersey on Feb. 17, 2015.

“Defendants like Vladimir Drinkman, who have the skills to break into our computer networks and the inclination to do so, pose a cutting edge threat to our economic well-being, our privacy and our national security,” U.S. Attorney Fishman said. “The crimes to which he admitted his guilt have a real, practical cost to our privacy and our pocketbooks. Today’s guilty plea is a tribute to the skill and perseverance of the agents and prosecutors who brought him to justice.”

“This hacking ring’s widespread attacks on American companies caused serious harm and more than $300 million in losses to people and businesses in the U.S.,” said Assistant Attorney General Caldwell.  “As demonstrated by today’s conviction, our close cooperation with our international partners makes it more likely every day that we will find and bring to justice cyber criminals who attack America – wherever in the world they may be.  As law enforcement around the world responds to the cyber threat that affects us all, I am confident that this type of international cooperation that led to this result will be the new normal.”

“This cyber case highlights the effectiveness of global law enforcement partnerships in the detection and dismantling of criminal enterprises targeting United States citizens,” Director Clancy said.  “The support of U.S. Attorney’s offices and the resulting plea enhances the Secret Service’s commitment to vigorously pursue transnational threats to the U.S. financial infrastructure”.

According to documents filed in this case and statements made in court:

Drinkman and four co-defendants hacked into the networks of corporate victims engaged in financial transactions, retailers that received and transmitted financial data and other institutions with information that the conspirators could exploit for profit, including the computer networks of NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.

The five defendants each played specific roles in the scheme. Drinkman and Alexandr Kalinin, 28, of St. Petersburg, Russia, specialized in penetrating network security and gaining access to the corporate victims’ systems. Drinkman and Roman Kotov, 34, of Moscow, also a hacker, specialized in mining the networks to steal valuable data. The hackers hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 28, of Odessa, Ukraine. Dmitriy Smilianets, 32, of Moscow, sold the information stolen by the other conspirators and distributed the proceeds of the scheme to the participants.

Drinkman and Kalinin were previously charged in New Jersey as “Hacker 1” and “Hacker 2” in a 2009 indictment charging Albert Gonzalez, 34, of Miami, Florida, in connection with five corporate data breaches – including the breach of Heartland Payment Systems Inc., which at the time was the largest ever reported. Gonzalez is currently serving 20 years in federal prison for those offenses. Kalinin is also charged in two federal indictments in the Southern District of New York: the first charges Kalinin in connection with hacking certain computer servers used by NASDAQ and the second charges him and another Russian hacker, Nikolay Nasenkov, with an international scheme to steal bank account information from U.S.-based financial institutions. Rytikov was previously charged in the Eastern District of Virginia with an unrelated scheme.

Drinkman and Smilianets were arrested at the request of the United States while traveling in the Netherlands on June 28, 2012. Smilianets was extradited Sept. 7, 2012, and remains in federal custody. Kalinin, Kotov and Rytikov remain at large.

The Attacks

The five defendants penetrated the computer networks of several of the corporate victims and stole user names and passwords, means of identification, credit and debit card numbers and other corresponding personal identification information of cardholders. The conspirators allegedly acquired more than 160 million card numbers through hacking.

The initial entry was often gained using a “SQL injection attack.” SQL, or Structured Query Language, is a type of programing language designed to manage data held in particular types of databases; the hackers identified vulnerabilities in SQL databases and used those vulnerabilities to infiltrate a computer network. Once the network was infiltrated, the defendants placed malicious code, or malware, in the system. This malware created a “back door,” leaving the system vulnerable and helping the defendants maintain access to the network.  In some cases, the defendants lost access to the system due to companies’ security efforts, but were able to regain access through persistent attacks.

Instant message chats obtained by law enforcement revealed the defendants often targeted the victim companies for many months, waiting patiently as their efforts to bypass security were underway. The defendants had malware implanted in multiple companies’ servers for more than a year.

The defendants used their access to the networks to install “sniffers,” which were programs designed to identify, collect and steal data from the victims’ computer networks. The defendants then used an array of computers located around the world to store the stolen data and ultimately sell it to others.

Selling the Data

After acquiring the card numbers and associated data – which they referred to as “dumps” – the conspirators sold it to resellers around the world. The buyers then sold the dumps through online forums or directly to individuals and organizations. Smilianets was in charge of sales, selling the data only to trusted identity theft wholesalers. He charged approximately $10 for each stolen American credit card number and associated data, approximately $50 for each European credit card number and associated data and approximately $15 for each Canadian credit card number and associated data – offering discounted pricing to bulk and repeat customers. Ultimately, the end users encoded each dump onto the magnetic strip of a blank plastic card and cashed out the value of the dump by withdrawing money from ATMs or making purchases with the cards.

Covering Their Tracks

The defendants used a number of methods to conceal the scheme. Unlike traditional Internet service providers, Rytikov allowed his clients to hack with the knowledge he would never keep records of their online activities or share information with law enforcement.

Over the course of the conspiracy, the defendants communicated through private and encrypted communications channels to avoid detection. Fearing law enforcement would intercept even those communications, some of the conspirators attempted to meet in person.

To protect against detection by the victim companies, the defendants altered the settings on victim company networks to disable security mechanisms from logging their actions. The defendants also worked to evade existing protections by security software.

*          *          *

As a result of the scheme, financial institutions, credit card companies and consumers suffered hundreds of millions in losses – including more than $300 million in losses reported by just three of the corporate victims – and immeasurable losses to the identity theft victims in costs associated with stolen identities and false charges. The charges and allegations contained in indictments against the remaining defendants are merely accusations and the defendants are presumed innocent unless and until proven guilty.

The count of conspiracy to commit wire fraud in a manner affecting a financial institution to which Drinkman pleaded guilty carries a maximum potential penalty of 30 years in prison and a fine of the greatest of $1 million or twice the gain or loss from the offense. The count of conspiracy to gain unauthorized access to computers to which Drinkman pleaded guilty carries a maximum potential penalty of five years in prison and a fine of the greatest of $250,000 or twice the gain or loss from the offense. Sentencing is scheduled for Jan. 15, 2016.

U.S. Attorney Fishman credited the special agents of the U.S. Secret Service, Criminal Investigations, under the direction of Director Clancy, and the Newark Division, under the direction of Special Agent in Charge Carl Agnelli, for the ongoing investigation leading to today’s guilty plea.

The government is represented by Gurbir S. Grewal, Chief of the U.S. Attorney’s Office Economic Crimes Unit, and Assistant U.S. Attorney Andrew S. Pak of the Computer Hacking and Intellectual Property Section of the Economic Crimes Unit, Trial Attorneys Richard Green of the Criminal Division’s Computer Crime and Intellectual Property Section, and Judith Friedman of the Office of International Affairs.

U.S. Attorney Fishman also thanked public prosecutors with the Dutch Ministry of Security and Justice and the National High Tech Crime Unit of the Dutch National Police.

Defense counsel: Florian Miedel Esq., New York; Bart Stapert Esq., Amsterdam, Netherlands