Justice News

Department of Justice
Office of Public Affairs

FOR IMMEDIATE RELEASE
Tuesday, February 17, 2015

Russian National Charged in Largest Known Data Breach Prosecution Extradited to United States

Defendant Brought From Netherlands

After Fighting Extradition for Over Two Years

A Russian national appeared in federal court in Newark today after being extradited from the Netherlands to face charges that he conspired in the largest international hacking and data breach scheme ever prosecuted in the United States, announced Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, Secretary Jeh Johnson of the Department of Homeland Security, U.S. Attorney Paul J. Fishman of the District of New Jersey and Acting Director Joseph P. Clancy of the U.S. Secret Service.

Vladimir Drinkman, 34, of Syktyykar and Moscow, Russia, was charged for his alleged role in a data theft conspiracy that targeted major corporate networks, stole more than 160 million credit card numbers, and caused hundreds of millions of dollars in losses.  Prior to his extradition, he had been detained by the Dutch authorities since his arrest in the Netherlands on June 28, 2012.

Drinkman appeared today before U.S. Magistrate Judge James B. Clark and entered a plea of not guilty to all 11 counts charged in the indictment and was ordered detained without bail.  Trial before U.S. District Judge Jerome B. Simandle was scheduled for April 27, 2015.

“Cyber criminals conceal themselves in one country and steal information located in another country, impacting victims around the world,” said Assistant Attorney General Caldwell.  “Hackers often take advantage of international borders and differences in legal systems, hoping to evade extradition to face justice.  This case and today's extradition demonstrates that through international cooperation, and through great teamwork between the Department of Justice and the Department of Homeland Security, we are able to bring cyber thieves to justice in the United States, wherever they may commit their crimes.”

“Drinkman’s extradition on the indictment this office brought more than a year and a half ago shows how relentlessly we will pursue those who are charged with these serious crimes,” said U.S. Attorney Fishman.  “The incredibly sophisticated work with our partners at the U.S. Secret Service to uncover this enormous, far-reaching scheme demanded an equal effort by our colleagues at the Department of Justice Criminal Division in Washington and our law enforcement partners overseas to bring the defendant back to face these charges.”

“This case demonstrates our commitment to fulfilling an important part of our integrated mission; that of protecting our Nation’s critical financial infrastructure,” said Acting Director Clancy.  “Our success in this investigation and other similar investigations is a credit to our skilled and relentless cyber investigators.  Our determination, coupled with our network of foreign law enforcement partners, ensures that our investigative reach can expand beyond the borders of the United States.”

According to the second superseding indictment, unsealed on July 25, 2013, and other court filings, Drinkman and four co-defendants each served particular roles in the scheme. Drinkman and Alexandr Kalinin, 28, of St. Petersburg, Russia, each allegedly specialized in penetrating network security and gaining access to the corporate victims’ systems.  Roman Kotov, 33, of Moscow, allegedly specialized in mining the networks Drinkman and Kalinin compromised to steal valuable data.  According to allegations in the indictment, the hackers hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 27, of Odessa, Ukraine.  Dmitriy Smilianets, 31, of Moscow, then allegedly sold the stolen information and distributed the proceeds of the scheme to the participants.

Drinkman and his co-defendants are charged with attacks on NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.  It is not alleged that the NASDAQ hack affected its trading platform.

Drinkman and Kalinin were previously charged in New Jersey as “Hacker 1” and “Hacker 2” in a 2009 indictment charging Albert Gonzalez, 33, of Miami, in connection with five corporate data breaches, including the breach of Heartland Payment Systems Inc., which at the time was the largest ever reported.  Gonzalez is currently serving 20 years in federal prison for those offenses.  Kalinin is also charged in two federal indictments in the Southern District of New York: one charges Kalinin in connection with hacking certain computer servers used by NASDAQ and the second charges him and another Russian hacker, Nikolay Nasenkov, with an international scheme to steal bank account information from U.S.-based financial institutions.  Rytikov was previously charged in the Eastern District of Virginia with an unrelated scheme.

