According to Russian newswire reports, 27-year-old Yevgeny Anikin was a member of an international cybercrime ring that copied merchant account information and, after boosting the daily cash withdrawal limits, drew the $10m over a lengthy period from ATMs around the world.
The Reuters newswire quoted him as saying: "I want to say that I repent and fully admit my guilt," asking the Siberian court judge for leniency and claiming he had started paying the money back.
Anikin was later handed down a five-year suspended prison sentence.
The case – which follows the September 2010 sentencing of another ringleader to six years in prison – has drawn consternation in security circles, mainly because of the fact that Anikin, who has been under house arrest, was handed down a suspended sentence.
Criticism from Phil Lieberman, president of identity management specialist Lieberman Software, was scathing.
"Not only did this guy manage to hack into WorldPay's systems back in 2008, but he then [apparently] altered the parameters of the merchant accounts and boosted their online daily limits. From there he withdrew large amounts of cash from ATMs as he travelled the world", he said.
"The case is a fascinating one as, by pleading guilty, it's unlikely we'll ever find out how this team of hackers managed to stiff the former RBS card processing division for an incredibly large sum of money", he added.
According to Lieberman, the only way that Anikin could have increased the withdrawal limits on the merchant accounts was by gaining access to an internal management account within the card processor.
The whole affair smacks of a lack of security on privileged accounts, which is an area of security in which we specialise, he explained.
As with all major card frauds of this type, however, this case involves the hacker ringleader pleading guilty, thereby preventing the actual processes used by the fraudsters(s) from being revealed in an open court.
"We've been through our fraud records and are finding it difficult to come up with a major card fraud case involving hacking where the fraudster(s) have pleaded not guilty, and the case has gone to court," he said, adding that time after time, the fraudsters mysteriously plead guilty, are sentenced and the financial institution gets away without revealing the chinks in their electronic armour.
The possibilities of this happening, he claims, are quite low, especially given that this case was heard in a Siberian court, in a country where all sorts of 'unusual' results come out of the courts, such as political rivals of President Putin mysteriously being incarcerated for years on end.
"The bottom line is that you don't have to be a conspiracy theorist to piece together what is happening: the card processing system is far from being infallible, and the banks are going to great lengths to avoid exposing how insecure their systems really are in an open court", he said.
"Of course, if I'm wrong, I'll be perfectly happy to discuss this issue with WorldPay or any other financial institution whose systems have been hacked and defrauded – and where the criminals have pleaded not guilty", he added.