X

Alleged TJX hackers charged

Eleven people have been charged with hacking eight major U.S. retailers, including TJX, but only three are currently in custody.

Tom Espiner Special to CNET News
3 min read
Credit cards

Eleven people have been charged with hacking major U.S. retailers, including TJX.

The hacks compromised more than 40 million people's credit and debit card details.

The defendants are based internationally: three from the U.S., one from Estonia, three from the Ukraine, two from the People's Republic of China, and one from Belarus. One individual is known only by an online alias, and his place of origin is unknown, the U.S. Department of Justice said Tuesday.

Albert "Segvec" Gonzalez, from Miami, was charged on Tuesday with computer fraud, wire fraud, access-device fraud, aggravated identity theft and conspiracy. Christopher Scott and Damon Patrick Toey, also from Miami, were indicted on related charges by a Boston court on Tuesday.

The Department of Justice alleges that Gonzalez and co-conspirators obtained the credit and debit card numbers by "wardriving," or touring around and testing wireless computer networks for vulnerabilities, then hacking into them.

Eight major U.S. retailers were allegedly hacked by members of the gang. TJX Companies, which owns businesses including TK Maxx in the U.K. (T.J. Maxx in the U.S.), admitted in a Securities and Exchange Commission filing in March 2007 that 45.7 million payment-card details had been stolen by unknown intruders.

However, according to the Department of Justice, card details were also stolen by the gang from other retailers, including BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever21, and DSW.

Once inside the companies' networks, the alleged hackers installed "sniffer" programs that would capture card numbers, as well as password and account information, as the numbers were processed. According to a report in The Wall Street Journal in March 2007, the hackers left encrypted messages in the TJX systems to tell each other which files had been copied. The newspaper also reported that TJX had used the Wireless Encryption Protocol (WEP) to encrypt transaction information. WEP has been repeatedly shown to be insecure.

The Department of Justice indictment alleges that, after the gang collected the information from the different chains, members concealed the data in encrypted computer servers in Eastern Europe and the U.S. They allegedly sold some of the credit and debit card numbers via the Internet to other criminals in the U.S. and Eastern Europe. The stolen numbers were "cashed out" by encoding card numbers on the magnetic strips of blank cards; the defendants then used these cards to withdraw tens of thousands of dollars at a time from bank machines, according to the Department of Justice.

Watch this: Daily Debrief: International hackers nabbed

Gonzalez and others were also allegedly able to conceal and launder the fraud proceeds by using anonymous, Internet-based currencies both within the U.S. and abroad, and by channeling funds through bank accounts in Eastern Europe.

Indictments against the eight other alleged members of the gang were unsealed in San Diego, Calif., on Tuesday.

Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov, of Sillamae, Estonia, were accused of "trafficking in unauthorized access devices"--which includes payment cards--the sale of the stolen payment card data, and identity theft.

Hung-Ming Chiu and Zhi Zhi Wang of China, along with a person known only by the online nickname "Delpiero," were charged with conspiracy to possess unauthorized access devices, trafficking in unauthorized access devices, trafficking in counterfeit access devices, possession of unauthorized access devices, aggravated identity theft, and aiding and abetting.

Sergey Pavolvich of Belarus and Dzmitry Burak and Sergey Storchak, both of the Ukraine, were charged with conspiracy to traffic in unauthorized access devices. The Department of Justice said it believes all to be foreign nationals residing outside of the U.S.

Only Gonzalez, Yastremskiy, and Suvorov are currently in custody. Gonzalez was working as an informant for the U.S. Secret Service when he was arrested. He became an informant after being arrested in 2003 on a different access-device fraud charge. Gonzalez faces life imprisonment if found guilty.

Yastremskiy was arrested in July 2007 by Turkish officials when he traveled to Turkey on holiday. He has been held in Turkey since then, pending the resolution of related charges there. The U.S. has made a formal request for his extradition.

Suvorov was apprehended by the German Federal Police in Frankfurt in March 2008 when he traveled there on holiday. He was apprehended at the request of the Department of Justice. He is currently being held during extradition proceedings to the U.S.

The remaining members of the alleged gang remain at large.

Tom Espiner of ZDNet UK reported from London.