Five men from Russia and Ukraine have been charged for their supposed role in the mass theft of 160 million credit card numbers in a US federal court in New Jersey.
The group is accused of causing more than $300m (£200m) of losses through the scheme, with one of their number, Vladimir Drinkman, 34, of Syktyvkar and Moscow, having to be extradited from the Netherlands in order to stand trial.
Leslie Caldwell, assistant attorney general at the US Justice Department, said: "Hackers often take advantage of international borders and differences in legal systems, hoping to evade extradition to face justice.
"This case and today’s extradition demonstrates that through international cooperation, and through great teamwork between the
Department of Justice and the Department of Homeland Security, we are able to bring cyber-thieves to justice in the United States, wherever they may commit their crimes."
According to court filings, the co-defendants each had a particular role in the scheme, which targeted the NASDAQ stock exchange and financial companies such as Global Payment and Euronet as well as retailers such as Carrefour and JCP.
Drinkman and Alexandr Kalinin, 28, of St. Petersburg , were said to have focused on penetrating networks to gain access to corporate systems, while Roman Kotov, 33, of Moscow, was said to have been responsible for mining the networks for data.
Content from our partners
Their activities were allegedly obscured by anonymous web-hosting services from Mikhail Rytikov, 27, of Odessa, Ukraine, with the stolen data said to have been sold by Dmitriy Smilianets, 31, of Moscow.
"This case demonstrates our commitment to fulfilling an important part of our integrated mission; that of protecting our nation’s critical financial infrastructure," said Joseph Clancy, acting director of the US Secret Service.
"Our determination, coupled with our network of foreign law enforcement partners, ensures that our investigative reach can expand beyond the borders of the United States."
Among the information claimed to have been stolen were passwords, means of identification and payment cards, with the initial entry into systems often achieved through SQL injection, which allows hackers to send instructions into vulnerable databases.
Victims were thought to have been targeted by the hackers over a number of months in what is known as an advanced persistent threat (APT). Some companies were said to have been able to eject the attackers from their systems, but the attackers often returned.
Prices for the stolen card numbers are said to have ranged from $10 (£6.50) for a US card number, $15 (£9.70) for a Canadian card number or $50 (£32) for a European card number, with end users either withdrawing money from cash points or buying items with the credentials.
Losses from the scheme have been difficult to quantify, but three corporate victims claim the attacks cost them in excess of $300m. The trial continues.