Drinkman and Smilianets were arrested at the request of the United States while traveling in the Netherlands on June 28, 2012.  Smilianets was extradited on Sept. 7, 2012, and remains in federal custody.  Kalinin, Kotov and Rytikov remain at large.  All of the defendants are Russian nationals except for Rytikov, who is a citizen of Ukraine.

The Attacks

According to allegations in the indictment, the five defendants conspired with others to penetrate the computer networks of several of the largest payment processing companies, retailers and financial institutions in the world, stealing the personal identifying information of individuals.  They allegedly took user names and passwords, means of identification, credit and debit card numbers and other corresponding personal identification information of cardholders. The conspirators allegedly acquired at least 160 million card numbers through hacking.

The initial entry was often gained using a “SQL injection attack.”  SQL, or Structured Query Language, is a type of programming language designed to manage data held in particular types of databases.  The hackers allegedly identified vulnerabilities in SQL databases and used those vulnerabilities to infiltrate a computer network.  Once the network was infiltrated, the defendants allegedly placed malicious code, or malware, on the system.  This malware created a “back door,” leaving the system vulnerable and helping the defendants maintain access to the network.  In some cases, the defendants lost access to the system due to companies’ security efforts, but were allegedly able to regain access through persistent attacks. 

Instant message chats obtained by law enforcement reveal that the defendants allegedly targeted the victim companies for many months, waiting patiently as their efforts to bypass security were underway, sometimes leaving malware implanted for more than a year.

The defendants allegedly used their access to the networks to install “sniffers,” which were programs designed to identify, collect and steal data from the victims’ computer networks. The defendants then allegedly used an array of computers located around the world to store the stolen data and ultimately sell it to others.

Selling the Data

After acquiring the card numbers and associated data—which they referred to as “dumps”—the conspirators allegedly sold it to resellers around the world.  The buyers then sold the dumps through online forums or directly to individuals and organizations.  Smilianets was allegedly in charge of sales, selling the data only to trusted identity theft wholesalers.  He allegedly charged approximately $10 for each stolen American credit card number and associated data, approximately $50 for each European credit card number and associated data and approximately $15 for each Canadian credit card number and associated data, offering discounted pricing to bulk and repeat customers.  Ultimately, the end users encoded each dump onto the magnetic strip of a blank plastic card and cashed out the value of the dump by either withdrawing money from ATMs or making purchases with the cards.

Covering Their Tracks

The defendants allegedly used a number of methods to conceal the scheme.  Rytikov allegedly allowed his clients to hack with the knowledge he would never keep records of their online activities or share information with law enforcement. 

Over the course of the conspiracy, the defendants allegedly communicated through private and encrypted communications channels to avoid detection.  Fearing law enforcement would intercept even those communications, some of the conspirators allegedly attempted to meet in person.

To protect against detection by the victim companies, the defendants allegedly altered the settings on victim company networks to disable security mechanisms from logging their actions.  The defendants also allegedly worked to evade existing protections by security software.

As a result of the scheme, financial institutions, credit card companies and consumers suffered hundreds of millions in losses—including more than $300 million in losses reported by just three of the corporate victims—and immeasurable losses to the identity theft victims in costs associated with stolen identities and false charges.

The charges and allegations contained indictments are merely accusations and the defendants are presumed innocent unless and until proven guilty.

The ongoing investigation is being conducted by the U.S. Secret Service.  The case is being prosecuted by Trial Attorney Rick Green of the Criminal Division’s Computer Crime and Intellectual Property Section, Chief Gurbir S. Grewal of the District of New Jersey’s Economic Crimes Unit, and Assistant U.S. Attorney Andrew S. Pak of the Computer Hacking and Intellectual Property Section of the District of New Jersey’s Economic Crimes Unit.

The Criminal Division’s Office of International Affairs assisted with the case, as did public prosecutors with the Dutch Ministry of Security and Justice and the National High Tech Crime Unit of the Dutch National Police.

Drinkman et al Indictment                                                   

15-191
Updated February 18, 2015