Eleven people accused of hacking nine major U.S. retailers and stealing more than 40 million credit and debit card numbers have been charged with numerous crimes, including conspiracy, computer intrusion, fraud and identity theft, according to federal officials.
The scheme is believed to constitute the largest hacking and identity theft case ever prosecuted by the Department of Justice.
Three of those charged are U.S. citizens, one is from Estonia, three are from Ukraine, two are from the People's Republic of China and one is from Belarus. One individual is only known by an alias online, and his place of origin is unknown.
The indictment returned by a federal grand jury in Boston charges Albert "Segvec" Gonzalez, of Miami with computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy for his role in the scheme. Criminal information also was released on related charges against Christopher Scott and Damon Patrick Toey, both of Miami.
The Boston indictment alleges that during the course of the sophisticated conspiracy, Gonzalez and his co-conspirators obtained the credit and debit card numbers by "wardriving" and hacking into the wireless computer networks of major retailers. They are alleged to be responsible for the TJX Companies data breach, as well as BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
Once inside the networks, they installed "sniffer" programs that would capture card numbers, as well as password and account information, as they moved through the retailers' credit and debit processing networks.
The indictment maintains that after they collected the data, the conspirators concealed the data in encrypted computer servers that they controlled in Eastern Europe and the United States. They allegedly sold some of the credit and debit card numbers, via the Internet, to other criminals in the United States and Eastern Europe. The stolen numbers were "cashed out" by encoding card numbers on the magnetic strips of blank cards.
The defendants then used these cards to withdraw tens of thousands of dollars at a time from ATMs. Gonzalez and others were allegedly able to conceal and launder their fraud proceeds by using anonymous Internet-based currencies both within the United States and abroad, and by channeling funds through bank accounts in Eastern Europe.
Gonzalez was previously arrested by the Secret Service in 2003 for access device fraud. During the course of this investigation, the Secret Service discovered that Gonzalez, who was working as a confidential informant for the agency, was criminally involved in the case.
Because of the size and scope of his criminal activity, Gonzalez faces a maximum penalty of life in prison if he is convicted of all charges.
"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," said U.S. Attorney General Michael Mukasey. "It highlights the efforts of the Justice Department to fight this pernicious crime and shows that, with the cooperation of our law enforcement partners around the world, we can identify, charge and apprehend even the most sophisticated international computer hackers."