German court blocks US extradition for “number two” hacker

Hacker. Image courtesy of Shutterstock

A German court has put the brakes on efforts to extradite a suspected hacker to the US, arguing that the potential sentence of almost 250 years he faces there is excessive by German standards.

32-year-old Turkish national Ercan Findikoğlu has been held in Germany since his arrest at Frankfurt Airport in December 2013. Since then there have been several legal stages, with approval given to the extradition by a regional court in August of this year.

Now the country’s highest court, the Federal Constitutional Court of Germany or Bundesverfassungsgericht based in Karlsruhe, has overturned that decision, questioning both the extreme length of the sentence threatened by US authorities, and also the inclusion of a “conspiracy” charge not compatible with German law.

The decision was made on November 20th, and details were revealed this week by news magazine Der Spiegel, which played a major part in revealing the NSA secrets leaked by Edward Snowden.

Earlier Spiegel Online reports (in German) connect Findikoğlu to massive global card heists in late 2012 and early 2013, involving hacking of systems in India operated by payment processing firms EnStage and ElectraCard.

In lengthy penetrations the hackers were able to doctor accounts for prepaid debit cards, removing withdrawal limits so that a team of carders armed with stolen PINs and cloned cards could take out large sums in orchestrated cash-outs.

In separate swoops targeting the two companies, it’s believed at least $45 million was withdrawn from ATMs around the world, including over 140 in New York alone.

The first heist, involving cards from the National Bank of Ras Al-Khaimah (RAKBANK), UAE, stolen in the ElectraCard hack, seems like something of a practice run, scoring a mere $5 million in December 2012.

The second targeted the Bank of Muscat, Oman, via its partner EnStage and scooped an epic $40 million, with 36,000 ATM transactions carried out in the space of 10 hours in February of last year.

Several of the low-level carders and cashers have already been brought to justice, including a crew in New York, and more recently a German mother-and-son team given over four years for nabbing 168,000 Euros from ATMs in Dusseldorf.

Now it looks like one of the ringleaders is making his slow way through the international justice system, complicated as ever by the complexities of international law.

It’s not the first time the US preference for extreme potential sentences, usually used as leverage to assure easy guilty pleas, has caused a snag in cybercrime extradition proceedings. Last year similar complaints of excessive sentencing held up the extradition from Latvia of a man suspected of being behind the Gozi Trojan.

In that case the matter was swiftly resolved, and it seems likely that this one will eventually go the same way, with a little flexibility and understanding on both sides.

Further complicating matters is a second extradition request from Turkey for Findikoğlu, again according to Der Spiegel.

Findikoğlu also has form in these struggles, with reports dating back to 2008 of involvement with a series of cyber thefts including a failed heist targeting over a million stolen card numbers.

He was described at the time as “the world’s number two hacker”, and was even then facing a possible 200 year sentence in the US but may have only served a couple of years in Turkey.

In this case, should he eventually make his way to the US, he’s likely to get a rather more serious sentence.

It should of course be appropriate for the scale of his crimes, but surely most people would agree that even for a repeat offender, more than three full lifetimes may be a little harsh.
