The head of a sophisticated cybercrime ring which stole over $9 million from payment processor Worldpay back in 2008 has been sentenced to a hefty 11 years behind bars.
Sergei Nicolaevich Tšurikov, who was extradited from Russia to the US, is said to have been the ringleader of a group which hacked what was then RBS Worldpay – the US payment processing division of RBS, based in Atlanta.
The gang compromised the data encryption used by the firm to protect customer data on payroll debit cards. These are cards used by some US companies to pay their employees, and can be used at ATMs.
Once the encryption had been cracked, the group raised the withdrawal limits on the compromised accounts and created 44 counterfeit payroll debit cards, according to a statement from the US Attorney’s Office.
A network of ‘cashiers’ working for the group were then instructed to use the cards to withdraw the funds – in total some $9.4m from over 2,100 ATMs in at least 280 cities worldwide, from Hong Kong to Estonia.
These cashiers were apparently allowed to keep 30-50% of their ill-gotten gains and told to transfer the remainder to Tšurikov and his co-defendants, who were watching the ATM transactions from inside Worldpay’s systems.
This all took place in less than 12 hours and the hackers then tried to destroy data on the processing network to hide their tracks
As well as an 11-year jail term, Tšurikov, 30, from the Estonian capital of Tallin, was ordered to pay $8.4m in ‘restitution.’
He pleaded guilty in 2012.
“In just one day in 2008, an American credit card processor was hacked in perhaps one of the most sophisticated and organized computer fraud attacks ever conducted,” said US attorney Sally Quillian Yates in a statement.
“Almost exactly one year later, the leaders of this attack were charged. This prosecution was successful because of the efforts of the victim, and unprecedented cooperation from various law enforcement agencies worldwide.”
Security experts, including Brian Honan, security consultant and special advisor to Europol’s Cybercrime Center (EC3), welcomed the tough sentencing.
“Hopefully it will send a strong and clear message to those involved in cybercrime that there will be a high price to pay should they be caught,” he told Infosecurity.
“Of course, we also need to increase the likelihood of criminals being caught and governments need to spend more time, money, and commit the right resources so that law enforcement agencies can do their job more effectively.”