Estonian Hacker Extradited to the United States to Face Computer Hacking Charges

WASHINGTON - Sergei Tšurikov, 26, of Tallinn, Estonia, has been extradited to the United States to face charges of hacking into a computer network operated by an Atlanta-based credit card processing company, announced Assistant Attorney General Lanny A. Breuer of the Criminal Division and U.S. Attorney Sally Quillian Yates of the Northern District of Georgia. Tšurikov was arraigned today before U.S. Magistrate Judge E. Clayton Scofield III in the Northern District of Georgia.

Tšurikov; Viktor Pleshchuk, 29, of St. Petersburg, Russia; Oleg Covelin , 29, of Chişinãu, Moldova; and a person known only as "Hacker 3" were charged in a Nov. 10, 2009, indictment with conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud and aggravated identity theft. The indictment also charged Igor Grudijev, 32; Ronald Tsoi, 32; Evelin Tsoi, 21; and Mihhail Jevgenov, 34; each of Tallinn, Estonia, with access device fraud offenses.

 "Computer hackers who steal from American financial networks must be held accountable for their crimes, whether they operate here or abroad," said Assistant Attorney General Breuer. "The Department of Justice, working hand in hand with our international law enforcement partners, is committed to vigorously prosecuting these crimes and to ensuring that these criminals are extradited and brought to justice."

"In November 2008, in just one day, an American credit card processor was hacked in perhaps the most sophisticated and organized computer fraud attack ever conducted. Almost exactly one year later, the leaders of this attack were charged," said U.S. Attorney Yates. "With cooperation from law enforcement partners around the world, and most particularly in Estonia, we have now extradited to Atlanta one of the leaders of this ring. This success would not have been possible without the efforts of the victim, and unprecedented cooperation from various law enforcement agencies worldwide."

According to court documents, in November 2008, Pleshchuk, TšurikovandCovelin allegedly obtained unauthorized access into the computer network of RBS WorldPay, the U.S. payment processing division of the Royal Bank of Scotland Group PLC, located in Atlanta. The indictment alleges that the group used sophisticated hacking techniques to compromise the data encryption that was used by RBS WorldPay to protect customer data on payroll debit cards. Payroll debit cards are used by various companies to pay their employees. By using a payroll debit card, employees are able to withdraw their regular salaries from an ATM.

Once the encryption on the card processing system was compromised, the hacking ring allegedly raised the account limits on compromised accounts, and then provided a network of "cashers" with 44 counterfeit payroll debit cards, which were used to withdraw more than $9 million from over 2,100 ATMs in at least 280 cities worldwide, including cities in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan and Canada. The $9 million loss occurred within a span of less than 12 hours.

The hackers then allegedly sought to destroy data stored on the card processing network in order to conceal their hacking activity. The indictment alleges that the "cashers" were allowed to keep 30 to 50 percent of the stolen funds, but transmitted the bulk of those funds back to Tšurikov, Pleshchuk and other co-defendants, using means such as WebMoney accounts and Western Union. Throughout the duration of the cash-out, Pleshchuk and Tšurikov allegedly monitored the fraudulent ATM withdrawals in real-time from within the computer systems of RBS WorldPay. Upon discovering the unauthorized activity, RBS WorldPay immediately reported the breach, and has substantially assisted in the investigation.

Tšurikov also distributed fraudulently obtained debit card account numbers and PIN codes to Grudijev, who, in turn, allegedly distributed the information to defendants Ronald Tsoi, Evelin Tsoi and Jevgenov in Estonia. Together, Ronald and Evelin Tsoi and Mihhail Jevgenov allegedly withdrew approximately $289,000 in U.S. funds from ATMs in Tallinn, Estonia.

"Complex cyber based criminal investigations such as this are becoming all too prevalent. The advances in technology, while aiding the corporate world and the consumer, also aid the criminal in conducting well coordinated fraud or theft based schemes, often across international borders," said Atlanta FBI Special Agent in Charge Brian D. Lamkin. "The FBI extends its gratitude to those international partners who assisted not only with this investigation but also with the extradition to the United Statesof one of its chief ring leaders in this multimillion dollar, multi-national theft ring."

The indictment charging Tšurikov and his co-defendants seeks forfeiture of over $9.4 million of proceeds of the crimes.

Tšurikov, Pleshchuk, Covelin, and "Hacker 3" each face a maximum sentence of up to 20 years in prison for conspiracy to commit wire fraud and for each wire fraud count; up to five years for conspiracy to commit computer fraud; up to five or 10 years for each count of computer fraud; a two year mandatory minimum for aggravated identity theft; and fines up to $3.5 million dollars. The charges against Grudijev, the Tsois, and Jevgenov carry a maximum of up to 15 years in prison for each count and a fine of up to $250,000.

An indictment is merely an accusation and is not evidence of guilt.  The defendant is presumed innocent until and unless proven guilty beyond a reasonable doubt.