Two Romanian men admitted that they remotely targeted 150 Subway locations and other stores to steal credit card information from 146,000 customers between 2009 and 2011. The US Department of Justice said the effort allegedly stole as much as $10 million from unwitting shoppers and sandwich aficionados.
Iulian Dolan, 28, of Craiova, Romania, pleaded guilty to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit access device fraud, and Cezar Butu, 27, of Ploiesti, Romania, pleaded guilty to one count of conspiracy to commit access device fraud.
According to the DoJ, the two are a means to a bigger fish. They admitted to working with fellow Romanian Adrian-Tiberiu Oprea, who is awaiting trial in New Hampshire on charges related to stealing credit, debit and payment account numbers from hundreds of computers, making unauthorized charges and transfering funds from cardholders’ accounts.
The efforts exploited vulnerabilities in remote desktop access ports, which allowed him to target POS systems over the internet to gain administrative access and install malware, which logged all credit swipes and keystrokes at the terminal.
If convicted, Oprea faces a maximum of five years in prison for each count of conspiracy to commit computer related fraud, 30 years in prison for each count of conspiracy to commit wire fraud and five years in prison for each count of conspiracy to commit access device fraud. He also faces fines up to twice the amount of the fraud loss and restitution.
In their plea agreements, the DoJ said Dolan, who hacked the devices, agreed to a seven-year prison sentence, while Butu agreed to 21 months in prison.
In August, authorities said that the same Eastern European fraud syndicate is likely responsible for stealing a half-million credit cards from an unidentified Australian company. The Australian Federal Police estimated that the theft could result in more than $25 million in fraudulent transactions.