One of the alleged ringleaders behind the 2008 hack of RBS WorldPay has been extradited to the U.S., where he was arraigned Friday in the Northern District of Georgia on charges that he helped coordinate the global $9.5 million bank card heist.
Sergei Tsurikov, 26, of Tallinn, Estonia, has been charged in Atlanta with wire fraud, computer fraud, aggravated identity theft and two conspiracy charges involving wire and computer fraud.
Tsurikov was indicted in the U.S. last November with Viktor Pleshchuk, 28, of St. Petersburg; Oleg Covelin, 28, of Chisinau, Moldova; and a fourth person identified only as “Hacker 3” for what the government has called “perhaps the most sophisticated and organized computer fraud attack ever conducted.” Igor Grudijev, 32, Ronald Tsoi, 32, Evelin Tsoi, 21, and Mihhail Jevgenov, 34, all of Tallinn, Estonia, were also indicted on access device fraud charges related to the hack.
Tsurikov, Grudijev, Jevgenov and both Ronald and Evelin Tsoi were convicted in Estonia of fraud. Pleshchuk was arrested by the Russian Federal Security Service, or FSB, earlier this year, but because the U.S. lacks an extradition treaty with Russia, it’s unlikely Pleshchuk will follow in Tsurikov’s footsteps to the U.S. Covelin was still a fugitive earlier this year; his current status is unknown. The U.S. Attorney’s office in Georgia has not yet responded to a call from Threat Level.
The hack of RBS involved cracking the PINs for payroll debit cards — the holy grail of bank card hacking.
RBS WorldPay, the payment-processing arm of the Royal Bank of Scotland, provides a number of electronic payment processing services, including debit card transactions, electronic benefits transfer payments (EBT), prepaid cards, credit card and ATM-processing services. The processor discovered in November 2008 that intruders had accessed account details for 100 payroll cards — offered by some employers as a paperless alternative to paychecks.
The hackers compromised RBS WorldPay’s database encryption to raise the amount of funds available on the compromised cards and boost their daily withdrawal limits. In some cases, the hackers raised the limits to $500,000.
According to the indictment, Tsurikov conducted reconnaissance of RBS’s computer network after Covelin provided him with information about vulnerabilities in the system. Pleshchuk and Covelin then worked on exploiting the vulnerabilities to obtain access. Pleshchuk allegedly developed the method for cracking the encrypted PINs.
Once the hackers raised the account limits, they provided an army of cashers with 44 cards programmed with the account details. In a global coordinated heist, the cashers simultaneously hit more than 2,000 ATMs with the fraudulent cards, netting about $9.5 million in less than 12 hours.
The hackers, still embedded in RBS’s network, were able to observe the withdrawals of funds from ATMs in real time in order to monitor the amounts being taken by cashers and lock the accounts to prevent further withdrawals. Once the mission was completed, the hackers tried to erase their tracks on the RBS network.
The four hacking suspects each face a maximum sentence of 20 years in prison in the U.S. for conspiracy to commit wire fraud and other wire-fraud counts, and up to five years in prison for conspiracy to commit computer fraud, as well as up to five or 10 years for each count of computer fraud. They also face a two-year mandatory minimum sentence for aggravated identity theft and fines of up to $3.5 million.
By Kim Zetter