Identity Theft Case Said to be the Largest and Most Complex Ever Charged in the U.S.

Photo: U.S. Attorney General Michael B. Mukasey

Eleven perpetrators allegedly involved in what U.S. Attorney General Michael B. Mukasey termed "the single largest and most complex identity theft case ever charged in this country" have been arrested.

The global cast of characters come from the U.S., Estonia, Ukraine, China and Belarus. The extent of their alleged offenses, while still unknown, includes the theft and sale of at least 40 million credit and debit card numbers from mainstream retail chains such as Barnes and Noble, Sports Authority, Office Max and others.

But while the extent appears huge, the techniques allegedly used to gather confidential data are almost laughable in their simplicity. Wardriving -- driving around looking for unsecured wireless networks -- was the entrée, and lack of common sense security measures allowed the building of a short-lived empire on fraud and theft.

In an indictment returned yesterday by a federal grand jury in Boston, ringleader Albert "Segvec" Gonzalez, of Miami, was charged with multiple offenses. Gonzalez, according to media reports, while previously working as a confidential informant for the Secret Service, was arrested in 2003 for access device fraud and was found to be criminally involved in the case he was working on. Because of the size and scope of his recent alleged criminal activity, Gonzalez faces a maximum penalty of life in prison if he is convicted on all the charges alleged in the Boston indictment.

The indictment alleges that after they collected the data, the conspirators concealed the data in encrypted computer servers that they controlled in Eastern Europe and the United States and later sold some of the credit and debit card numbers, via the Internet, to other individuials in an international distribution ring. The stolen numbers were "cashed out" by encoding card numbers on the magnetic strips of blank cards. The defendants then used these cards to withdraw tens of thousands of dollars at a time from ATMs. Gonzalez and others were allegedly able to conceal and launder their fraudulent proceeds by using "anonymous Internet-based currencies" both within the United States and abroad, and by channeling funds through bank accounts in Eastern Europe.

"The people accused of carrying out this scheme worked out of several different countries, and targeted retail operations without regard to jurisdiction," said Mukasey. "That sort of international conspiracy is increasingly common. With the worldwide reach of the Internet, criminals can now operate from almost anywhere on the globe to steal personal information from our citizens. And when they do, there are international online marketplaces where they can peddle that stolen information."

In May 2008, Gonzalez and the other defendants were also charged in a related indictment in the Eastern District of New York. The New York charges allege that they were engaged in a sophisticated scheme to hack into computer networks run by the Dave & Buster's restaurant chain, and stole credit and debit card numbers from at least 11 locations. Specifically, the indictment alleges that the defendants gained unauthorized access to the cash register terminals and installed at each restaurant a "packet sniffer," a computer code designed to capture communications on a computer network. The packet sniffer was configured to capture credit and debit card numbers as this information was processed by the restaurants. At one restaurant location, the packet sniffer captured data for approximately 5,000 credit and debit cards, eventually causing losses of at least $600,000 to the financial institutions that issued the credit and debit cards.

"Cases like this send a clear message to those who might be tempted to abuse our computer networks to steal information and harm law-abiding people and businesses: If you do, we will track you down wherever you are in the world, we will arrest you, and we will send you to