Romanian carders plead guilty to Subway hack

Criminal gang linked to massive Australian fraud.

Two Romanian nationals thought to have been part of a gang that stole 500,000 credit cards from an Australian business have pleaded guilty to fleecing bank cards from 150 US Subway restaurants.

The pair admitted to participating in the “international, multimillion-dollar scheme” which saw them break into vulnerable merchant networks including Subway and swipe some 146,000 credit cards resulting in $10 million in losses.

The gang attacked both the unnamed Australian business and Subway by exploiting open remote desktop protocol (RDP) connections and implanting keyloggers on payment terminals.

It was suspected the attack on the Australian business could result in more than $25 million in fraudulent transactions.

Australian Federal Police Detective Superintendent Brad Marden told SC last month that the syndicate had moved into other countries to attack organisations using the same methodologies.

Iulian Dolan, 28, pleaded guilty to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit access device fraud, and Cezar Butu, 27, pleaded guilty to one count of conspiracy to commit access device fraud. 

A third man, Adrian-Tiberiu Oprea, is in US custody awaiting trial.

Dolan would attempt to crack password protected RDP connections and then install keyloggers into the payment systems. Stolen card data was transferred to online caches.

He was responsible for stealing data from 6000 cardholders and was paid between $US5000 ($A4802) to $US7500 from Oprea.

Butu admitted to selling payment card data belonging to 140 cardholders.

Dolan will receive no more than a seven year sentence and Butu will receive no more than 21 months in prison.

The case was investigated by the US Secret Service, with the assistance of the New Hampshire State Police and Romanian authorities.

The US Department of Justice has released a statement on the case.