Two dozen people in 13 countries, including the U.S., Bosnia and Japan, were arrested in a global undercover sting operation targeting credit-card hackers said to have affected hundreds of thousands of customers.
The investigation involved computer breaches at dozens of companies and educational institutions, U.S. Attorney Preet Bharara said in a statement. Two New York suspects caught through an undercover website set up by the Federal Bureau of Investigation were charged yesterday in Manhattan federal court.
The allegations unsealed yesterday “chronicle a breathtaking spectrum of cyber schemes and scams,” Bharara said. “Individuals sold credit cards by the thousands and took the private information of untold numbers of people,” he said.
Bharara’s office said the arrests were part of the largest-ever international enforcement action targeting online trafficking in stolen cards and financial information. They are the result of a two-year undercover operation led by the FBI.
The two New York men, Joshua Hicks and Mir Islam, were presented in federal court yesterday. Hicks, 19, who is charged with access-device fraud, was released on a $20,000 bond. Islam, 18, who is charged with access-device fraud and attempted access-device fraud, was released on a $50,000 bond.
Their lawyers declined to comment on the charges after the hearing.
The FBI established the website, called “Carder Profit,” in June 2010 “as an online meeting place where the FBI could locate cybercriminals, investigate and identify them and disrupt their activities,” prosecutors said in a criminal complaint unsealed yesterday.
The undercover operation prevented potential losses of more than $205 million, according to the statement from Bharara’s office. The FBI notified credit card companies of more than 411,000 compromised credit and debit cards. The agency informed 47 businesses, government entities and schools that their computer networks had been breached, according to the statement.
Hicks, who used the online name OxideDox, passed 15 stolen credit card numbers to an undercover agent in exchange for a camera and $250, according to the complaint. Assistant U.S. Attorney Thomas Brown said in the hearing that Hicks admitted to additional computer crimes, including so-called SQL injection attacks, a technique to access customers’ financial data through a firm’s website, and infecting computers with malicious software.
The government claims Islam, who used names including “JoshTheGod” and “Ijew,” trafficked in stolen credit card data and possessed information for more than 50,000 cards. He claimed to be a member of the hacking group UGNazi and a founder of Carders.Org, a forum for people who deal in stolen credit cards, according to the government.
In addition to Hicks and Islam, U.S. authorities arrested nine people, in California, Georgia, New Mexico, Florida, Arizona, Massachusetts and Wisconsin, Bharara’s office said in the statement. Six people were arrested in the U.K., two in Bosnia and one each in Bulgaria, Norway, Germany, Italy and Japan. Four defendants remain at large, according to prosecutors.
Authorities in the U.S. and other countries yesterday executed more than 30 search warrants and interviewed more than 30 subjects, according to the statement.
The website set up by the FBI allowed users to discuss topics relating to “carding,” or stealing credit and debit card data and other financial information to get money, services and merchandise, according to the complaint against Hicks.
The FBI monitored discussions and recorded the Internet addresses of the users’ computers, according to the complaint. The site was taken offline in May, prosecutors said in the statement.
According to the complaint, Hicks on Feb. 22 agreed to trade stolen data from the credit cards for a digital single-lens reflex camera. A FBI agent sent the money electronically to a website user who acted as an escrow agent, according to the complaint.
The FBI agent then agreed to meet OxideDox in lower Manhattan on Feb. 28 and provide the camera, according to the complaint.
Later, the agent chatted online with OxideDox, asking him if he liked the camera, according to the complaint.
“Hey, a free camera is a free camera,” OxideDox replied, according to the complaint.
The case is U.S. v. Hicks, 12-mg-1639, U.S. District Court, Southern District of New York (Manhattan).