Aug 06 2008

International hacker ring steals 40 million credit and debit card numbers

Published by at 4:21 am under Hacking for money,US attacks

US law enforcement busted a gang of 11 international hackers that stole 40 million credit and debit card numbers. Three things stand out for me in this report:

  1. Three of the defendants are U.S. citizens, one is from Estonia, three are from Ukraine, two are from the People’s Republic of China and one is from Belarus. One individual is only known by an alias online, and his place of origin is unknown.
  2. In addition, an indictment against Hung-Ming Chiu and Zhi Zhi Wang, both of the People’s Republic of China, and a person known only by the online nickname “Delpiero,” was also unsealed in San Diego today. Chiu, Wang and Delpiero are charged with conspiracy to possess unauthorized access devices, trafficking in unauthorized access devices, trafficking in counterfeit access devices, possession of unauthorized access devices, aggravated identity theft, and aiding and abetting. Also in San Diego, Sergey Pavolvich, of Belarus, and Dzmitry Burak and Sergey Storchak, both of Ukraine, were charged in a criminal complaint with conspiracy to traffic in unauthorized access devices. All are believed to be foreign nationals residing outside of the United States.
  3. The San Diego charges allege that Yastremskiy, Suvorov, Chiu, Wang, Delpiero, Pavolvich, Burak and Storchak operated an international stolen credit and debit card distribution ring with operations from Ukraine, Belarus, Estonia, the People’s Republic of China, the Philippines and Thailand. The indictments allege that each of the defendants sold stolen credit and debit card information for personal gain.

First, I’m struck by the diversity of the group. They seem to come from all over the globe and my question is how did these people get together?

Second, and any help from someone familiar with the legal system would be greatly appreciated, the report states that several of the people indicted, lived outside of the US. Does this mean they were taken into custody in their respective countries or just named in the indictment? My guess is just indicted but I would like clarification if anyone knows.

Third, did the PRC cooperate in this investigation? The news has made its way into major Chinese news outlets and the Chinese hacker community but so far without comment. And yes, we are trying to find more information on Chiu and Wang.

Finally, major kudos to the Department of Justice for breaking the case.

UPDATE: We did warn you to watch these types of connections back in March.

5 responses so far

5 Responses to “International hacker ring steals 40 million credit and debit card numbers”

  1. CBRP1R8on 06 Aug 2008 at 7:07 am

    One of the Ukraine guys got taken down in Turkey on turkish charges…my guess drugs….but U.S. has asked for extradition pending completion of Turkish charges. One of the others got taken down in Germany on vacation, he is up for 2 sets of charges I think one in San Diego and one in Boston if I recall. But we have extradition treaties with both of those Nato countries…..

    It’s unlikely we’ll get the 2 chinese, and hard to say on the others.

  2. Heikeon 06 Aug 2008 at 7:54 am

    CBRP1R8,

    My guess is that one of the three US guys arrested gave up all the others on the list in order to get a lighter sentence.

    Really curious to see if China will cooperate on this case or not. I’ve never heard of Chinese nationals being indicted for cyber crimes in the US before, have they been?

  3. jumperon 06 Aug 2008 at 10:18 am

    I wonder how he was able to “give up” all of the others though. I wouldn’t guess that they threw around their real names. Maybe they were tracked down through money transfers.

  4. Heikeon 06 Aug 2008 at 11:17 am

    Jumper,

    Good point! Could they have learned the names by transfers between each other?

  5. jumperon 06 Aug 2008 at 2:40 pm

    It isn’t necessary to know a person’s name to transfer funds to them. If the informant knew the account details, law enforcement could have gotten the account holder’s name (even in most foreign countries).