Alleged mastermind behind $20m stolen-card site extradited to US

Cardplanet: it wasn’t just an underground market to buy credit card data. It was the underground service that sold stolen payment card data with a satisfaction guarantee: invalid card data? Have A Brand New Card!

That’s how the card shop is described in an 18-page indictment, filed in Eastern Virginia US District Court on Tuesday, that charges a 29-year-old Russian man, Aleksei Yurievich Burkov, with running what prosecutors say was a $20m stolen card trading ring. The Cardplanet site, which was public, operated from 2009 through most of 2013.

According to the US Department of Justice (DOJ), Burkov arrived in Dulles International Airport on Monday after Israel extradited him. He had been in the country, fighting extradition, since he was arrested at Ben-Gurion airport near Tel Aviv in December 2015.

Burkov has been charged with wire fraud, access device fraud, and conspiracy to commit wire fraud, access device fraud, computer intrusions, identity theft and money laundering. If convicted on all counts, he faces a maximum of 80 years in prison, though maximum sentences are rarely handed out.

Burkov was allegedly the mastermind behind Cardplanet, which sold stolen debit and credit card numbers that had primarily been hacked out of people’s computers. It’s estimated that the fraudulent purchases made on US credit card accounts alone total $20m.

After carders buy stolen payment card details, they can then put all the legitimate card details onto the fresh magnetic stripe of a blank card, thereby cloning the card and using the counterfeit to go on shopping sprees.

Cardplanet sold data from more than 150,000 compromised payment cards, including cards from the biggest credit card brands in the US. Burkov allegedly kept his inventory well-stocked by soliciting card details on carding forums. The price for each stolen card’s data – what’s known as a dump – started at $2.50 and went on up to $60, depending on card type, country of origin, and whether they came with PII such as the cardholder’s name and address.

There are plenty of card shops out there, but Cardplanet differentiated itself with stellar customer service. Burkov allegedly offered – for a fee – a service called “checker” that let buyers instantly validate the stolen card details that they’d purchased. Burkov allegedly promised to replace any numbers that turned out to be duds.

The DOJ says Burkov also had other money-making schemes. He allegedly ran another site, an invite-only club for “elite cybercriminals” to collaborate on their crimes and to flog all sorts of unsavory wares: malware and stolen goods that included personal identifying information (PII); plus services for crooks, such as botnets, money laundering and hacking.

To join the elite forum, you needed the blessings of three existing members who’d vouch for your fine criminal reputation. Plus, you needed to pony up some money as insurance: normally, $5,000. Then, all the members got to vote on whether you could join. Those safeguards were designed to keep law enforcement agents from infiltrating the forum, and to make sure that members didn’t renege on their transactions.

As far as Cardplanet goes, that house of cards fell apart in December 2013, when Burkov allegedly sold stolen data for six cards to an undercover agent.

He’s scheduled for a detention hearing on Friday at the federal courthouse in Alexandria, Virginia.