Showing posts with label U.S. Secret Service. Show all posts

Friday, December 1, 2017

Russian Cyber-Criminal Sentenced To 14 Years In Prison For Role In Organized Cybercrime Ring Responsible For $50 Million In Online Identity Theft And $9 Million Bank Fraud Conspiracy


A Russian cyber-criminal was sentenced today to 14 years in prison for his role in a $50 million cyberfraud ring and for defrauding banks of $9 million through a hacking scheme.

Acting Assistant Attorney General John P. Cronan of the Justice Department’s Criminal Division, Acting U.S. Attorney Steven W. Myhre of the District of Nevada, U.S. Attorney Byung J. Pak of the Northern District of Georgia, Assistant Special Agent in Charge Michael Harris of U.S. Immigration and Customs Enforcement’s Homeland Security Investigations (ICE HSI), Special Agent in Charge Brian Spellacy of the U.S. Secret Service in Las Vegas, and FBI Special Agent in Charge David J. LeValley in Atlanta made the announcement.

Roman Valeryevich Seleznev aka Track2, Bulba and Ncux, 33, was sentenced by U.S. District Judge Steve C. Jones of the Northern District of Georgia to serve 168 months in prison for one count of participation in a racketeering enterprise pursuant to an indictment returned in the District of Nevada, and to 168 months in prison for one count of conspiracy to commit bank fraud pursuant to an indictment returned in the Northern District of Georgia, with the sentences to run concurrent to one another. In both cases, Seleznev was ordered three years of supervised release to run concurrently.  He was also ordered restitution in the amount of $50,893,166.35 in the Nevada case and $2,178,349 in the Georgia case. Seleznev pleaded guilty to the charges on Sept. 7.

In connection with his guilty plea in the Nevada case, Seleznev admitted that he became associated with the Carder.su organization, an identity theft and credit card fraud ring, in January 2009. According to Seleznev’s admissions in his plea agreement, Carder.su was an Internet-based, international criminal enterprise whose members trafficked in compromised credit card account data and counterfeit identifications and committed identity theft, bank fraud, and computer crimes. Seleznev admitted that the group tried to protect the anonymity and the security of the enterprise from both rival organizations and law enforcement. For example, members communicated through various secure and encrypted forums, such as chatrooms, private messaging systems, encrypted email, proxies and encrypted virtual private networks. Gaining membership in the group required the recommendation of two current members in good standing.

Seleznev further admitted that he sold compromised credit card account data and other personal identifying information to fellow Carder.su members.  The defendant sold members such a large volume of product that he created an automated website, which he advertised on the Carder.su organization’s websites.  His automated website allowed members to log into and purchase stolen credit card account data.  The defendant’s website had a simple interface that allowed members to search for the particular type of credit card information they wanted to buy, add the number of accounts they wished to purchase to their “shopping cart” and upon check out, download the purchased credit card information.  Payment of funds was automatically deducted from an established account funded through L.R., an online digital currency payment system.

Seleznev further admitted that he sold each account number for approximately $20.  The Carder.su organization’s criminal activities resulted in loss to its victims of at least $50,893,166.35.

In connection with his guilty plea in the Northern District of Georgia case, Seleznev admitted that he acted as a “casher” who worked with hackers to coordinate a scheme to defraud an Atlanta-based company that processed credit and debit card transactions on behalf of financial institutions.  Seleznev admitted that pursuant to the scheme, in November 2008, hackers infiltrated the company’s computer systems and accessed 45.5 million debit card numbers, certain of which they used to fraudulently withdraw over $9.4 million from 2,100 ATMs in 280 cities around the world in less than 12 hours.

Fifty-five individuals were charged in four separate indictments in Operation Open Market, which targeted the Carder.su organization. To date, 33 individuals have been convicted and the rest are either fugitives or are pending trial.

The cases were investigated by HSI, the U.S. Secret Service, and FBI.  The Nevada case was prosecuted by Trial Attorney Catherine K. Dick of the Criminal Division’s Organized Crime and Gang Section and Assistant U.S. Attorney Kimberly M. Frayn of the District of Nevada.  The Northern District of Georgia case was prosecuted by Assistant U.S. Attorney Kamal Ghali of the Northern District of Georgia.

Seleznev is also a defendant in a wire fraud and computer hacking case brought by the Department of Justice in the U.S. District Court for the Western District of Washington.  On Aug. 25, 2016, a federal jury convicted Seleznev of 38 counts related to his role in a scheme to hack into point-of-sale computers to steal and sell credit card numbers to the criminal underworld.  On April 21, Seleznev was sentenced to 27 years in prison for those crimes, which will run concurrent to his sentences today.    

Saturday, September 9, 2017

Russian Cyber-Criminal Pleads Guilty To Role In Organized Cybercrime Ring Responsible For $50 Million In Online Identity Theft


The U.S. Justice Department released the below information:

A Russian cyber-criminal who sold stolen credit card data and other personal information through the identity theft and credit card fraud ring known as “Carder.su” pleaded guilty yesterday in two separate criminal cases to one count of participation in a racketeering enterprise and one count of conspiracy to commit bank fraud.

Acting Assistant Attorney General Kenneth A. Blanco of the Justice Department’s Criminal Division, Acting U.S. Attorney Steven W. Myhre of the District of Nevada, U.S. Attorney John A. Horn of the Northern District of Georgia, Assistant Special Agent in Charge Michael Harris of U.S. Immigration and Customs Enforcement’s Homeland Security Investigations (ICE HSI) and Special Agent in Charge Brian Spellacy of the U.S. Secret Service in Las Vegas made the announcement.

Roman Valeryevich Seleznev, aka Track2, aka Bulba, aka Ncux, 33, entered guilty pleas in both criminal cases at a hearing before U.S. District Judge Steve C. Jones of the Northern District of Georgia.  Seleznev pleaded guilty to one count of participation in a racketeering enterprise pursuant to an indictment returned in the District of Nevada, and one count of conspiracy to commit bank fraud pursuant to an indictment returned in the Northern District of Georgia.  He will be sentenced on December 11.

In connection with his guilty plea in the Nevada case, Seleznev admitted that he became associated with the Carder.su organization in January 2009. According to Seleznev’s admissions in his plea agreement, Carder.su was an Internet-based, international criminal enterprise whose members trafficked in compromised credit card account data and counterfeit identifications and committed identity theft, bank fraud and computer crimes. Seleznev admitted that the group tried to protect the anonymity and the security of the enterprise from both rival organizations and law enforcement. For example, members communicated through various secure and encrypted forums, such as chatrooms, private messaging systems, encrypted email, proxies and encrypted virtual private networks. Gaining membership in the group required the recommendation of two current members in good standing.

Seleznev further admitted that he sold compromised credit card account data and other personal identifying information to fellow Carder.su members. The defendant sold members such a large volume of product that he created an automated website, which he advertised on the Carder.su organization’s websites. His automated website allowed members to log into and purchase stolen credit card account data. The defendant’s website had a simple interface that allowed members to search for the particular type of credit card information they wanted to buy, add the number of accounts they wished to purchase to their “shopping cart” and upon check out, download the purchased credit card information. Payment of funds was automatically deducted from an established account funded through L.R., an on-line digital currency payment system. Seleznev admitted that he sold each account number for approximately $20.  The Carder.su organization’s criminal activities resulted in loss to its victims of at least $50,983,166.35.

