Case 1:09-cr-00626-JBS Document 56 Filed 12/17/13 Page 1 of 38 PageID: 398
REDACTED DOCUMENT
Docket# 25 Date Filed: 7/19/13

EUGS0/2009R00080

UNITED STATES DISTRICT COURT
DISTRICT OF NEW JERSEY

UNITED STATES OF AMERICA
v.
VLADIMIR DRINKMAN, a/k/a [aliases redacted],
ALEKSANDR KALININ, a/k/a [aliases redacted],
ROMAN KOTOV, a/k/a [aliases redacted],
MIKHAIL RYTIKOV, a/k/a [aliases redacted],
DMITRIY SMILIANETS, a/k/a [aliases redacted]

Hon. Jerome B. Simandle
Criminal No. 09-626 (JBS) (S-2)
18 U.S.C. §§ 371, 1030, 1343, 1349, and 2

SECOND SUPERSEDING INDICTMENT

The Grand Jury in and for the District of New Jersey, sitting at Newark, charges:

COUNT ONE
(Computer Hacking Conspiracy)

1. At various times relevant to this Second Superseding Indictment:

The Defendants

a. Defendant VLADIMIR DRINKMAN, a/k/a [aliases redacted] ("DRINKMAN"), resided in or near Syktyvkar, Russia, and Moscow, Russia. As set forth more fully below, DRINKMAN was a sophisticated hacker, who specialized in penetrating and gaining access to the computer networks of multinational corporations, financial institutions and payment processors; harvesting data, including, among other things, credit card, debit card, and other customer account information, from within the compromised networks; and exfiltrating that data out of the compromised networks.

b. Defendant ALEKSANDR KALININ, a/k/a [aliases redacted] ("KALININ"), resided in or near St. Petersburg, Russia. As set forth more fully below, KALININ was a sophisticated hacker, who specialized in penetrating and gaining access to the computer networks of multinational corporations, financial institutions and payment processors. After gaining access to such networks, KALININ and his co-conspirators stole data, including, among other things, credit card, debit card, and other customer account information, from the compromised networks.

c. Defendant ROMAN KOTOV, a/k/a [aliases redacted] ("KOTOV"), resided in or near Moscow, Russia. KOTOV specialized in harvesting data from within the computer networks that DRINKMAN and KALININ had penetrated, and exfiltrating that data.

d. Defendant MIKHAIL RYTIKOV, a/k/a [aliases redacted] ("RYTIKOV"), resided in or near Odessa, Ukraine. As set forth more fully below, RYTIKOV provided anonymous webhosting services to DRINKMAN, KALININ, KOTOV, and others, that they used to both hack into the computer networks of a number of victim companies, and exfiltrate (that is, covertly remove) data from the networks of those victims.

e. Defendant DMITRIY SMILIANETS, a/k/a [aliases redacted] ("SMILIANETS"), resided in or near Moscow, Russia. As set forth more fully below, SMILIANETS was responsible for selling the information that DRINKMAN, KALININ, KOTOV, and others obtained through their hacking activities, and for disbursing the proceeds from the sale of that information to DRINKMAN, KALININ, KOTOV, and others.

Co-conspirators

f. Albert Gonzalez, a/k/a "segvec," a/k/a "soupnazi," a/k/a "j4guar17" ("Gonzalez"), a co-conspirator who is not charged as a defendant herein, resided in or near Miami, Florida.

g. Damon Patrick Toey ("Toey"), a co-conspirator who is not charged as a defendant herein, resided in or near Virginia Beach, Virginia, and in or near Miami, Florida.

h. Vladislav Anatolievich Horohorin ("Horohorin"), a/k/a "BadB," resided in or near Moscow, Russia.

i. Co-conspirator 1 ("CC#1"), a co-conspirator who is not charged as a defendant herein, resided in or near Kiev, Ukraine.

Overview of the Hacking Conspiracy

j. From at least as early as August 2005 through at least July 2012, defendants DRINKMAN, KALININ, KOTOV, RYTIKOV, and SMILIANETS (collectively the "Defendants"), together with their co-conspirators, operated a prolific hacking organization that was responsible for several of the largest known data breaches. Among other exploits during that period, the Defendants and their co-conspirators penetrated the secure computer networks of several of the largest payment processing companies, retailers, and financial institutions in the world, and stole the personal identifying information of others, such as user names and passwords ("Log-In Credentials"), means of identification ("Personal Data"), credit and debit card numbers ("Card Numbers"), and corresponding personal identification information of cardholders (collectively the "Stolen Data").

k. Conservatively, the Defendants and their co-conspirators unlawfully acquired over 160 million Card Numbers through their hacking activities. After acquiring this information, which they referred to as "dumps" (hacker shorthand for Card Numbers and associated data), the Defendants and their co-conspirators sold the dumps to "dumps resellers" around the world, who, in turn, sold them either through on-line forums or directly to individuals and organizations ("cashers"). Ultimately, the cashers encoded each dump onto the magnetic strip of a blank plastic card and cashed out the value of the dump by either withdrawing money from ATMs (in the case of a debit card dump), or incurring charges and purchasing goods (in the case of a credit card dump).

l. As a result of this conduct, financial institutions, credit card companies, and consumers suffered hundreds of millions in losses, including losses in excess of $300 million by just three of the Corporate Victims, and immeasurable losses to the identity theft victims due to the costs associated with stolen identities and fraudulent charges.

