Digital Transactions Authoritative, insightful and timely information for payments professionals
An indictment handed down on Tuesday against a gang of hackers in the RBS WorldPay Inc. case sheds more light on the sophistication and intricate coordination with which criminal groups worldwide are attacking payment processors, particularly those in the U.S. More than a year after cybercriminals broke into the computer system at RBS WorldPay, the U.S. payment-processing subsidiary of the Royal Bank of Scotland PLC, a federal grand jury has indicted eight Russian and Eastern European computer hackers in the massive data breach. Using the stolen data, the alleged hackers cloned prepaid payroll cards, which were then used to withdraw more than $9.5 million in cash from 2,100 ATMs from 280 cities worldwide, beginning Nov. 8, 2008, and continuing for about 12 hours (Digital Transactions News, Feb. 4). The 16-count indictment, handed down by a federal grand jury in Atlanta, Ga., charges Sergei Tsurikov of Tallinn, Estonia; Viktor Pleshchuk of St. Petersburg, Russia; Oleg Covelin of Chisinau, Moldova; and a person identified as “Hacker 3” with conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud, access-device fraud, and aggravated identity theft. The indictment also charges Igor Grudijev, Ronald Tsoi, Evelin Tsoi, and Mihhail Jevgenov, all of Tallin, Estonia, with access-device fraud. “This investigation has broken the back of one of the most sophisticated computer hacking rings in the world,” Acting U.S. Attorney Sally Quillian Yates of the Northern District of Georgia, said in a statement. The indictment describes an elaborate scheme in which the hackers broke into the computer system of Atlanta-based RBS WorldPay, stealing encrypted data and manipulating information at will. The vulnerability in RBS WorldPay's system was discovered by Tsurikov, who was responsible for reconnaissance of the processor's computer network, according to the indictment. On or about Nov. 4, Pleshchuk, Tsurikov, and others allegedly used the vulnerability to gain unauthorized access to the RBS network, where they stole encrypted data on prepaid payroll cards and PINs. Pleshchuk and Tsurikov then allegedly developed a method to decrypt the PIN codes using reverse engineering. After obtaining the information, the hackers distributed about 44 prepaid payroll card numbers and PIN codes to networks of so-called cashers throughout the world, including 42 accounts issued by Palm Desert National Bank, the indictment states. Pleshchuk, Tsurikov, and others allegedly accessed the RBS WorldPay computer network again to modify data, raising the amount of funds available on the cards. They also raided the limits that could be withdrawn from ATMs using the cloned cards. The hackers then allegedly notified cashers to begin withdrawing the funds, which Pleshchuk and Tsurikov monitored by again accessing the RBS WorldPay computer network. After the withdrawals were completed, Pleshchuk and Tsurikov then sent computer commands to destroy the data on the RBS WorldPay computer network in an attempt to conceal their unauthorized access and fraud. Cashers were permitted to retain between 30% and 50% of the funds, with the remainder returned to the hackers via WebMoney accounts and Western Union, the indictment charges. Tsurikov, Pleshchuk, Covelin, and Hacker 3 each face a maximum sentence of up to 20 years in prison for conspiracy to commit wire fraud, up to five years in prison for conspiracy to commit computer fraud; up to five or 10 years in prison for each count of computer fraud; a two-year mandatory minimum sentence for aggravated identity theft; and fines up to $3 million to $5 million. The charges against Grudijev, the Tsois, and Jevgenov carry a maximum sentence of up to 15 years in prison for each count and a fine of up to $250,000. The indictment also seeks criminal forfeiture of $9.4 million. RBS discovered the breach on Nov. 10, 2008, and immediately reported it to law enforcement. It disclosed the data breach publicly on Dec. 23, 2008, when it announced that personal information on about 1.5 million cardholders, including Social Security numbers, had been compromised. RBS WorldPay said in a statement yesterday that “it has been and will continue to cooperate with law- enforcement agencies involved with the investigation.”
