Two Russian men were sentenced Wednesday in Camden for their roles in an “extraordinary” cybercrime that federal officials said was the largest credit card scheme of its kind ever prosecuted.
According to prosecutors, the scheme was “without precedent — the volume of material stolen; the damage caused; the number of major corporate victims exceeded that of any other hacking cases charged in the United States.”
More than 160 million credit card numbers were stolen in attacks on 17 large financial institutions and retailers, starting in 2007 and continuing into 2012.
The victims included Visa Inc., Discover Financial Services, Nasdaq, 7-Eleven, JC Penney, JetBlue, European grocer Carrefour S.A., and New England supermarket chain Hannaford. Total losses to the businesses have never been fully calculated, but the government estimated that three of the institutions alone lost a total of $311 million.
The scheme was more than triple the number of credit cards exposed by either of the more recent Home Depot and Target Corp. breaches, prosecutors said.
Vladimir Drinkman, 37, and Dmitriy Smilianets, 34, both of Moscow, previously pleaded guilty to conspiracy counts before U.S. District Judge Jerome B. Simandle. On Wednesday, Simandle sentenced Drinkman to 12 years in federal prison and sentenced Smilianets to 53 months, or time served.
Drinkman and Smilianets met online and were keen on computer games, including one called Counter-Strike. It’s a series of first-person shooter video games, in which terrorists battle to commit an act of terror while counter-terrorists try to prevent it, according to Bloomberg News. Drinkman, Smilianets and three other co-defendants broke into the computer networks using “SQL injection attacks” to insert malicious code, court records say.
Drinkman, whom prosecutors described as a “gifted hacker,” specialized in penetrating network security and mining the networks. Sometimes the attacks took months to bypass company security systems. But once installed, Drinkman’s malware created “backdoors” that allowed the men to maintain access to the networks. The men often were surprised at the immense quantities of data the scheme generated, prosecutors said.
The men trafficked the credit card data to resellers around the world. Smilianets, who was in charge of sales, dealt directly to wholesalers. He charged about $10 for each stolen American credit card number, $15 for Canadian credit card numbers, and about $50 for each European number. Prosecutors said he offered bulk discounts and special deals for repeat customers. End users took the data, encoded the information onto magnetic strips affixed to blank plastic cards, and withdrew money from ATMs or used the cards to buy retail items.
Drinkman’s sentencing hearing Wednesday took place out of public view in a locked courtroom due to what Simandle described as “sensitive” and “exceptional circumstances.” He did not elaborate other than to say it was for “the benefit of law enforcement and the defendant.” Drinkman did not make a public statement of contrition.
Portions of Smilianets’ sentencing hearing were also held behind locked doors.
Asked by Simandle how much the scheme had netted for himself, Smilianets said “$100 million.” The burly Russian, dressed in a seersucker jacket, then took the opportunity to apologize for his crimes.
“There is no excuse for what I have done. I was driven by greed and my own selfishness. Nothing I say will change that, but I ask for forgiveness,” Smilianets said. “People said it was a victimless crime, that only banks suffer. I fell into the deception.”