Three men from Eastern Europe have been named in a 16-count indictment for allegedly hacking into the computer network of an Atlanta-based credit card processing company and transferring $9.4 million to co-conspirators around the world.
The indictment, announced Tuesday, alleges that the men used sophisticated hacking techniques to defeat data encryption safeguards used by RBS WorldPay, a subsidiary of the Royal Bank of Scotland (RBS).
The illegal operation was discovered on Nov. 10, 2008. The criminal plan was executed with clockwork precision, law enforcement officials said.
The hackers focused on payroll debit cards, which allow employees to withdraw their salaries from a bank ATM.
After defeating the encryption safeguards, they were allegedly able to raise the funding limits on certain compromised accounts. At the same time, they had provided a network of co-conspirators around the world with 44 counterfeit payroll debit cards.
Within a 12-hour span, the hacking ring withdrew $9.4 million from 2,100 ATMs in 280 cities worldwide. Withdrawals took place in cities in the US, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan, and Canada.
Once the transactions were complete, the hackers tried to destroy data stored on the debit card processing network to conceal their illicit activities. According to the indictment, co-conspirators acting as "cashiers" were allowed to keep from 30 to 50 percent of the stolen money. The rest of the funds were rerouted to the three organizers and another individual identified in the indictment only as "Hacker 3."
"Last November, in just one day, an American credit card processor was hacked in perhaps the most sophisticated and organized computer fraud attack ever conducted," said Sally Quillian Yates, acting US Attorney in the Northern District of Georgia, in a statement. "Today, almost exactly one year later, the leaders of this attack have been charged. This investigation has broken the back of one of the most sophisticated computer hacking rings in the world."
The three were indicted by a federal grand jury in Atlanta on charges of conspiracy to commit wire fraud, conspiracy to commit computer fraud, computer fraud, access device fraud, and aggravated identity theft. If convicted, the men face up to 20 years in prison for wire fraud, five years for computer fraud, and two years for identity theft. They face $3.5 million in fines and criminal forfeiture of $9.4 million.
Four other men from Tallinn, Estonia are also charged in the indictment for access device fraud. They each face up to 15 years in prison and up to $250,000 in fines.
When the hacking was detected last year, RBS WorldPay warned that the financial account information of 1.5 million customers and the social security numbers of 1.1 million individuals may have been accessed by the ring.
At the time, RBS advised its customers to review bills and credit reports carefully for up to two years as a precaution.
The case is being investigated by the Federal Bureau of Investigation. Agencies working the case overseas include the Estonian Central Criminal Police, the Hong Kong Police Force, and the Netherlands Police Agency National Crime Squad High Tech Crime Unit.