In connection with his guilty plea in the Northern District of Georgia case, Seleznev admitted that he acted as a “casher” who worked with hackers to coordinate a scheme to defraud an Atlanta-based company that processed credit and debit card transactions on behalf of financial institutions.  Seleznev admitted that pursuant to the scheme, in November 2008, hackers infiltrated the company’s computer systems and stole 45.5 million debit card numbers, certain of which they used to fraudulently withdraw over $9.4 million from 2,100 ATMs in 280 cities around the world in less than 12 hours.

Fifty-five individuals were charged in four separate indictments in Operation Open Market, which targeted the Carder.su organization. To date, 33 individuals have been convicted and the rest are either fugitives or are pending trial.

The cases were investigated by HSI and the U.S. Secret Service.  The Nevada case is being prosecuted by Trial Attorney Catherine Dick of the Criminal Division’s Organized Crime and Gang Section and Assistant U.S. Attorney Kimberly M. Frayn of the District of Nevada.  The Northern District of Georgia case is being prosecuted by Assistant U.S. Attorney Kamal Ghali of the Northern District of Georgia.

Seleznev is also a defendant in a wire fraud and computer hacking case brought by the Department of Justice in the U.S. District Court for the Western District of Washington.  On Aug. 25, 2016, a federal jury convicted Seleznev of 38 counts related to his role in a scheme to hack into point-of-sale computers to steal and sell credit card numbers to the criminal underworld.  On April 21, Seleznev was sentenced to 27 years in prison for those crimes.    

Friday, April 21, 2017

Russian Cyber-Criminal Sentenced To 27 Years In Prison For Hacking And Credit Card Fraud Scheme


The U.S. Justice Department released the below information:

A 32-year-old Vladivostok, Russia, man was sentenced today to 27 years in prison for his computer hacking crimes that caused more than $169 million in damage to small businesses and financial institutions, announced Acting Assistant Attorney General Kenneth A. Blanco of the Justice Department’s Criminal Division and U.S. Attorney Annette L. Hayes of the Western District of Washington.

Roman Valeryevich Seleznev, aka Track2, was convicted in August 2016, of 38 counts related to his scheme to hack into point-of-sale computers to steal credit card numbers and sell them on dark market websites.  U.S. District Judge Richard A. Jones of the Western District of Washington imposed the sentence.

“This investigation, conviction and sentence demonstrates that the United States will bring the full force of the American justice system upon cybercriminals like Seleznev who victimize U.S. citizens and companies from afar,” said Acting Assistant Attorney General Blanco.  “And we will not tolerate the existence of safe havens for these crimes – we will identify cybercriminals from the dark corners of the Internet and bring them to justice.”

“Today is a bad day for hackers around the world,” said U.S. Attorney Annette L. Hayes. “The notion that the Internet is a Wild West where anything goes is a thing of the past.  As Mr. Seleznev has now learned, and others should take note – we are working closely with our law enforcement partners around the world to find, apprehend, and bring to justice those who use the internet to steal and destroy our peace of mind.  Whether the victims are multi-national banks or small pizza joints, we are all victims when our day-to-day transactions result in millions of dollars ending up in the wrong hands.”

According to evidence presented at trial, between October 2009 and October 2013, Seleznev hacked into retail point-of-sale systems and installed malicious software (malware) that allowed him to steal millions of credit card numbers from more than 500 U.S. businesses and send the data to servers that he controlled in Russia, the Ukraine and McLean, Virginia.  Seleznev then bundled the credit card information into groups called “bases” and sold the information on various criminal “carding” websites to buyers who used them for fraudulent purchases, according to evidence introduced during the trial of this case.
Many of the businesses targeted by Seleznev were small businesses, and included restaurants and pizza parlors in Western Washington, including Broadway Grill in Seattle, which was forced into bankruptcy following the cyber assault.  Testimony at trial revealed that Seleznev’s scheme caused approximately 3,700 financial institutions more than $169 million in losses.

Seleznev was taken into custody in July 2014 in the Maldives, and the laptop in his custody at that time contained more than 1.7 million stolen credit card numbers, including some from businesses in Western Washington.  The laptop also contained additional evidence linking Seleznev to the servers, email accounts and financial transactions involved in the scheme.  Evidence presented at trial showed that Seleznev earned tens of millions of dollars from his criminal activity.

Seleznev was convicted on Aug. 25, 2016, of 10 counts of wire fraud, eight counts of intentional damage to a protected computer, nine counts of obtaining information from a protected computer, nine counts of possession of 15 or more unauthorized access devices and two counts of aggravated identity theft. 

“Mr. Seleznev’s criminal enterprise was both sophisticated and expansive, with transnational implications.  This investigation exemplifies the ability of the U.S. Secret Service and our law enforcement partners to hold accountable those who perpetrate such crimes,” said Special Agent in Charge Robert L. Kierstead of the U.S. Secret Service.  “The ultimate success of this case is the result of an extraordinary collaborative effort by the Secret Service, the U.S. Attorney’s Office of the Western District of Washington, the Criminal Division’s Computer Crime and Intellectual Property Section and the Seattle Police Department.”

“Crime has no borders,” said Seattle Police Chief Kathleen O’Toole.  “This individual is responsible for defrauding victims out of millions of dollars in Seattle alone, and we are proud to work with our federal partners to bring him to justice.”

Seleznev is also charged in a separate indictment in the District of Nevada with participating in a racketeer influenced corrupt organization (RICO) and conspiracy to engage in a racketeer influenced corrupt organization, as well as two counts of possession of 15 or more counterfeit and unauthorized access devices.  Additionally, Seleznev is charged in the Northern District of Georgia with conspiracy to commit bank fraud, one count of bank fraud and four counts of wire fraud.  An indictment is merely an allegation, and the defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.


The U.S. Secret Service Electronic Crimes Task Force investigated the case.  Assistant U.S. Attorneys Norman M. Barbosa and Seth Wilkinson of the Western District of Washington and Trial Attorneys Harold Chun and Ethan Arenson of the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) prosecuted the case.  The CCIPS Cyber Crime Lab, and its Director, Ovie Carroll, provided substantial support for the prosecution.  The Office of International Affairs and the U.S. Attorney’s Office for the District of Guam also provided assistance in this case.

Friday, September 2, 2016

Romanian Hacker “Guccifer” Sentenced To 52 Months In Prison For Computer Hacking Crimes


The U.S. Justice Department released the below information:

Marcel Lehel Lazar, 44, of Arad, Romania, a hacker who used the online moniker “Guccifer,” was sentenced today to 52 months in prison for unauthorized access to a protected computer and aggravated identity theft.
Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, U.S. Attorney Dana J. Boente of the Eastern District of Virginia, Assistant Director in Charge Paul M. Abbate of the FBI’s Washington Field Office, Director Bill A. Miller of the U.S. Department of State’s Diplomatic Security Service (DSS) and Special Agent in Charge Brian J. Ebert of the U.S. Secret Service’s Washington Field Office made the announcement.
Lazar pleaded guilty before U.S. District Judge James C. Cacheris of the Eastern District of Virginia on May 25, 2016. 
According to admissions made in connection with his plea agreement, from at least October 2012 to January 2014, Lazar intentionally gained unauthorized access to personal email and social media accounts belonging to approximately 100 Americans, and he did so to unlawfully obtain his victims’ personal information and email correspondence. Lazar’s victims included an immediate family member of two former U.S. presidents, a former member of the U.S. Cabinet, a former member of the U.S. Joint Chiefs of Staff and a former presidential advisor, he admitted. In many instances, Lazar publicly released his victims’ private email correspondence, medical and financial information and personal photographs, according to the statement of facts filed with his plea agreement.
The FBI, DSS and the Secret Service investigated the case.  Senior Counsel Ryan K. Dickey and Peter V. Roman of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorneys Maya D. Song and Jay V. Prabhu of the Eastern District of Virginia are prosecuting the case.  The Criminal Division’s Office of International Affairs provided significant assistance.  The Justice Department thanks the government of Romania for their assistance in this matter.

