Eleven people have been charged with hacking major US retailers, including TJX.
The hacks compromised over 40 million people's credit- and debit-card details.
The defendants are based internationally: three from the US, one from Estonia, three from the Ukraine, two from the People's Republic of China and one from Belarus. One individual is known only by an online alias, and his place of origin is unknown, the US Department of Justice said on Tuesday.
Albert 'Segvec' Gonzalez, from Miami, was charged on Tuesday with computer fraud, wire fraud, access-device fraud, aggravated identity theft and conspiracy. Christopher Scott and Damon Patrick Toey, also from Miami, were indicted on related charges by a Boston court on Tuesday.
The Department of Justice alleges that Gonzalez and co-conspirators obtained the credit- and debit-card numbers by 'wardriving', or touring around testing wireless computer networks for vulnerabilities, then hacking into them.
Eight major US retailers were allegedly hacked by members of the gang. TJX Companies, which owns businesses including TK Maxx in the UK, admitted in a Securities and Exchange Commission filing in March 2007 that 45.7 million payment-card details had been stolen by unknown intruders, including details belonging to UK customers.
However, according to the Department of Justice, card details were also stolen by the gang from other retailers, including BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever21 and DSW.
Once inside the companies' networks, the alleged hackers installed 'sniffer' programs that would capture card numbers, as well as password and account information, as the numbers were processed. According to a report in The Wall Street Journal in March 2007, the hackers left encrypted messages in the TJX systems to tell each other which files had been copied. The newspaper also reported that TJX had used the Wireless Encryption Protocol (WEP) to encrypt transaction information. WEP has been repeatedly shown to be insecure.
The Department of Justice indictment alleges that, after the gang collected the information from the different chains, they concealed the data in encrypted computer servers in Eastern Europe and the US. They allegedly sold some of the credit- and debit-card numbers via the internet to other criminals in the US and Eastern Europe. The stolen numbers were 'cashed out' by encoding card numbers on the magnetic strips of blank cards; the defendants then used these cards to withdraw tens of thousands of dollars at a time from bank machines, stated the Department of Justice.
Gonzalez and others were also allegedly able to conceal and launder the fraud proceeds by using anonymous, internet-based currencies both within the US and abroad, and by channelling funds through bank accounts in Eastern Europe.
Indictments against the eight other alleged members of the gang were unsealed in San Diego, California, on Tuesday.
Maksym 'Maksik' Yastremskiy, of Kharkov, Ukraine, and Aleksandr 'Jonny Hell' Suvorov, of Sillamae, Estonia, were accused of "trafficking in unauthorised access devices" — which includes payment cards — the sale of the stolen payment-card data, and identity theft.
Hung-Ming Chiu and Zhi Zhi Wang of the People's Republic of China, along with a person known only by the online nickname 'Delpiero', were charged with conspiracy to possess unauthorised access devices, trafficking in unauthorised access devices, trafficking in counterfeit access devices, possession of unauthorised access devices, aggravated identity theft, and aiding and abetting.
Sergey Pavolvich, of Belarus, Dzmitry Burak and Sergey Storchak, of the Ukraine, were charged with conspiracy to traffic in unauthorised access devices. The Department of Justice said it believes all to be foreign nationals residing outside of the US.
Only Gonzalez, Yastremskiy and Suvorov are currently in custody. Gonzalez was working as an informant for the US Secret Service when he was arrested. He became an informant after being arrested in 2003 on a different access-device fraud charge. Gonzalez faces life imprisonment if found guilty.
Yastremskiy was arrested in July 2007 by Turkish officials when he travelled to Turkey on holiday. He has been held in Turkey since then, pending the resolution of related charges there. The US has made a formal request for his extradition.
Suvorov was apprehended by the German Federal Police in Frankfurt in March 2008 when he travelled there on holiday. He was apprehended at the request of the Department of Justice. He is currently being held during extradition proceedings to the US.
The remaining members of the alleged gang remain at large.
