Successful SQL injection attacks resulted in the loss of 160 million card details
Two Russian nationals were sentenced to more than 12 years in a US prison last week for their role in a hacking scam that saw 160 million credit card details stolen.
Vladimir Drinkman, 37, was jailed for 144 months for hacking into the networks of some of the biggest international corporations, including 7-Eleven, Carrefour, and Dow Jones.
His accomplice Dmitriy Smilianets, 34, was sentenced to time served and was released from the court in Camden, New Jersey.
The men were arrested in the Netherlands on June 8, 2012, and were extradited to the US to face charges.
In 2015, they both pleaded guilty – Drinkman to hacking into the systems and Smilianets to selling on the data.
The scam, which ran from 2005 until 2012, was the biggest US data breach in history, with 16 companies affected.
Drinkman hacked into the computer networks to steal their customers’ information, including card details, allegedly aided by Aleksandr Kalinin.
Smilianets was responsible for pricing and selling the details to a trusted reseller.
US card details were then sold on for $10 apiece, and European details for $50 each.
Their alleged co-conspirators Kalinin, Roman Kotov and Mikhail Rytikov are still at large.
Prosecutors claimed that the scheme cost three credit card companies alone more than $300 million.
Acting assistant Attorney General Cronan said: “Drinkman and Smilianets not only stole over 160 million credit card numbers from credit card processors, banks, retailers, and other corporate victims, they also used their bounty to fuel a robust underground market for hacked information.
“While mega breaches like these continue to affect millions of individuals around the world, hackers and would-be hackers should know that the Department of Justice will use all available tools to identify, arrest, and prosecute anyone who attacks the networks on which businesses and their customers rely.”
The scam
The team reportedly used SQL injection to access the computer networks.
They then created a backdoor using malware, which enabled them to obtain and keep access without detection, sometimes for up to a year, according to court documents.
Kotov allegedly used a packet sniffer to find credit card information on the companies’ systems.
And Rytikov is accused of enabling the group to hide their activity through an anonymous web-hosting service.
The team allegedly used encrypted chat and spoke in person to evade detection. However, some of their online conversations were unearthed during their trial – one in which they discussed the 2008 Hannaford breach.
Around 4.2 million Hannaford customers’ details were exposed when the US supermarket chain was hit by a malware attack.
It is still not clear who was behind the incident.