Friday, August 26, 2016

New Hampshire Man Pleads Guilty To Computer Hacking And “Sextortion” Scheme Involving Multiple Female Victims


The U.S. Justice Department released the below information:

A New Hampshire man pleaded guilty today to remotely hacking into the online accounts of almost a dozen female victims and sending them threatening online communications, in some instances containing sexually explicit photos, in order to force the victims to send him sexually explicit photos of themselves. 
Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, U.S. Attorney Emily Rice of the District of New Hampshire and Resident Agent in Charge Holly Fraumeni of the U.S. Secret Service’s Manchester, New Hampshire, Field Office made the announcement. 
Ryan J. Vallee, 22, formerly of Belmont and Franklin, New Hampshire, pleaded guilty to a 31-count superseding indictment charging him with 13 counts of making interstate threats, one count of computer hacking to steal information, eight counts of computer hacking to extort, eight counts of aggravated identity theft and one count of cyberstalking. On March 16, 2016, while Vallee was awaiting trial, he was re-arrested on new criminal charges and has remained in custody since then. He is scheduled to be sentenced on Dec. 1, 2016, in the U.S. District Court for the District of New Hampshire.
According to admissions made in connection with his plea, from 2011 through March 2016, Vallee, using various aliases that included “Seth Williams” and “James McRow,” engaged in a computer hacking and “sextortion” campaign designed to force numerous victims to provide him with sexually explicit photographs of themselves and others.
Vallee admitted that he employed a variety of techniques to force his victims to cede to his “sextortionate” demands.  For example, according to the plea agreement, he repeatedly hacked into and took control over the victims’ online accounts, including their email, Facebook and Instagram accounts.  Once he had control of these accounts, Vallee locked the victims out of their own accounts and, in some cases, defaced the contents of the accounts, he admitted.  According to the plea, in at least one instance, Vallee hacked into a victim’s Amazon.com account, which stored her payment information and shipping address, then ordered items of a sexual nature and had them shipped to the victim’s home.  Vallee also admitted that in some instances, he obtained sexually explicit photos of the victims and their friends and distributed them to the victims, their friends and their family members.  With at least one victim, Vallee created a Facebook page using an account name that was virtually identical to the victim’s real Facebook account name, with one letter misspelled, he admitted.  He then posted sexually explicit photos of the victim on this fake Facebook page and issued “friend requests” to the victim, her friends and her family members, according to the plea agreement.
Vallee admitted that he repeatedly sent threatening electronic communications to his victims, usually by using spoofing or anonymizing text message services, in which he threatened his victims that unless they gave him sexually explicit photographs of themselves, he would continue with the above-described conduct.  According to the admissions in the plea agreement, when most of the victims refused to comply with Vallee’s demands and begged him to leave them alone, Vallee responded with threats to inflict additional harm.
The U.S. Secret Service investigated the case with substantial assistance from the Belmont Police Department.  Senior Trial Attorney Mona Sedky of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorney Arnold H. Huftalen of the District of New Hampshire are prosecuting the case.
Victims of “sextortion” schemes such as this often may be hesitant to come forward.  The Justice Department encourages individuals who may be the victims of similar schemes to contact their local law enforcement agencies to report this conduct. 

Saturday, September 19, 2015

FBI: Preparing For The Pope


The FBI website offers a report on how the FBI and the other government agencies are preparing for the Pope's visit to the U.S.

Pope Francis’ visit to three major metropolitan areas during his first visit to the United States presents special security challenges. But federal agencies—working closely with state and local law enforcement—have a well-rehearsed template to follow.
The pope’s six-day visit to Washington, D.C., New York City, and Philadelphia—which begins September 22—has been designated a national special security event (NSSE) by the Department of Homeland Security (DHS). An NSSE is a significant national or international event determined by DHS to be a potential target for terrorism or criminal activity. Under the designation, the U.S. Secret Service is placed in charge of event security and the FBI has the lead on collecting intelligence and—should a crisis occur—managing the response. Examples of past NSSEs include State of the Union addresses, party conventions, United Nations General Assembly meetings, inaugural events, and the Winter Olympics and Super Bowl in 2002.
Agencies have been coordinating and training together for months for the pope’s visit, including holding tabletop exercises in each of the cities. Agency leaders briefed the media a week before the pope’s arrival after a dry-run exercise in New York City.
“Preparations for events such as this are a cooperative effort,” said Diego Rodriguez, assistant director in charge of the FBI’s New York Field Office. “No one federal, state, or local agency alone can carry out the measures necessary to secure the event.”
You can read the rest of the report via the below link:

https://www.fbi.gov/news/stories/2015/september/preparing-for-the-pope  

Wednesday, September 16, 2015

Russian National Admits Role In Largest Known Data Breach Conspiracy Ever Prosecuted


The U.S. Justice Department released the below information:

A Russian national today admitted his role in a worldwide hacking and data breach scheme that targeted major corporate networks, compromised more than 160 million credit card numbers and resulted in hundreds of millions of dollars in losses –  the largest such scheme ever prosecuted in the United States.
Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, U.S. Attorney Paul J. Fishman of the District of New Jersey and Director Joseph P. Clancy of the U.S. Secret Service made the announcement.
Vladimir Drinkman, 34, of Syktyvkar, Russia, and Moscow, pleaded guilty before Chief U.S. District Judge Jerome B. Simandle of the District of New Jersey to one count of conspiracy to commit unauthorized access of protected computers and one count of conspiracy to commit wire fraud.  Drinkman was arrested in the Netherlands on June 28, 2012, and was extradited to the District of New Jersey on Feb. 17, 2015.  Sentencing is scheduled for Jan. 15, 2016.
“This hacking ring’s widespread attacks on American companies caused serious harm and more than $300 million in losses to people and businesses in the United States,” said Assistant Attorney General Caldwell.  “As demonstrated by today’s conviction, our close cooperation with our international partners makes it more likely every day that we will find and bring to justice cyber criminals who attack America – wherever in the world they may be.  As law enforcement around the world responds to the cyber threat that affects us all, I am confident that this type of international cooperation that led to this result will be the new normal.”
“Defendants like Vladimir Drinkman, who have the skills to break into our computer networks and the inclination to do so, pose a cutting edge threat to our economic well-being, our privacy and our national security,” said U.S. Attorney Fishman.  “The crimes to which he admitted his guilt have a real, practical cost to our privacy and our pocketbooks.  Today’s guilty plea is a tribute to the skill and perseverance of the agents and prosecutors who brought him to justice.”
“This cyber case highlights the effectiveness of global law enforcement partnerships in the detection and dismantling of criminal enterprises targeting U.S. citizens,” said Director Clancy.  “The support of U.S. Attorney’s offices and the resulting plea enhances the Secret Service’s commitment to vigorously pursue transnational threats to the U.S. financial infrastructure.”
According to documents filed in this case and statements made in court, Drinkman and four co-defendants allegedly hacked into the networks of corporate victims engaged in financial transactions, retailers that received and transmitted financial data and other institutions with information that the conspirators could exploit for profit, including the computer networks of NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.
According to the indictment in this case and statements made in court, the five defendants each played specific roles in the scheme.  Drinkman and Alexandr Kalinin, 28, of St. Petersburg, Russia, allegedly specialized in penetrating network security and gaining access to the corporate victims’ systems.  Drinkman and Roman Kotov, 34, of Moscow, allegedly specialized in mining the networks to steal valuable data.  The hackers hid their activities using anonymous web-hosting services allegedly provided by Mikhail Rytikov, 28, of Odessa, Ukraine.  Dmitriy Smilianets, 32, of Moscow, allegedly sold the information stolen by the other conspirators and distributed the proceeds of the scheme to the participants.
Drinkman and Kalinin were previously charged in New Jersey as “Hacker 1” and “Hacker 2” in a 2009 indictment charging Albert Gonzalez, 34, of Miami, in connection with five corporate data breaches, including the breach of Heartland Payment Systems Inc., which at the time was the largest ever reported.  Gonzalez is currently serving 20 years in federal prison for those offenses.  Kalinin is also charged in two federal indictments in the Southern District of New York: the first charges Kalinin in connection with hacking certain computer servers used by NASDAQ and the second charges him and another Russian hacker, Nikolay Nasenkov, with an international scheme to steal bank account information from U.S.-based financial institutions.  Rytikov was previously charged in the Eastern District of Virginia in an unrelated scheme.
Drinkman and Smilianets were arrested at the request of the United States while traveling in the Netherlands on June 28, 2012.  Smilianets was extradited on Sept. 7, 2012, and remains in federal custody.  Kalinin, Kotov and Rytikov remain at large.
The Attacks
According to documents filed in this case and statements made in court, the five defendants penetrated the computer networks of several of the corporate victims and stole user names and passwords, means of identification, credit and debit card numbers and other corresponding personal identification information of cardholders.  The conspirators allegedly acquired more than 160 million card numbers through hacking.
The initial entry was often gained using a “SQL injection attack.”  SQL, or Structured Query Language, is a type of programming language designed to manage data held in particular types of databases; the hackers allegedly identified vulnerabilities in SQL databases and used those vulnerabilities to infiltrate a computer network.  Once the network was infiltrated, the defendants allegedly placed malicious code (malware) in the system.  This malware created a “back door,” leaving the system vulnerable and helping the defendants maintain access to the network.  In some cases, the defendants lost access to the system due to companies’ security efforts, but were allegedly able to regain access through persistent attacks.
Instant message chats obtained by law enforcement revealed that the defendants allegedly targeted the victim companies for many months, waiting patiently as their efforts to bypass security were underway, sometimes leaving malware implanted in multiple companies’ servers for more than a year.
The defendants allegedly used their access to the networks to install “sniffers,” which were programs designed to identify, collect and steal data from the victims’ computer networks.  The defendants then allegedly used an array of computers located around the world to store the stolen data and ultimately sell it to others.
Selling the Data
According to documents filed in this case and statements made in court, after acquiring the card numbers and associated data – which they referred to as “dumps” – the conspirators sold it to resellers around the world.  The buyers then sold the dumps through online forums or directly to individuals and organizations.  Smilianets was allegedly in charge of sales, selling the data only to trusted identity theft wholesalers.  He allegedly charged approximately $10 for each stolen American credit card number and associated data, approximately $50 for each European credit card number and associated data and approximately $15 for each Canadian credit card number and associated data – offering discounted pricing to bulk and repeat customers.  Ultimately, the end users encoded each dump onto the magnetic strip of a blank plastic card and cashed out the value of the dump by withdrawing money from ATMs or making purchases with the cards.
Covering Their Tracks
According to documents filed in this case and statements made in court, the defendants allegedly used a number of methods to conceal the scheme.  Unlike traditional Internet service providers, Rytikov allegedly allowed his clients to hack with the knowledge he would never keep records of their online activities or share information with law enforcement.
Over the course of the conspiracy, the defendants allegedly communicated through private and encrypted communications channels to avoid detection.  Fearing law enforcement would intercept even those communications, some of the conspirators allegedly attempted to meet in person.
To protect against detection by the victim companies, the defendants allegedly altered the settings on victim company networks to disable security mechanisms from logging their actions.  The defendants also allegedly worked to evade existing protections by security software.
As a result of the scheme, financial institutions, credit card companies and consumers suffered hundreds of millions of dollars in losses – including more than $300 million in losses reported by just three of the corporate victims – and immeasurable losses to the identity theft victims in costs associated with stolen identities and false charges.
The charges and allegations contained in indictments are merely accusations and the defendants are presumed innocent unless and until proven guilty.
The case is being investigated by the U.S. Secret Service’s Criminal Investigations Division and Newark, New Jersey, Division.  The case is being prosecuted by Trial Attorney Richard Green of the Criminal Division’s Computer Crime and Intellectual Property Section, Chief Gurbir S. Grewal of the District of New Jersey’s Economic Crimes Unit and Assistant U.S. Attorney Andrew S. Pak of the District of New Jersey.  The Criminal Division’s Office of International Affairs, public prosecutors with the Dutch Ministry of Security and Justice and the National High Tech Crime Unit of the Dutch National Police also provided valuable assistance.

Tuesday, July 14, 2015

Vietnamese National Sentenced To 13 Years In Prison For Operating A Massive International Hacking And Identity Theft Scheme


The U.S. Justice Department released the below information:

A Vietnamese national was sentenced to 13 years in prison for hacking into U.S. businesses’ computers, stealing personally identifiable information (PII), and selling to other cybercriminals his fraudulently-obtained access to PII belonging to approximately 200 million U.S. citizens.
Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, Acting U.S. Attorney Donald Feith of the District of New Hampshire and Director Joseph P. Clancy of the U.S. Secret Service made the announcement.
Hieu Minh Ngo, 25, was sentenced today by U.S. District Court Judge Paul J. Barbadoro of the District of New Hampshire.  Ngo previously pleaded guilty to federal charges brought in the District of New Hampshire and the District of New Jersey, including wire fraud, identity fraud, access device fraud and four counts of computer fraud and abuse.
“From his home in Vietnam, Ngo used Internet marketplaces to offer for sale millions of stolen identities of U.S. citizens to more than a thousand cyber criminals scattered throughout the world,” said Assistant Attorney General Caldwell.  “Criminals buy and sell stolen identity information because they see it as a low-risk, high-reward proposition.  Identifying and prosecuting cybercriminals like Ngo is one of the ways we're working to change that cost-benefit analysis.”
“This case demonstrates that identity theft is a worldwide threat that has the potential to touch every one of us,” said Acting U.S. Attorney Feith.  “I want to acknowledge the excellent work of the United States Secret Service in identifying and capturing Mr. Ngo.  This case proves that the United States Attorney’s Office for the District of New Hampshire will work with law enforcement to investigate and prosecute identity thieves, even if they are halfway around the world.”
“The sentencing of this transnational cybercriminal illustrates another example of Secret Service success in the disruption and dismantling of global criminal networks,” said Director Clancy.  “This investigation and the resulting prosecution and sentencing should serve as a warning to criminals that we will relentlessly investigate, detect, and defend the Nation’s financial infrastructure.  This sentencing joins a long list of successes in combating financial crimes over our 150 year history.”
According to admissions made in connection with his guilty plea, from 2007 to 2013, Ngo operated online marketplaces from his home in Vietnam, including “superget.info” and “findget.me,” to sell packages of stolen PII.  These packages, known as “fullz,” typically included a person’s name, date of birth, social security number, bank account number and bank routing number.  Ngo also admitted to acquiring and offering for sale stolen payment card data, which typically included the victim’s payment card number, expiration date, CVV number, name, address and phone number.  Ngo admitted that he obtained some of the stolen PII by hacking into a New Jersey-based business and stealing customer information.
In addition to selling the “fullz,” Ngo admitted to offering buyers the ability to query online databases for the stolen PII of specific individuals.  Specifically, Ngo admitted that he offered access to PII for 200 million U.S. citizens, and that more than 1,300 customers from around the world conducted more than three million “queries” through the third-party databases maintained on his websites.
Ngo made nearly $2 million from his scheme.  The Internal Revenue Service has confirmed that 13,673 U.S. citizens, whose stolen PII was sold on Ngo’s websites, have been victimized through the filing of $65 million in fraudulent individual income tax returns.  
The case was investigated by the U.S. Secret Service’s Manchester Resident Office.  The case is being prosecuted by Senior Trial Attorney Mona Sedky of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorney Arnold H. Huftalen of the District of New Hampshire.
The case out of the District of New Jersey was investigated by the FBI, and is being prosecuted by the U.S. Attorney’s Office of the District of New Jersey.

Wednesday, June 24, 2015

Alleged Mastermind Of Global Cybercrime Campaigns Extradited To The United States To Face Charges


Earlier today, an indictment was unsealed in a Brooklyn, New York federal court charging Ercan Findikoglu, a Turkish citizen also known as “Segate,” with organizing three worldwide cyberattacks that inflicted $55 million in losses on the global financial system in a matter of hours. 

The defendant’s organization used sophisticated intrusion techniques to hack into the systems of global financial institutions, steal prepaid debit card data and eliminate withdrawal limits.  The stolen card data was then disseminated worldwide and used in making fraudulent ATM withdrawals on a massive scale across the globe.  The charges announced today follow charges previously brought against other members of the organization, including members of a New York City cell charged in May 2013 in connection with their roles in two of the attacks.  The defendant is scheduled to be arraigned at 11 a.m. today before U.S. Magistrate Judge Lois Bloom at the U.S. Courthouse, 225 Cadman Plaza East, Brooklyn, New York.

The charges were announced by Acting U.S. Attorney Kelly T. Currie for the Eastern District of New York and Special Agent in Charge Robert J. Sica of the U.S. Secret Service New York Field Office.

“Cybercriminals, and especially hackers as this defendant is alleged to be, wreak havoc and steal millions of dollars by breaching our information systems and networks with clicks and keystrokes from the perceived anonymity of their computers at locations all over the globe,” said Acting U.S. Attorney Currie.  “However, in doing so they leave traces in digital space that allow law enforcement to identify, apprehend and ultimately hold them accountable for their crimes.”

Acting U.S. Attorney Currie praised the extraordinary efforts of the Secret Service in investigating these complex network intrusions and thanked the authorities in Germany for their assistance in effecting the defendant’s extradition.  

“For the past twenty years, Special Agents assigned to the Secret Service New York Electronic Crimes Task Force have worked closely with our law enforcement partners, the business community and our partners in academia to pursue cybercriminals who have taken aim at our homeland’s financial infrastructure.  Today, we recognize our international law enforcement partners who were instrumental in the extradition of Ercan Findikoglu,” said Special Agent in Charge Sica.  “The significance of this case cannot be understated as Findikoglu is the alleged mastermind behind the global ATM cashout operations which plagued the financial services sector from 2010 until his capture in late 2013.  The Secret Service and its international partners remain committed to solving complex financial crimes as well as tracking down and bringing to justice significant cybercriminals who pose a threat to payment systems worldwide.”

As detailed in the indictment and other court filings, Findikoglu gained unauthorized access to, or “hacked,” the computer networks of at least three payment processors for various types of credit and debit card transactions (the Victim Processors).  He then targeted Visa and MasterCard prepaid debit cards serviced by the Victim Processors, breached the security protocols that enforce withdrawal limits on those cards, and then dramatically increased the account balances on those cards to allow withdrawals far in excess of the legitimate card balances.

Findikoglu allegedly managed a trusted group of co-conspirators who disseminated the stolen debit card information to leaders of “cashing crews” around the world; they, in turn, used the stolen information to conduct tens of thousands of fraudulent ATM withdrawals.  During these operations, Findikoglu allegedly maintained access to the computer networks of the Victim Processors in order to monitor the withdrawals.  These coordinated, calculated cyberattacks are known in the cyber-underworld as “Unlimited Operations,” because the manipulation of withdrawal limits enables the withdrawal of literally unlimited amounts of cash until the operation is shut down.

In one operation on Feb. 27 and 28, 2011, cashing crews withdrew approximately $10 million through approximately 15,000 fraudulent ATM withdrawals in at least 18 countries.  In a second operation on Dec. 22, 2012, cashing crews withdrew approximately $5 million through more than 4,500 ATM withdrawals in approximately 20 countries.  In a third operation on Feb. 19 and 20, 2013, cashing cells in 24 countries executed approximately 36,000 transactions and withdrew approximately $40 million from ATMs.  During this third operation, in New York City alone, cashing crews withdrew approximately $2.4 million in nearly 3,000 ATM withdrawals over the course of less than 11 hours.
Once the funds were extracted, Findikoglu and high-ranking members of the conspiracy allegedly received the proceeds from other co-conspirators in various forms, including by wire transfer, electronic currency and the personal delivery of U.S. and foreign currency. 

On one occasion, members of a New York City cashing crew transported approximately $100,000 to co-conspirators in Romania.  Findikoglu directed a co-conspirator to destroy evidence of their criminal activities after learning that a member of a New York cashing crew had been arrested.
On Dec. 18, 2013, Findikoglu was arrested in Frankfurt, Germany, and yesterday was extradited to the United States.                      

The government’s case is being handled by the U.S. Attorney’s Office of the Eastern District of New York’s National Security & Cybercrime Section.  Assistant U.S. Attorneys Hilary Jager, Douglas M. Pravda, Richard M. Tucker and Saritha Komatireddy are in charge of the prosecution.  Assistant U.S. Attorney Brian Morris of the Office’s Civil Division is responsible for the forfeiture of assets.  Additional assistance was provided by Marcus Busch and Cristina M. Posa of the Justice Department’s Office of International Affairs.

