US prosecutors have charged five men responsible for a hacking and credit card fraud spree that cost companies more US$300 million, in the biggest cyber crime case filed in US history.
The group of five men from Russia and Ukraine are estimated to have helped steal at least 160 million payment card numbers, resulting in losses in excess of US$300 million.
Companies targeted by the hackers include a Visa licensee, J.C. Penney, JetBlue Airways and French retailer Carrefour SA, according to an indictment unveiled in New Jersey.
Prosecutors also disclosed a new security breach against Nasdaq, but few details were provided.
Authorities have been pursuing the hackers for years.
Today they charged that each of the defendants had specialised tasks: Russians Vladimir Drinkman, 32, and Alexandr Kalinin, 26, hacked into networks, while Roman Kotov, 32, mined them for data. They allegedly hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Ukraine.
Russian Dmitriy Smilianets, 29, is accused of selling the stolen data and distributing the profits. Prosecutors said he charged US$10 for US cards, US$15 for Canadian cards and US50 for European cards.
The five hid their efforts by disabling their victims' anti-virus software and storing data on multiple hacking platforms, prosecutors said. They sold payment card numbers to resellers, who then sold them on online forums or to "cashers" who encode the numbers onto blank plastic cards.
The indictment cited Albert Gonzalez as a co-conspirator. He is already serving 20 years in prison after pleading guilty to helping mastermind the theft of more than 130 million credit card numbers from US payment processor Heartland Payment Systems beginning in December 2007, which resulted in approximately US$200 million of losses.
That case was the largest case of its kind before the latest indictments.
Prosecutors say the defendants worked with Gonzalez before his arrest in Miami, then continued on a crime spree after his capture.
Drinkman and Smilianets were arrested in June 2012, while traveling in the Netherlands, at the request of US authorities. Smilianets was extradited last September and is expected to appear in New Jersey Federal court next week. Drinkman is awaiting an extradition hearing in the Netherlands.
Prosecutors declined comment on the whereabouts of the other three defendants.
Kalinin and Drinkman were previously charged in New Jersey as "Hacker 1" and "Hacker 2" in a 2009 indictment charging Gonzalez in connection with five breaches.
The US Attorney's Office in Manhattan announced two other indictments against Kalinin, one charging he hacked servers used by Nasdaq from November 2008 through October 2010. It said he installed malicious software that enabled him and others to execute commands to delete, change or steal data.
The infected servers did not include the trading platform that allows Nasdaq customers to buy and sell securities, prosecutors said. Officials with Nasdaq said they could not immediately comment.
A source with knowledge of the breach said the indictment was not related to a 2010 attack that Nasdaq had previously disclosed, which was targeted against Directors Desk, a service used by corporate boards to share documents and communicate with executives, among other things.
The source said hackers appear to have used their access to the firm's network to create their own landing page on a Nasdaq website, where users were directed when they wanted to change their passwords.
The second indictment filed against Kalinin in Manhattan, which was unsealed on Thursday, charged that he worked with a sixth hacker, Russian Nikolay Nasenkov, 31, to steal bank account information from thousands of customers at Citibank and PNC Bank from 2005 to 2008, resulting in the theft of millions of dollars.