NEWARK — Five men from Russia and the Ukraine are alleged to have operated a global hacking network infiltrating the world's largest financial institutions and businesses, according to a indictment unsealed in federal court in New Jersey.

It’s the largest hacking and data-breach scheme ever prosecuted in the United States, the U.S. Attorney's Office says.

From 2005 to 2012, the men and four co-conspirators — including two who live in the U.S. — seized at least 160 million credit and debit card numbers from institutions including Dow Jones, NASDAQ, J.C. Penney, JetBlue, and 7-Eleven, according to the indictment, which was released by the U.S. Attorney’s Office in the District of New Jersey today just hours before the U.S. Attorney Paul Fisman held a news conference.

Just three of the corporate victims lost more than $300 million, authorities allege.

At Fishman’s news conference this morning in Newark, he said two of the defendants -- Vladimir Drinkman, 32, from Skytyykar and Moscow, Russia, and Dmitriy Smilianets, 29, also of Moscow -- are in custody. Drinkman is awaiting an extradition hearing in the Netherlands, and Smilianets is in the United States and will appear in federal court in New Jersey next week.

Both Drinkman and Smilianets were arrested at the request of U.S. officials on June 28, 2012, while traveling in the Netherlands, authorities said.

The remaining three defendants – Aleksandr Kalinin, 26, of St. Petersburg, Russia, Roman Kotov, 32, of Moscow, and Mikhail Rytikov, 26 of Odessa, Ukraine – are fugitives, he said.

“The losses in this case are staggering,” Fishman told a packed room of reporters. “The conspirators in this criminal enterprise breached the computer networks of at least 17 major retailers, financial institutions and payment processors,” he added, before explaining that $300 million in losses “is our conservative estimate.”

That loss amount, he said, is “the amount we have been able to confirm so far, and (was) suffered by only three of the victim companies. The actual loss figure may be much, much higher.”

The case grew out of the investigation into hacker Albert Gonzalez, a once-high living college dropout who became an informant for the FBI when

he was caught in a sweeping cybercrime case, federal sources close to the investigation said.



Gonzalez, who is named as a co-conspirator in the new indictment, initially helped law enforcement in a year-long sting operation to track and record transactions through the encrypted computer boards of a world-wide ring known as the "Shadowcrew" — all the while secretly working his own scheme to penetrate some of the nation's largest retail operations. Only later did the FBI learn he was stealing tens of millions from banks, consumers and businesses. He was caught in 2008 and is now serving a 20-year sentence in federal prison.

At the news conference, Fishman credited his office's persistence in continuing to investigate the hacking crimes and criminal connections learned of in the initial Gonzalez case. When asked today, he declined to say whether Gonzalez had cooperated with investigators who gathered information for the current indictment, but then the U.S. Attorney added, "I will say we had lots of access to his (computer) chats."



Fishman also said today, "The alleged scheme was sophisticated, and brought together some of the most experienced and skilled hackers in the world….

“Drinkman and Kalinin were the penetration experts; they possessed the skills and unique hacking tools to gain initial access to the victim companies. After getting in, it was the expertise of Drinkman and Kotov that located and retrieved credit and debit card information. With that sensitive and valuable data in hand, they turned to the broker, Smilianets, who set up the deals to sell the data throughout the world. Defendant Rytikov provided the conspirators with the hacking platforms – or computer servers – from which they could launch and execute their attacks and also store the data they stole.”

Fishman also pointed out that Heartland Payment Systems, Inc., a company located near Princeton, suffered the largest known losses, to date -- around $200 million. Heartland was one of the companies that Gonzalez, 32, of Miami, was charged with breaching in the 2009 indictment against him.

The five defendants in today’s unsealed indictment are accused of uploading malware into the huge companies’ computer systems – and then using those programs to gradually take the information, which they then resold in “dumps” to resellers around the world.

Officials said the resellers resold the data to people or organizations called “cashers” in the indictment. The “cashers” ultimately encoded each information dump onto the magnetic strip of a blank plastic card and cashed out its value by either withdrawing money from ATMs, or buying goods.

The alleged hackers worked cooperatively to target the companies, and strategized about their attacks with each other, authorities allege.

“NASDAQ is owned,” Kalinin allegedly told one of the U.S.-based co-conspirators in early 2008, referring to the suspects' access to the computer network.

“We frequently bring prosecutions of those who use the fruits of this kind of crime, such as the organizations of runners and cashers who go from ATM to ATM, or store to store, with stolen credit card information and ‘cash out’ millions of dollars in a matter of hours,” Fishman said today. “The individuals charged and arrested in this case are the ones at the top, those who steal the data that they sell to the cash-out crews. By arresting two of the key players and identifying the others, we have taken a major step toward dismantling this organization.”

If convicted on all 11 counts listed in the indictment, four of the defendants, including Drinkman and Smilianets, would face a maximum punishment of 70 years in prison, authorities said. The other defendant, Ryitkov, who is charged with two counts, would face up to 35 years in prison.

The indictment mentions that several of the financial institutions allegedly hacked are located in New Jersey, including NASDAQ, Dow Jones, and Heartland Payment Systems.

Along with his office, Fishman credited Justice Department investigators in Washington and elsewhere, as well as U.S. Secret Service investigators based in Newark, for their roles in uncovering the case.

Star-Ledger staff writers Ted Sherman and Jason Grant contributed to this report.

RELATED COVERAGE

•

Bulgarian hacker returned to N.J. in massive 2004 stolen credit card ring

• Computer hacker is sentenced to 20 years in prison for 3rd credit card theft case

• Florida man accused of hacking into N.J. company to steal credit, debit card information