For their roles in what US prosecutors have called "one of the largest" known cybercrime schemes, two Russian nationals have been handed lengthy prison terms.
The pair were found guilty of a worldwide data breach scheme which resulted in hundreds of millions of dollars in losses for targeted firms, the US Department of Justice (DoJ) said in a statement released on Thursday (15 Feb). In one heist, the men stole 160m credit card numbers.
Vladimir Drinkman, 37, was sentenced to 12 years in prison after pleading guilty to one count of conspiracy to commit unauthorised access of protected computers and one count of conspiracy to commit wire fraud.
The second suspect, Dmitriy Smilianets, 34, of Moscow, was handed just over four years in prison.
Both men first pleaded guilty in September 2015 in a New Jersey federal court.
They admitted hacking into Nasdaq, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.
Alongside three co-defendants, the Russian pair penetrated computers to steal usernames and passwords, credit card numbers and personal details via a technique known as an 'SQL injection'.
They would install malware – known as a "backdoor" - and lurk in networks to steal more data. The DoJ said that, in one case, the group had access to a server for more than a year. After scooping up swathes of sensitive information they would sell it via murky online forums.
Prosecutors said Smilianets was in charge of sales, advertising US credit card numbers for as little as $10. He would allegedly offer discounted pricing to bulk and repeat customers. Officials claimed that the fallout for the targeted financial institutions, credit card companies and US consumers was massive, with just three victims alone totalling roughly $300m in losses.
"These defendants operated at the highest levels of illegal hacking and trafficking of stolen identities," commented first assistant US attorney William Fitzpatrick.
"They used their sophisticated computer skills to infiltrate computer networks, steal information and sell it for a profit. Perpetrators of some of the largest data breaches in history, these defendants posed a real threat to our economy, privacy and national security, and cannot be tolerated."
In addition to the prison terms, judge Jerome Simandle sentenced Drinkman to three years of supervised release and Smilianets to five years of supervised release.
The DoJ said co-conspirators in the hacking scheme – named as Alexandr Kalinin, 31, Roman Kotov, 36, and Mikhail Rytikov, 30 - remain at large.
Law enforcement first named Drinkman and Kalinin in a 2009 indictment which charged another American - Albert Gonzalez, 34 – with five corporate data and financial breaches.
Gonzalez is currently serving 20 years in federal prison for those offences, the DoJ release said.
"Drinkman and Smilianets not only stole over 160 million credit card numbers from credit card processors, banks, retailers, and other corporate victims, they also used their bounty to fuel a robust underground market for hacked information," said acting assistant AG John Cronan.
"While mega breaches like these continue to affect millions of individuals around the world, hackers and would-be hackers should know that the DoJ will use all available tools to identify, arrest, and prosecute anyone who attacks the networks on which businesses and their customers rely."