WASHINGTON, August 6 – Eleven people have been indicted in Boston for stealing and selling some 40 million credit and debit card numbers they obtained by hacking into the computers of nine major US retailers, the US Justice Department said.
In what the department believes is the largest hacking and identity theft case it has ever prosecuted, the stolen numbers were sold via the Internet to other criminals in the US and Eastern Europe and used to withdraw tens of thousands of dollars at a time from ATMs.
The eleven defendants include three US citizens, three from Ukraine, two from China, one from Belarus, one from Estonia and one whose place of origin is unknown, the department said in a statement.
The indictment was returned Tuesday by federal grand juries in Boston, Massachusetts, and San Diego, California.
It alleges that the conspirators obtained the credit and debit card numbers by "wardriving" and hacking into the wireless computer networks of major retailers, including TJX Companies, BJ\’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
Once inside the networks, they installed "sniffer" programs that captured card numbers, as well as password and account information.
The indictment alleges that after they collected the data, the conspirators concealed the data in encrypted computer servers that the defendants controlled in Eastern Europe and the United States.
From there, the stolen numbers were "cashed out" by encoding card numbers on the magnetic strips of blank cards, and then used to extract cash from ATMs, the Justice Department said.
The defendants were allegedly able to conceal and launder their fraud proceeds by using anonymous Internet-based currencies both within the United States and abroad, and by channeling funds through bank accounts in Eastern Europe, it added.
"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," said US Attorney General Michael Mukasey.
"While technology has made our lives much easier it has also created new vulnerabilities," said US Attorney for the District of Massachusetts Michael Sullivan.
"This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results. Consumers, companies and governments from around the world must further develop ways to protect our sensitive personal and business information," he added.