An alleged carder arrested earlier this month in France has been added to a long list of defendants charged with participating in the coordinated $9.5 million global heist against Atlanta-based card processing company RBS WorldPay, in a revised federal indictment issued in Georgia last week.
Vladislav Anatolievich Horohorin, 27, aka BadB, was charged with one count each of wire fraud and access device fraud for his alleged role in the caper authorities have called “perhaps the most sophisticated and organized computer fraud attack ever conducted.” On Nov. 8, 2008, an army of cashers armed with cloned payroll cards simultaneously hit more than 2,000 ATMs around the world, looting them of $9.5 million in less than a day.
Horohorin’s indictment comes as U.S. law enforcement is enjoying once-unheard of success in targeting overseas cybercrime suspects. Another RBS WorldPay suspect, Sergei Tsurikov, 25, was extradited to the United States from Estonia earlier this month. And last month the FBI worked with international authorities to win the arrest of a suspected creator of the Mariposa botnet in Slovenia, and three alleged bot herders in Spain.
According to the superseding indictment (.pdf) filed Aug. 24, Horohorin used a prepaid payroll card with an RBS account number and associated PIN to hit cash machines around Moscow, where $125,000 of the ATM fraud occurred.
Horohorin, who holds dual citizenship in Ukraine and Israel, was already facing extradition to the United States on charges of access device fraud and identity theft from a separate indictment (.pdf) filed in Washington, D.C. last November. He was arrested in Nice, France, while boarding a flight to Russia, where he had been living.
Horohorin was allegedly one of the earliest members of CarderPlanet, a first of its kind Russian-language carding forum that was launched around 2002 by a group of East Europeans. CarderPlanet was shuttered in 2004, and BadB had more recently been selling his stolen goods at carder.su and on his own websites, dumps.name and badb.biz, where he promoted his product in lighthearted Flash cartoons like the one above.
According to authorities, Horohorin bragged online that he was one of the biggest sellers of “dumps” (account and other data stored on a bank card’s magnetic stripe) and had been a card seller for about eight years. Undercover agents from the U.S. Secret Service negotiated purchases of stolen data from him and worked with French authorities to arrest him.
But according to the new indictment in Georgia, Horohorin’s profits came not just from selling stolen card data but from cashing out compromised accounts as well. Horohorin is now one of nine suspects identified so far as participants in the RBS WorldPay heist, though his role in that attack appears to have been minor compared to his fellow defendants.
The hack involved reverse-engineering PINs for payroll debit card accounts — the holy grail of bank card hacking.
RBS WorldPay, the payment-processing arm of the Royal Bank of Scotland, provides a number of electronic payment processing services, including debit card transactions, electronic benefits transfer payments (EBT), prepaid cards, credit card and ATM-processing services. The processor discovered in November 2008 that it had been hacked and that the intruders had accessed account details for 100 payroll cards — offered by some employers as a paperless alternative to paychecks.
The hackers compromised RBS WorldPay’s database encryption to raise the amount of funds available on the compromised cards, and boost their daily withdrawal limits. In some case, the hackers raised the limits to $500,000. They allegedly developed a method for reverse engineering the encrypted PINs on the accounts.
Once the hackers raised the account limits, they provided their cashers with 44 cards programmed with the account details. On Nov. 8 of that year, the cashers — Horohorin allegedly among them — simultaneously hit more than 2,000 ATMs, netting about $9.5 million in under 12 hours.
The hackers were able to observe the withdrawals of funds from ATMs in real time in order to monitor the amounts being taken by cashers and lock the accounts to prevent further withdrawals. Once the mission was completed, the hackers tried to erase their tracks on the RBS network.
Viktor Pleshchuk, 28, of St. Petersburg, was the alleged mastermind of the hack. He was arrested by the Russian Federal Security Service, earlier this year.
Pleshchuk was indicted in the United States last November with Sergei Tsurikov, 25, of Tallinn, Estonia; Oleg Covelin, 28, of Chisinau, Moldova; and a fourth person identified only as “Hacker 3.” Igor Grudijev, 32, Ronald Tsoi, 32, Evelin Tsoi, 21, and Mihhail Jevgenov, 34, all of Tallinn, Estonia, were also indicted on access device fraud charges related to the hack.
Tsurikov, Grudijev, Jevgenov and both Ronald and Evelin Tsoi were convicted in Estonia of fraud. Tsurikov was extradited to the United States earlier this month.
Horohorin was already facing a maximum sentence of 10 years in prison and a $250,000 fine if convicted on the access device fraud charge in Washington, D.C. as well as an additional 2 years in prison and a fine of up to $250,000 if convicted of the identity theft charge. He faces similar maximum sentences for the new charges in Georgia.
(Story updated 15:45 EDT)
See also:
