July 25, 2013 – Manhattan, New York – The United States Attorney for the Southern District of New York, Preet Bharara, and the Assistant Director in Charge of the New York Office of the Federal Bureau of Investigation, George Venizelos, jointly announced today the unsealing of two separate indictments against Russian hackers, Aleksandr Kalinin and Nikolay Nasenkov. The pair stands accused of having hacked NASDAQ servers and several other financial institutions to steal millions of dollars from individuals in the US over the course of several years.
Kalinin, 26, of St. Petersburg, went by the aliases “Grig,” “g,” and “tempo” and is alleged to have hacked multiple computer servers used by NASDAQ between November 2008 and October 2010. Over the course of those two years, he installed malicious software onto the stock exchange’s servers which allowed him to execute commands to retrieve, alter, or delete data.
The manipulation of NASDAQ data could have very easily been used to Kalinin’s financial benefit, however, more concrete information is presently available on how he stole money with his partner, Nasenkov, in a separate scheme.
Nasenkov, 31, of St. Petersburg, worked with Kalinin from December 2005 to November 2008 to hack into financial institutions and steal account information. The duo was able to obtain bank account numbers, PINs, customer identification numbers, and card verification values from financial institutions such as PNC Bank and Citibank. Stolen account data was encoded onto magnetic strips placed on blank plastic ATM cards, which were in turn used to access individual accounts and withdraw millions of dollars. Accounts were accessed in the United States, the United Kingdom, Canada, Estonia, Russia, Turkey, and elsewhere. In all, more than 800,000 accounts were compromised and used to procure roughly $7.8 million through attacks on PNC in 2006, and on Citibank in 2007 and 2008.
Kalinin is charged with one count of computer hacking for the NASDAQ attack, as well as four counts of bank fraud, one count of conspiracy to commit bank fraud, one count of aggravated identity theft, one count of conspiracy to commit access device fraud, and one count to commit computer intrusion. If convicted on all charges, he could face a maximum sentence of nearly 175 years in prison.
Nasenkov is charged with four counts of bank fraud, one count of conspiracy to commit bank fraud, one count of conspiracy to commit access device fraud, one count of computer intrusion to obtain information, one count of computer intrusion to further fraud, one count of aggravated identity theft, one count of conspiracy to commit money laundering, and one count of conspiracy to commit computer intrusion. He could receive a maximum prison sentence of nearly 195 years if found guilty on all counts.
“As today’s allegations make clear, cyber criminals are determined to prey not only on individual bank accounts, but on the financial system itself. But would-be cyber thieves should take note: Because of the close and growing collaboration between the US government and the private sector on issues of cyber security, our ability to unmask and prosecute the anonymous perpetrators of cyber crimes—wherever they may be located—has never been stronger,” said US Attorney Bharara.
Two co-conspirators of the Russian hackers were arrested in the Netherlands last June and one has been extradited, however Kalinin and Nasenkov remain at large.