Friday, March 6, 2015

Three Defendants Charged With One Of The Largest Reported Data Breaches In U.S. History


The U.S. Justice Department released the below information:

An indictment was unsealed yesterday against two Vietnamese citizens who resided in the Netherlands, for their roles in hacking email service providers throughout the United States.  The guilty plea of one of the defendants was also unsealed at the same time.  In addition, a federal grand jury returned an indictment this week against a Canadian citizen for conspiring to launder the proceeds obtained as a result of the massive data breach.

Assistant Attorney General Leslie R. Caldwell of the Criminal Division, Acting U.S. Attorney John A. Horn of the Northern District of Georgia, Special Agent in Charge J. Britt Johnson of the FBI’s Atlanta Field Office, Special Agent in Charge Reginald Moore of the United States Secret Service’s (USSS) Atlanta Field Office and Special Agent in Charge Veronica F. Hyman-Pillot with the Internal Revenue Service-Criminal Investigation (IRS-CI) made the announcement.

“These men — operating from Vietnam, the Netherlands, and Canada — are accused of carrying out the largest data breach of names and email addresses in the history of the Internet,” said Assistant Attorney General Caldwell.   “The defendants allegedly made millions of dollars by stealing over a billion email addresses from email service providers.  This case again demonstrates the resolve of the Department of Justice to bring accused cyber hackers from overseas to face justice in the United States.”

“This case reflects the cutting-edge problems posed by today’s cybercrime cases, where the hackers didn’t target just a single company; they infiltrated most of the country’s email distribution firms,” said Acting U.S. Attorney Horn.  “And the scope of the intrusion is unnerving, in that the hackers didn’t stop after stealing the companies’ proprietary data—they then hijacked the companies’ own distribution platforms to send out bulk emails and reaped the profits from email traffic directed to specific websites.”

“Large scale and sophisticated international cyber hacking rings are becoming more problematic for both the law enforcement community that is faced with the challenges of identifying them and laying hands on them, but also the Fortune 500 companies that are so often their targets,” said Special Agent in Charge Johnson.  “The federal indictments, apprehensions and extraditions in this case represent several years of hard work as the FBI and its cadre of cyber trained agents and technical experts acted quickly to stop the ongoing damage to the numerous victim companies as a result of these individuals’ hacking activities.

“In August 2012, the FBI, with the assistance of its legal attaches stationed abroad and in conjunction with Dutch law enforcement officials, executed a search warrant in the Netherlands that disrupted continued compromises of those companies while allowing U.S. authorities to advance its investigation.  That investigation targeted not only the hackers but the businesses that helped monetize the data that was stolen from those victim companies.  This case further reflects the productive partnership of the FBI and the U.S. Secret Service in aggressively addressing this 21st century crime problem.”

“Our success in this case and other similar investigations is a result of our close work with our law enforcement partners,” said Special Agent in Charge Moore.  “The Secret Service worked closely with the Department of Justice and the FBI to share information and resources that ultimately brought these cyber criminals to justice.  This case demonstrates there is no such thing as anonymity for those engaging in data theft and fraudulent schemes.”

“Those individuals who line their pockets with money gained through deceiving others should know they will not go undetected and will be held accountable,” said Special Agent in Charge Hyman-Pillot.  “IRS Criminal Investigation is committed to unraveling financial transactions to ensure that those who engage in these illegal activities are vigorously investigated and brought to justice.”

According to allegations in the indictments, between February 2009 and June 2012, Viet Quoc Nguyen, 28, a citizen of Vietnam, allegedly hacked into at least eight email service providers (ESPs) throughout the United States and stole confidential information, including proprietary marketing data containing over one billion email addresses.  Nguyen, along with Giang Hoang Vu, 25, also a citizen of Vietnam, then allegedly used the data to send “spam” to tens of millions of email recipients.  The data breach was the largest in U.S. history and was the subject of a Congressional inquiry in June 2011.

David-Manuel Santos Da Silva, 33, of Montreal, Canada, was also indicted by a federal grand jury on March 4, 2015, for conspiracy to commit money laundering for helping Nguyen and Vu to generate revenue from the “spam” and launder the proceeds.

According to allegations in the indictments, Da Silva, the co-owner, president and a director of 21 Celsius Inc., a Canadian corporation that ran Marketbay.com, entered into an affiliate marketing arrangement with Nguyen that allowed the defendants to generate revenue from the computer intrusions and data thefts.

As an affiliate marketer, Nguyen allegedly received a commission on sales generated from Internet traffic that he directed to websites promoting specific products.  Nguyen allegedly used the information stolen from the ESPs to send “spam” emails to tens of millions of customers and provided hyperlinks to allow the purchase of the products.  These products were marketed by Da Silva’s Marketbay.com.

Between approximately May 2009 and October 2011, Nguyen and Da Silva received approximately $2 million for the sale of products derived from Nguyen’s affiliate marketing activities.

Vu was arrested by Dutch law enforcement in Deventer, Netherlands, in 2012 and extradited to the United States in March 2014.  On Feb. 5, 2015, Vu pleaded guilty to conspiracy to commit computer fraud.  He is scheduled to be sentenced on April 21, 2015, before U.S. District Judge Timothy C. Batten Sr. of the Northern District of Georgia.  Nguyen is a fugitive.

Da Silva was arrested based upon charges set forth in a criminal complaint at Ft. Lauderdale International Airport on Feb. 12, 2015, and is scheduled to be arraigned today in Atlanta before Magistrate Judge E. Clayton Scofield III.

The charges contained in an indictment are merely accusations, and defendants are presumed innocent unless and until proven guilty.

This case is being investigated by the FBI with the assistance of the USSS and IRS-CI.  Law enforcement in the Netherlands and the Criminal Division’s Office of International Affairs also provided valuable assistance.  This case is being prosecuted by Trial Attorney Peter Roman of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorney Steven D. Grimberg of the Northern District of Georgia.

Wednesday, February 18, 2015

Russian National Charged In Largest Known Data Breach Prosecution Extradited To United States


The U.S. Justice Department released the below link:

A Russian national appeared in federal court in Newark today after being extradited from the Netherlands to face charges that he conspired in the largest international hacking and data breach scheme ever prosecuted in the United States, announced Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, Secretary Jeh Johnson of the Department of Homeland Security, U.S. Attorney Paul J. Fishman of the District of New Jersey and Acting Director Joseph P. Clancy of the U.S. Secret Service.

Vladimir Drinkman, 34, of Syktyvkar and Moscow, Russia, was charged for his alleged role in a data theft conspiracy that targeted major corporate networks, stole more than 160 million credit card numbers, and caused hundreds of millions of dollars in losses.  Prior to his extradition, he had been detained by the Dutch authorities since his arrest in the Netherlands on June 28, 2012.

Drinkman appeared today before U.S. Magistrate Judge James B. Clark and entered a plea of not guilty to all 11 counts charged in the indictment and was ordered detained without bail.  Trial before U.S. District Judge Jerome B. Simandle was scheduled for April 27, 2015.

“Cyber criminals conceal themselves in one country and steal information located in another country, impacting victims around the world,” said Assistant Attorney General Caldwell.  “Hackers often take advantage of international borders and differences in legal systems, hoping to evade extradition to face justice.  This case and today's extradition demonstrates that through international cooperation, and through great teamwork between the Department of Justice and the Department of Homeland Security, we are able to bring cyber thieves to justice in the United States, wherever they may commit their crimes.”

