Romanian hacker sentenced in multimillion-dollar Subway heist

Cezar Butu, 27, of Ploiesti, Romania, was sentenced to 21 months in prison by Judge Steven J. McAuliffe in US District Court for the District of New Hampshire.

Butu plead guilty back in September to one count of conspiracy to commit access device fraud, part of an operation to steal US credit, debit and payment account numbers from hundreds of merchants' point-of-sale (PoS) systems, including more than 150 Subway restaurant locations and 50 other retailers. The ring operated from 2009 to 2011, compromising the credit cards of more than 80,000 customers. Millions of dollars in fraudulent charges were the result.

According to the court documents obtained by the New Hamphire Union Leader, the ring remotely logged onto the targeted systems, all of which had remote desktop (RDP) enabled, either by guessing the passwords or using password-cracking software programs. Then, they installed keylogging software as well as backdoor trojans to keep the connection open for subsequent, undetected use.

According to the US Justice Department, Butu admitted he repeatedly asked an alleged co-conspirator to provide him with stolen payment card data and that the alleged co-conspirator furnished him with instructions on how to access a website where a portion of the stolen payment card data was stored.

Butu later attempted to use the stolen payment card data to make unauthorized charges on, or transfers of funds from, the accounts. According to Butu’s plea agreement, he also attempted to sell, or otherwise transfer, the stolen payment card data to other co-conspirators. Butu admitted to acquiring stolen payment card data belonging to approximately 140 cardholders during the course of the scheme.

Co-conspirator Iulian Dolan plead guilty to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit access device fraud. According to his plea agreement, he will serve seven years in prison. His sentencing is set for April 4.

Another participant, Adrian-Tiberiu Oprea, is scheduled for trial on Feb. 20.

What’s hot on Infosecurity Magazine?