Jury in Atlanta indicts East Europeans indicted in high-tech theft ring

A federal grand jury in Atlanta has indicted members of an alleged East European crime ring on charges they tapped into companies’ payroll debit systems and stole $9.4 million.

“Last November, in just one day, an American credit card processor was hacked in perhaps the most sophisticated and organized computer fraud attack ever conducted,"  acting U.S. Attorney Sally Quillian Yates said in a news release Tuesday.

The 16-count indictment was returned in Atlanta because a computer the seven tapped into was at the Atlanta office of the payment processing division of the Royal Bank of Scotland Group PLC.

The indictment charges Viktor Pleshchuk, 28, of St. Petersburg, Russia; Sergei Tsurikov, 25, of Tallinn, Estonia; and Oleg Covelin, 28, of Chisinau, Moldova, along with another unidentified person with conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud and identity theft. Four others, Igor Grudijev, 31, Ronald Tsoi, 31, Evelin Tsoi, 20, and Mihhail Jevgenov, 33, all of Tallinn, Estonia, are charged with access device fraud.

Tsurikov is in custody but officials declined to say where. They also declined to release the whereabouts of the others.

Federal authorities said the “highly sophisticated international hacking ring”  compromised RBS WorldPay’s computers'  data encryption system, which was supposed to protect information connected to payroll debit cards that companies use to pay employees via ATM withdrawals.

Hackers allegedly raised the account limit and provided “cashers” with 44 counterfeit payroll debit cards that they used to withdraw more than $9 million in just 12 hours. The money was withdrawn from more than 2,100 ATMs in 280 cities in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan and Canada.

The “cashers” kept 30 to 50 percent of what they withdrew and  sent the rest to the Eastern Eurpeans via WebMoney accounts and Western Union, federal authorities said. Pleshchuk and Tsurikov allegedly could monitor the money movement as it was happening.

And once all the withdrawals were made, prosecutors said, the hackers then tried to hide evidence of their work by destroying data stored on the card-processing network.

The indictment says Tsurikov also gave the fraudulently obtained debit card account numbers and the personal identification numbers to Grudijev. Grudijev in turn gave the information to the others in the ring and they withdrew about $289,000 from ATMs in Tallinn. Charges are also pending in Estonia.

If convicted in the United States, some of the suspects could be sentenced to as much as 20 years in prison.

“Through the diligent efforts of the victim company and multiple law enforcement agencies within the United States and around the world, the leaders of a technically advanced computer hacking group were identified and indicted in Atlanta, sending a clear message to cyber criminals across the globe,” said Gregory Jones, the FBI special agent in charge in Atlanta.