“Drinkman’s extradition on the indictment this office brought more than a year and a half ago shows how relentlessly we will pursue those who are charged with these serious crimes,” said U.S. Attorney Fishman.  “The incredibly sophisticated work with our partners at the U.S. Secret Service to uncover this enormous, far-reaching scheme demanded an equal effort by our colleagues at the Department of Justice Criminal Division in Washington and our law enforcement partners overseas to bring the defendant back to face these charges.”

“This case demonstrates our commitment to fulfilling an important part of our integrated mission; that of protecting our Nation’s critical financial infrastructure,” said Acting Director Clancy.  “Our success in this investigation and other similar investigations is a credit to our skilled and relentless cyber investigators.  Our determination, coupled with our network of foreign law enforcement partners, ensures that our investigative reach can expand beyond the borders of the United States.”

According to the second superseding indictment, unsealed on July 25, 2013, and other court filings, Drinkman and four co-defendants each served particular roles in the scheme. Drinkman and Alexandr Kalinin, 28, of St. Petersburg, Russia, each allegedly specialized in penetrating network security and gaining access to the corporate victims’ systems.  Roman Kotov, 33, of Moscow, allegedly specialized in mining the networks Drinkman and Kalinin compromised to steal valuable data.

According to allegations in the indictment, the hackers hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 27, of Odessa, Ukraine.  Dmitriy Smilianets, 31, of Moscow, then allegedly sold the stolen information and distributed the proceeds of the scheme to the participants.

Drinkman and his co-defendants are charged with attacks on NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.  It is not alleged that the NASDAQ hack affected its trading platform.

Drinkman and Kalinin were previously charged in New Jersey as “Hacker 1” and “Hacker 2” in a 2009 indictment charging Albert Gonzalez, 33, of Miami, in connection with five corporate data breaches, including the breach of Heartland Payment Systems Inc., which at the time was the largest ever reported.  Gonzalez is currently serving 20 years in federal prison for those offenses.  Kalinin is also charged in two federal indictments in the Southern District of New York: one charges Kalinin in connection with hacking certain computer servers used by NASDAQ and the second charges him and another Russian hacker, Nikolay Nasenkov, with an international scheme to steal bank account information from U.S.-based financial institutions.  Rytikov was previously charged in the Eastern District of Virginia with an unrelated scheme.

Drinkman and Smilianets were arrested at the request of the United States while traveling in the Netherlands on June 28, 2012.  Smilianets was extradited on Sept. 7, 2012, and remains in federal custody.  Kalinin, Kotov and Rytikov remain at large.  All of the defendants are Russian nationals except for Rytikov, who is a citizen of Ukraine.

The Attacks

According to allegations in the indictment, the five defendants conspired with others to penetrate the computer networks of several of the largest payment processing companies, retailers and financial institutions in the world, stealing the personal identifying information of individuals.  They allegedly took user names and passwords, means of identification, credit and debit card numbers and other corresponding personal identification information of cardholders. The conspirators allegedly acquired at least 160 million card numbers through hacking.

The initial entry was often gained using a “SQL injection attack.”  SQL, or Structured Query Language, is a type of programming language designed to manage data held in particular types of databases.  The hackers allegedly identified vulnerabilities in SQL databases and used those vulnerabilities to infiltrate a computer network.  Once the network was infiltrated, the defendants allegedly placed malicious code, or malware, on the system.  This malware created a “back door,” leaving the system vulnerable and helping the defendants maintain access to the network.  In some cases, the defendants lost access to the system due to companies’ security efforts, but were allegedly able to regain access through persistent attacks.

Instant message chats obtained by law enforcement reveal that the defendants allegedly targeted the victim companies for many months, waiting patiently as their efforts to bypass security were underway, sometimes leaving malware implanted for more than a year.

The defendants allegedly used their access to the networks to install “sniffers,” which were programs designed to identify, collect and steal data from the victims’ computer networks. The defendants then allegedly used an array of computers located around the world to store the stolen data and ultimately sell it to others.

Selling the Data

After acquiring the card numbers and associated data—which they referred to as “dumps”—the conspirators allegedly sold it to resellers around the world.  The buyers then sold the dumps through online forums or directly to individuals and organizations.  Smilianets was allegedly in charge of sales, selling the data only to trusted identity theft wholesalers.  He allegedly charged approximately $10 for each stolen American credit card number and associated data, approximately $50 for each European credit card number and associated data and approximately $15 for each Canadian credit card number and associated data, offering discounted pricing to bulk and repeat customers.  Ultimately, the end users encoded each dump onto the magnetic strip of a blank plastic card and cashed out the value of the dump by either withdrawing money from ATMs or making purchases with the cards.

Covering Their Tracks

The defendants allegedly used a number of methods to conceal the scheme.  Rytikov allegedly allowed his clients to hack with the knowledge he would never keep records of their online activities or share information with law enforcement.

Over the course of the conspiracy, the defendants allegedly communicated through private and encrypted communications channels to avoid detection.  Fearing law enforcement would intercept even those communications, some of the conspirators allegedly attempted to meet in person.

To protect against detection by the victim companies, the defendants allegedly altered the settings on victim company networks to disable security mechanisms from logging their actions.  The defendants also allegedly worked to evade existing protections by security software.

As a result of the scheme, financial institutions, credit card companies and consumers suffered hundreds of millions in losses—including more than $300 million in losses reported by just three of the corporate victims—and immeasurable losses to the identity theft victims in costs associated with stolen identities and false charges.

The charges and allegations contained in indictments are merely accusations and the defendants are presumed innocent unless and until proven guilty.

The ongoing investigation is being conducted by the U.S. Secret Service.  The case is being prosecuted by Trial Attorney Rick Green of the Criminal Division’s Computer Crime and Intellectual Property Section, Chief Gurbir S. Grewal of the District of New Jersey’s Economic Crimes Unit, and Assistant U.S. Attorney Andrew S. Pak of the Computer Hacking and Intellectual Property Section of the District of New Jersey’s Economic Crimes Unit.

The Criminal Division’s Office of International Affairs assisted with the case, as did public prosecutors with the Dutch Ministry of Security and Justice and the National High Tech Crime Unit of the Dutch National Police.

