Nearly two dozen Americans have been indicted in connection with a card-cloning scam that targeted a national retail chain headquartered in Chicago, Illinois.
In 2016 and 2017, a malicious software program was installed on multiple computers belonging to the unnamed retailer, which sold clothing, electronics, toys, furniture and home decor.
This malware allowed a co-conspirator to capture the data of more than three million credit cards, debit cards and gift cards that were used in-store at 400 of the retailer's branches.
Data stolen using the card-skimming software was then sold by the co-conspirator to another individual for $4m in Bitcoin. The money was transferred over the course of approximately 66 transactions.
This next link in the criminal chain offered the stolen information for sale on two different websites to over 3,000 users.
An indictment unsealed May 25 in the Northern District of Illinois accuses 22 individuals from nine different states of purchasing that data. Most of the defendants are in their late 20s or early 30s and reside in California or New York state.
It is alleged that the defendants used the data they purchased to buy items at businesses across America, including gas stations, hotels and restaurants. The illegal activity allegedly occurred between August 2016 and July 2020. At least 80 people living in Illinois were victimized as a result.
All but two of the defendants named in the indictment were arrested this month and have entered the federal court system. The defendants who remain at large are believed to have moved overseas.
The Department of Justice said that the investigation into the card-skimming scam remains ongoing.
Typically, the defendants are accused of purchasing the payment card data of between 1,000 and 2,000 skimmed cards. However, one defendant, 35-year-old Barry Shi of Rosemead, California, allegedly bought the data of at least 18,742 payment cards, including at least 13,249 that were used at the Chicago retailer's stores, in exchange for around $507,273 in Bitcoin.
Wire fraud is punishable by up to 20 years in federal prison, while aggravated identity theft carries a mandatory, consecutive prison sentence of two years.