CONCORD, N.H. (AP) — Two Romanian computer hackers who stole credit card information from more 800 U.S. merchants and more than 150,000 credit and debit card holders have been given lengthy prison sentences by a federal judge in New Hampshire.
Prosecutors said the mastermind of the scheme was Adrian-Tiberiu Oprea, who has a criminal record in Romania for hacking into credit card databases. He is the first cyber-criminal Romania extradited to the United States, prosecutors said.
Oprea was sentenced to 15 years in prison Wednesday. His top deputy, Iulian Dolan, received a seven-year sentence the same day.
"It's a great result," U.S. Attorney John Kacavas said Thursday. "It serves notice to the cyber-criminals that you can keystroke from the obscurity of your home half a world away, but we're going to get you."
Prosecutors say the two-year scheme that ended with the men's arrests in 2011 cost merchants, banks and cardholders more than $17 million. The Subway restaurant chain was hit hardest, with credit card information stolen from more than 250 franchises, including one in Plaistow, N.H.
"Oprea essentially wreaked havoc on Subway, both at the corporate level and at the individual franchise level," prosecutors wrote in their sentencing memorandum. Subway, they say, spent more than $5 million to investigate the source of the data leaks and make changes to its computer systems.
The two men pleaded guilty to hacking into the "point-of-sale" systems that link merchants' computers to credit card payment companies.
Once he hacked into the point-of-sale systems, prosecutors said, Oprea installed keystroke logging software to record credit card payment data and imported that information to computer "dump sites" he set up in the U.S. and Cyprus. He would use the stolen credit card data to make purchases for himself and sold some of it on the black-market.
"These cyber criminals are very clever and have the ability to reach into American commerce from half a world away," Kacavas said.
Dolan's role, prosecutors said, was to identify vulnerable merchant systems that had certain remote desktop software applications installed on them. Among Dolan's targets was the Plaistow Subway, where he stole the credit card information for hundreds of customers.
During the latter stages of their scheme, prosecutors said, Secret Service agents were able to monitor their exploits and to notify banks that issued the compromised cards before the credit card info could be abused.
Oprea supervised various sellers of the stolen credit card data, including Cezar Butu, who worked with a team of crooks in a rented house in Lille, France, to encode the stolen data onto blank plastic cards. Butu was sentenced in January to two years in prison.