Three indicted over $15 million identity theft spree

Cards. Image courtesy of Shutterstock.

Cards. Image courtesy of Shutterstock.Three men have been indicted in a New Jersey court, charged with participating in an identity theft conspiracy which could have cost its victims upwards of $15 million.

Two Ukrainian nationals, Oleksiy Sharapka, 33, and Leonid Yanovitsky, 39, both from Kiev, are accused of heading the gang, with Sharapka said to have “directed” it while Yanovitsky merely “assisted”.

The third, New York native Richard Gunderson, is thought to have been further down the command chain, helping move around stolen funds.

Eight members of the gang were originally charged in June 2013, including these three. One of the others has had his charges dismissed, while the remaining four have either pleaded guilty or still have charges to come.

The exact nature of the gang’s activities is a little confused thanks to conflicting reports, but it is thought that their identity theft and fraud campaigns hit customers of a range of US financial institutions including Citibank, JP Morgan Chase Bank, Nordstrom, Paypal, and even the US DoD Defense Finance and Accounting Service.

Initial statements issued last year by the US Department of Justice imply the gang had actually hacked into the networks of all these institutions, a feat which would have required considerable skill and determination.

Conspiring hackers gained unauthorized access to the computer networks of more than a dozen global financial institutions, including: Aon Hewitt; Automated Data Processing Inc.; Citibank N.A.; E-Trade; Electronic Payments Inc.; Fundtech Holdings LLC, iPayment Inc.; JP Morgan Chase Bank N.A.; Nordstrom Bank; PayPal; TD Ameritrade; U.S. Department of Defense, Defense Finance and Accounting Service; TIAA-CREF; USAA; and Veracity Payment Solutions Inc.

The latest DoJ release tones things down considerably though, rephrasing things to say the gang had “gained unauthorized access to the bank accounts of customers”, which seems more likely.

Such account access data could be obtained through phishing or banking malware, with no need for the advanced hacking skills required to properly penetrate the networks of numerous major banks.

Once the accounts were accessed, funds were transferred to other accounts or to pre-paid cards, which were then cashed out by crews across the US and elsewhere.

The crooks even had the nerve to file tax returns on behalf of their stolen identities, in hopes of obtaining refund cash.

The wire fraud charges the men face carry sentences of up to 20 years, with extra time possible for the identity theft and access device fraud counts and heavy fines also available.

Neither Sharapka nor Yanovitsky are yet in custody however, with both described as “fugitives” and unlikely to be in easy reach of the US authorities.

In another case, international efforts have managed to track down a fugitive, with Bangkok police reporting the arrest of “infamous international hacker” Farid Essebar, aka Diabl0.

Morrocan-born Essebar, now holding Russian citizenship, is best known for his involvement with the Zotob worm back in 2005, for which he served time.

His latest arrest is at the request of Swiss authorities, who are after him in connection with hacking incidents at Swiss banks said to have caused $4 billion worth of damage.

He’s expected to be extradited to Switzerland within the next few months.

The US has a strong record of tracking wanted fugitives across the world, so it’s likely the Feds will eventually get their men in this case too.

Image of bank cards courtesy of Shutterstock.