One of the masterminds behind the $9 million hack into RBS WorldPay received a six-year suspended sentence in Russia, according to local reports Wednesday.

Viktor Pleshchuk, 29, who pleaded guilty to his role in the heist, also got four years of probation and was ordered to pay $8.9 million in restitution. He received a reduced sentence for cooperating with authorities.

Pleshchuk, of St. Petersburg, was a graduate of Tomsk State University of Control Systems and Radioelectronics and worked as a sales manager for an e-commerce company when he participated in what the U.S. has called “perhaps the most sophisticated and organized computer fraud attack ever conducted.”

The sentencing hearing was held behind closed doors out of security concerns, according to Fontanka. The defendant's family had received anonymous calls from someone trying to ascertain what information Pleshchuk had provided authorities. That information apparently included the names of his criminal associates – most of them mules whose sole task was withdrawing stolen funds from ATMs – as well as the location of about $60,000 that authorities found stashed in safety deposit boxes and luggage lockers at train stations.

Pleshchuk faces separate charges in the United Staes, where he and several others were indicted last November in Atlanta, Georgia, for the RBS hacks. Other defendants include Sergei Tsurikov, 26, of Talinn, Estonia; Oleg Covelin, 28, of Chisinau, Moldova; and a fourth person identified only as “Hacker 3."

Last month, Tsurikov was extradited from Estonia to the United States where he was arraigned in the Northern District of Georgia on charges that he helped coordinate the global bank card heist. Pleshchuk was arrested by the Russian Federal Security Service, or FSB, earlier this year, but because the United States lacks an extradition treaty with Russia was tried in Russia instead. It's unlikely he will have to face charges in the United States unless he travels outside Russia and is nabbed in a country that is more amenable to U.S. extradition requests.

The RBS WorldPay hack involved cracking PINs for bank cards and netted the culprits more than $9.5 million in less than 12 hours. Pleshchuk's role, according to a U.S. indictment against him, involved exploiting vulnerabilities in RBS's computer network.

RBS WorldPay, the payment-processing arm of the Royal Bank of Scotland, provides a number of electronic payment processing services, including debit card transactions, electronic benefits transfer payments, prepaid cards, credit card and ATM-processing services. The processor discovered in November 2008 that intruders had accessed account details for 100 payroll cards — offered by some employers as a paperless alternative to paychecks.

The hackers compromised RBS WorldPay’s database encryption to raise the amount of funds available on the compromised cards and boost their daily withdrawal limits. In some case, the hackers raised the limits to $500,000.

According to the U.S. indictment, Tsurikov conducted reconnaissance of RBS’s computer network after Covelin provided him with information about vulnerabilities in the system. Pleshchuk and Covelin then worked on exploiting the vulnerabilities to obtain access. Pleshchuk allegedly developed the method for cracking the encrypted PINs.

Once the hackers raised the account limits, they provided an army of cashers with 44 cards programmed with the account details. In a global coordinated heist, the cashers simultaneously hit more than 2,000 ATMs with the fraudulent cards, netting about $9.5 million in less than 12 hours.

The hackers, still embedded in RBS’s network, were able to observe the withdrawals of funds from ATMs in real time in order to monitor the amounts being taken by cashers and lock the accounts to prevent further withdrawals. Once the mission was completed, the hackers tried to erase their tracks on the RBS network.

The four hacking suspects each face a maximum sentence of up to 20 years in prison in the United States for conspiracy to commit wire fraud and other wire-fraud counts, and up to five years in prison for conspiracy to commit computer fraud as well as up to five or 10 years for each count of computer fraud. They also face a two-year mandatory minimum sentence for aggravated identity theft and fines up to $3.5 million dollars.

Photo: Ell Brown/Flickr

See also: