Two Romanian nationals pleaded guilty today to participating in an international, multimillion-dollar scheme to remotely hack into and steal payment card data from hundreds of U.S. merchants’ computers.
Assistant Attorney General Lanny A. Breuer of the Justice Department’s Criminal Division; John P. Kacavas, U.S. Attorney for the District of New Hampshire; and Holly Fraumeni, Resident Agent in Charge of the U.S. Secret Service, Manchester, N.H., Resident Office, announced today that Iulian Dolan, 28, of Craiova, Romania, pleaded guilty to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit access device fraud, and Cezar Butu, 27, of Ploiesti, Romania, pleaded guilty to one count of conspiracy to commit access device fraud.
In their guilty pleas, the defendants admitted that, from in or about 2009-2011, they participated in Romanian-based conspiracies with co-conspirator Adrian-Tiberiu Oprea, who is in U.S. custody and awaiting trial in the District of New Hampshire, to hack into hundreds of U.S.-based computers to steal credit, debit and payment account numbers and associated data (collectively “payment card data”) that belonged to U.S. cardholders and then use the stolen payment card data to make unauthorized charges on, and/or transfers of funds from, those cardholders’ accounts (or alternatively to transfer the stolen payment card data to other co-conspirators who would do the same).
At the plea hearings today, federal prosecutors noted that the conspiracies involved more than 146,000 compromised cards and more than $10 million in losses.
Dolan admitted that he, along with Oprea, remotely hacked into U.S. merchants’ “point-of-sale” (POS) or “check out” computer systems, where customers’ payment card data was electronically stored. Specifically, Dolan first remotely scanned the internet to identify U.S.-based vulnerable POS systems with certain remote desktop software applications (RDAs) installed on them. Using these RDAs, Dolan logged onto the targeted POS systems over the internet. These were typically password-protected, so Dolan would attempt to crack the passwords, where necessary, to gain administrative access. He would then remotely install software programs called “keystroke loggers” (or “sniffers”) onto the POS systems. These programs would record, and then store, all of the data that was keyed into or swiped through the merchants’ POS systems, including customers’ payment card data.
Dolan periodically remotely hacked back into the compromised merchants’ POS system to retrieve the customers’ payment card data and then electronically transferred the payment card data to various electronic storage locations (“dump sites”) that Oprea had set up. Dolan knew that Oprea later attempted to use the stolen payment card data to make unauthorized charges on, or transfers of funds from, the accounts. He also knew that Oprea attempted to sell, or otherwise transfer, the stolen payment card data to other co-conspirators for them to use in a similar manner. During the course of the conspiracies, the co-conspirators hacked into several hundred U.S. merchants’ POS systems. Dolan stole payment card data belonging to approximately 6,000 cardholders and was aware that Oprea was engaged in similar conduct. Dolan received approximately $5,000 - $7,500 in cash and personal property from Oprea for his efforts.
In his plea agreement, Butu admitted that he repeatedly asked Oprea to provide him with stolen payment card data and that Oprea provided him with instructions for how to access the website where Oprea had stored a portion of the stolen payment card data. Butu later attempted to use the stolen payment card data to make unauthorized charges on, or transfers of funds from, the accounts. He also attempted to sell, or otherwise transfer, the stolen payment card data to other co-conspirators for them to use in a similar manner. Butu acquired stolen payment card data from Oprea belonging to approximately 140 cardholders.
In his plea agreement, Dolan has agreed to be sentenced to seven years, and Butu has agreed to be sentenced to 21 months in prison.
The case was investigated by the U.S. Secret Service, with the assistance of the New Hampshire State Police and Romanian authorities.
The case is being prosecuted by Trial Attorney Mona Sedky in the Department of Justice’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorney Arnold H. Huftalen from the District of New Hampshire.