Crooks net 160 million payment card numbers in raids on Citibank, PNC, NASDAQ, PNC, retailers and other financial firms

In what U.S. officials are calling the largest hacking and data-breach scheme ever prosecuted stateside, five men from Russia and the Ukraine allegedly seized at least 160 million credit and debit card numbers from various institutions.

Just three of the corporate victims lost more than $300 million, authorities allege.

The NASDAQ breach allowed “for the manipulation and theft of sensitive data.”

From November 2008 through October 2010, the perpetrators “hacked various computer servers used by the NASDAQ to conduct its business operations. During the course of the hack, [they] installed on certain NASDAQ servers malicious software, or malware, which [them] to surreptitiously access the infected NASDAQ servers and execute commands on those servers, including commands to delete, change or steal data," according to the U.S. Justice Department. 

The trading platform that allows NASDAQ customers to buy and sell securities was not among the affected servers.

In another scheme, two of the suspects stole hundreds of thousands of bank account numbers, PINs, and other codes to withdraw money from victim accounts.

From December 2005 through November 2008, the hackers allegedly obtained bank account numbers, customer identification numbers -- the unique number embossed or printed on the front of an ATM card, card verification values, and PINs for victims’ accounts at financial institutions, including Citibank and PNC Bank.

They then input the stolen account data onto the magnetic strips of blank ATM cards so that those cards could be used to obtain money from victims’ bank accounts.

In January 2006, the PINs for hundreds of customer accounts were obtained by penetrating PNC Bank’s online banking website. The co-conspirators ransacked about $1.3 million from victims’ accounts by combining various stolen information.

In 2007, they allegedly placed credential-stealing malware on a computer network that processed ATM transactions for Citibank and other financial institutions. The pilfered account information was used to withdraw approximately $2.9 million from Citibank customers’ accounts.

In 2008, they allegedly “used a computer program to mount an attack against Citibank’s online banking website that resulted in the theft of account information for more than 300,000 accounts. The stolen account information was used to create ATM cards that in turn were used to withdraw approximately $3.6 million from the compromised accounts.”

The crime ring hit up individual victims’ accounts through ATMs located around the world, including in the United States, Estonia, Canada, Great Britain, Russia, and Turkey.