Thursday, December 18, 2014

Criminal Charges Filed Against U.S. Citizen In Connection With A Multi-Million Dollar International Cyber Counterfeiting Scheme Based In Uganda


The U.S. Justice Department released the below information:

U.S. Attorney David J. Hickton for the Western District of Pennsylvania and U.S. Secret Service Special Agent in Charge Eric P. Zahren of the Pittsburgh Field Office today announced the filing of a criminal complaint in Pittsburgh charging a U.S. citizen with leading an international counterfeit currency operation headquartered in the Republic of Uganda. 
Ryan Andrew Gustafson, aka Jack Farrel, aka Willy Clock, 27, a U.S. citizen currently residing in Kampala, Uganda, was charged with conspiracy and counterfeiting acts committed outside of the U.S.  When he lived in the United States, he mainly resided in Texas and Colorado.
“This complicated, international cyber counterfeiting conspiracy was broken as a result of expert investigation by the Secret Service and a total commitment of all cooperating law enforcement to reject the premise that criminals committing cybercrimes in the U.S. – but who reside outside our borders – cannot be reached,” stated U.S. Attorney Hickton.  “We will hold cyber criminals accountable and bring them to justice no matter where they reside.”
“This investigation involves the manufacture of counterfeit U.S. currency, which has been the Secret Service’s core mission since 1865,” said Special Agent in Charge Zahren.  “Add to that the modern elements of an international counterfeiting conspiracy utilizing new-age, cyber technology, and it represents the full evolution and unique investigative capabilities of today’s Secret Service.”
As detailed in the affidavit in support of the criminal complaint, in December 2013, the Secret Service began investigating the passing of counterfeit Federal Reserve Notes (FRNs), believed to be manufactured in Uganda, at Pittsburgh-area retail stores and businesses.  Agents determined that an individual identified as J.G. had passed these notes and was renting a postal box at The UPS Store on Pittsburgh’s South Side.  On Feb. 19, 2014, law enforcement learned that J.G. received three packages addressed from Beyond Computers, located in Kampala, Uganda.  Agents executing a search warrant on the packages found $7,000 in counterfeit $100, $50 and $20 FRNs located in two hidden compartments within the packaging envelopes.  A fingerprint on a document inside one of the packages was identified as belonging to Ryan Andrew Gustafson.
The Secret Service subsequently worked with Ugandan authorities to identify the source of the counterfeit FRNs.  Their efforts led to A.B., who admitted to sending the packages, explaining that an American named “Jack Farrel,” and another person, provided him the counterfeit notes to ship.  Based on information provided by A.B., the Secret Service used facial recognition to identify Jack Farrel as Ryan Andrew Gustafson.
According to the affidavit, J.G. met “Willy Clock” on an online criminal forum called Tor Carding Forum.  Through private messaging, J.G. and Clock discussed counterfeit currency and J.G. agreed to purchase counterfeit FRNs. 
In January 2014, Clock told J.G. that he had established his own online forum called Community-X, a website dedicated to the selling of counterfeit reserve notes.  The forum requires a username and password to access the site, and individuals must be invited and approved by Clock to become members. The Secret Service used an undercover operative to communicate with Clock through the website, to purchase additional counterfeit $100 FRNs, and to become a re-shipper of counterfeit notes.
In November 2014, the Secret Service executed a search warrant at the residence of another re-shipper, who had been an active member of Community-X.  This person cooperated and provided information that a forum member had traveled to Uganda and brought back more than $300,000 in counterfeit notes.
The Secret Service, working with Ugandan authorities, engaged yet another confidential informant, in Uganda, who had knowledge of Jack Farrel and his counterfeiting operations.  On Dec. 11, 2014, this confidential informant called Farrel to arrange to purchase counterfeit FRNs.  The informant met Farrel’s associate and made the buy.  Two trusted sources followed the associate back to Farrel’s home and reported the location to the Secret Service, who turned it over to the Uganda Special Investigations Unit.  Their search of Farrel’s residence netted two million Ugandan shillings from the buy; $180,420 in counterfeit FRNs; counterfeit Euros, Indian Rupees, Ugandan Shillings, Congo Francs, and Ghana Cedis; computers and printers; inks and ink jet cartridges; paper cutters; glue sticks; “Give a Child Hope Today” pamphlets with counterfeit FRNs between glued-together pages; and a pair of “Anon Hands.”  Anon Hands are life-like rubber molds that fit like gloves over the user’s hands and are meant to conceal the wearer’s fingerprints.  As noted above, Farrel has been identified as Gustafson.  Evidence collected at the scene also allowed investigators to identify Gustafson as Willy Clock.
Gustafson was charged by Ugandan authorities on Dec. 16 with conspiracy, possession of counterfeit, selling/dealing in counterfeit, and unlawful possession of ammunition.  He was brought before the court that day to be informed about the charges; he also is being represented by counsel in Uganda.
U.S. Secret Service estimates $1.8 million in counterfeit FRNs have been seized and passed in Uganda.  The total amount of Ugandan-made counterfeit FRNs seized or passed domestically was approximately $270,000.  This amount was limited due to early detection by the Secret Service.
U.S. law provides for a maximum total sentence of 25 years in prison, a fine of $500,000, or both. Under the Federal Sentencing Guidelines, the actual sentence imposed would be based upon the seriousness of the offense and the prior criminal history, if any, of the defendant. 
U.S. Attorney Hickton commended numerous agencies and organizations for conducting the investigation leading to charges in this case, including the Directorate of Public Prosecution, the Criminal Investigations and Intelligence Department, the Special Investigations and Intelligence Unit, and Stanbic Bank in Uganda; various domestic and foreign Secret Service Field Offices, including the Rome, Italy, Field Office and the Criminal Investigative Division in Washington, D.C.; the U.S. State Department; the U.S. Postal Inspection Service; the Federal Bureau of Investigation; Homeland Security Investigations; U.S. Customs and Border Protection and the National Cyber-Forensics & Training Alliance.
Assistant U.S. Attorney Shardul S. Desai is prosecuting this case on behalf of the government.
A criminal complaint contains charges and is not evidence of guilt.  A defendant is presumed to be innocent until and unless proven guilty.

Sunday, October 26, 2014

FBI And Secret Service Team Up To Educate Private Sector On Cyber Crime


The FBI web site offers the below piece:

“Partnership is the key to any type of [long-lasting] cyber investigation and cyber team work,” said Executive Assistant Director Robert Anderson during a joint FBI/U.S. Secret Service presentation in Washington, D.C. on October 20, 2014 before the Financial Services Roundtable (FSR), an advocacy organization for the U.S. financial services industry. The event was held as part of National Cyber Security Awareness Month.

And Anderson wasn’t just talking about our growing partnership with the Secret Service—with whom the Bureau works collaboratively on cyber crime matters. He was also referring to the importance of collaborating with private sector companies, many of whom were represented in the audience.

During the event, joint teams of FBI and Secret Service agents discussed a number of various cyber-related topics to educate and raise awareness of the cyber threat. Those topics included the extent of the problem (more than 500 million personal records stolen over the past 12 months, according to public sources), various stages of a hack (from reconnaissance efforts to the actual data theft), our outreach efforts to the private sector (e.g., InfraGard, National Cyber Forensics and Training Alliance), and Operation Clean Slate (the Bureau’s innovative and collaborative approach against the most serious botnet threats).

Also discussed were several significant cyber investigations—including operations Trident Breach, Coreflood, Ghost Click, and GameOver Zeus—that owed much of their success to the assistance provided by our private sector partners.

Other key players in these investigations—and in many of our cyber investigations overall—are our international law enforcement partners. Their support is vital because many of the cyber criminals that victimize American financial institutions, other businesses, and the American public operate outside of the U.S. Said FBI Assistant Director Joseph Demarest, Jr., “Wherever these actors sit in the world, we’re going after them.”

Demarest also warned financial industry representatives that a cyber intrusion “is going to happen” to their company at some point and he advised them to “have a plan” before it happens. That plan should include an internal response team and an already-established cyber point of contact with the U.S. government.

Note: You can read my interview with FBI Special Agent and InfraGard coordinator John Cheeson via the below link:

http://www.pauldavisoncrime.com/2011/11/fbis-infragard-program-teams-with-small.html