Selected Methods of Hacking Utilized by Defendants

m. Structured Query Language ("SQL") was a computer programming language designed to retrieve and manage data in computer databases.

n. "SQL Injection Attacks" were methods of hacking into and gaining unauthorized access to computers connected to the Internet.

o. "SQL Injection Strings" were a series of instructions to computers used by hackers in furtherance of SQL Injection Attacks.

p. "Malware" was malicious computer software programmed to, among other things, gain unauthorized access to computers; to identify, store, and export information from hacked computers; and to evade detection of intrusions by anti-virus programs and other security features running on those computers.

q. "Tunneling" was a method employed to create a connection between a hacked computer and an attacking computer to facilitate the transmission of, among other things, commands from the attacking computer to the hacked computer, and data from the hacked computer to the attacking computer.

The Corporate Victims of Computer Hacking

2. At various times relevant to this Second Superseding Indictment:

a. NASDAQ was the largest United States electronic stock market, and the primary market for trading in the stocks of approximately 3,200 public companies. NASDAQ offered its customers access to on-line accounts over the Internet, and its computer network was located in, among other places, Middlesex County, New Jersey. Beginning in or about May 2007, NASDAQ was the victim of a SQL Injection Attack that resulted in the placement of malware on its network, and the theft of Log-In Credentials.

b. 7-Eleven, Inc. ("7-Eleven") was headquartered in Dallas, Texas, and was the corporate parent of a convenience store chain by the same name. 7-Eleven processed credit and debit card transactions through its computer networks. Beginning in or about August 2007, 7-Eleven was the victim of a SQL Injection Attack that resulted in malware being placed on its network and the theft of an undetermined number of Card Numbers.

c. Carrefour S.A. ("Carrefour") was a French multinational retailer headquartered in Greater Paris, France, and was one of the largest retailers in the world in terms of revenue and profit. Beginning as early as October 2007, Carrefour's computer networks were breached and approximately 2 million credit Card Numbers were subsequently exfiltrated.

d. JCPenney, Inc. ("JCP") was a major national retailer with its headquarters in Plano, Texas. JCP processed credit card payments for its retail stores through its computer network. Beginning on or about October 23, 2007, JCP was the victim of a SQL Injection Attack that resulted in the placement of malware on its network.

e. Hannaford Brothers Co. ("Hannaford") was a regional supermarket chain with stores located in Maine, New Hampshire, Vermont, Massachusetts, and New York that processed credit and debit card transactions through its computer network. In or about early November 2007, a related company of Hannaford was the victim of a SQL Injection Attack that resulted in the later placement of malware on Hannaford's network and the theft of approximately 4.2 million Card Numbers.

f. Heartland Payment Systems, Inc. ("Heartland"), which was located in or near Princeton, New Jersey, and Plano, Texas, among other places, was one of the world's largest credit and debit card payment processing companies. Heartland processed millions of credit and debit transactions daily. Beginning on or about December 26, 2007, Heartland was the victim of a SQL Injection Attack on its corporate computer network that resulted in malware being placed on its payment processing system and the theft of more than approximately 130 million Card Numbers, and losses of approximately $200 million.

g. Wet Seal, Inc. ("Wet Seal") was a major national retailer with its headquarters in Foothill Ranch, California. Wet Seal processed credit and debit card payments for its retail stores through its computer network. In or about January 2008, Wet Seal was the victim of a SQL Injection Attack that resulted in the placement of malware on its network.

h. Commidea Ltd. ("Commidea") was a European provider of electronic payment and transaction processing solutions for retailers, with its headquarters in the United Kingdom. From at least as early as March 2008 through in or about November 2008, malware used in other known network intrusions existed on Commidea's computer networks, and was communicating with known hacking platforms. In or about 2008, approximately 30 million Card Numbers were exfiltrated from Commidea's computer networks.

i. Dexia Bank Belgium ("Dexia") was a consumer bank located in Belgium. Between in or about February 2008 and in or about February 2009, Dexia was the victim of SQL Injection Attacks that resulted in the placement of malware on its network and the theft of Card Numbers that resulted in approximately $1.7 million in loss.

j. JetBlue Airways ("JetBlue") was an airline with its headquarters in Long Island City, New York. Between in or about January 2008 and in or about February 2011, JetBlue suffered an unauthorized intrusion resulting in the placement of malware on portions of its computer network that stored Personal Data of its employees.

k. Dow Jones, Inc. ("Dow Jones") published news, business, and financial information worldwide in newspapers, on television and radio, over news wires, and on the Internet. Dow Jones's computer infrastructure was based largely in New Jersey, as well as in Minnesota, New York and elsewhere. In or before 2009, Dow Jones was the victim of unauthorized access to its computer network resulting in the placement of malware on its network and the theft of approximately 10,000 sets of Log-In Credentials.

l. "Bank A" was one of the leading domestic banks in the United Arab Emirates, and was headquartered in Abu Dhabi. Between in or about December 2010 and in or about March 2011, malware was placed on Bank A's computer networks, and was used to facilitate the theft of Card Numbers.

m. Euronet was a global provider of electronic payment and transaction processing solutions for financial institutions, retailers, service providers and individual consumers, with its headquarters in Leawood, Kansas. Between in or about July 2010 and in or about October 2011, Euronet was the victim of SQL Injection Attacks that resulted in the placement of malware on its network and the theft of approximately 2 million Card Numbers.

n. Visa, Inc. ("Visa") was a global payments technology company that owned and managed the "Visa" brand. Visa did not directly issue credit or debit cards, extend credit, or set rates and fees for consumers. Rather, it provided processing services to its financial institution clients through "VisaNet," a centralized and modular payments network. Visa Jordan Card Services ("Visa Jordan") was a Visa licensee, and Jordan's premier payment card processor. Between in or about February 2011 and in or about March 2011, Visa Jordan was the victim of SQL Injection Attacks that resulted in the placement of malware on its network, and the theft of approximately 800,000 Card Numbers.

o. Global Payment Systems ("Gl