NEW YORK, (Reuters) – U.S. law enforcement officials on Tuesday said 24 suspected hackers had been arrested in a sting operation spanning four continents that targeted online financial fraud of stolen credit card and bank information.
In a two-year investigation, FBI agents posed as hackers on Internet forums, watching as other hackers swapped methods for breaching data security walls and creating fake credit cards that would work for Internet and in-person purchases.
The probe prevented $205 million in possible losses on over 411,000 compromised consumer credit and debit cards, U.S. authorities in New York said.
Eleven people were arrested in the United States, the Federal Bureau of Investigation and the Manhattan U.S. Attorney’s office said. The thirteen others were arrested in countries from Britain to Japan, the authorities said. Officials in Australia also conducted searches.
“Clever computer criminals operating behind the supposed veil of the Internet are still subject to the long arm of the law,” Manhattan U.S. Attorney Preet Bharara said.
During the operation, the FBI said, it not only monitored the hackers’ activities but also contacted “multiple” people and institutions hit by the hackers and showed them how to repair their security breaches and protect themselves in the future.
No credit card companies or banks were named in Tuesday’s court documents.
The 24 people arrested were all men aged 18 to 25. Some face up to 40 years or more in prison if convicted on conspiracy to commit wire fraud charges and access device fraud charges.
The FBI operation centered around a “carding forum” that it had secretly created in June 2010, and was in charge of running unbeknownst to its participants, authorities said.
The forum, called “Carder Profit,” was essentially an online market for registered users to exchange stolen account numbers. It was shut down in May.
Two people were arrested in the New York area and were later released on bail after appearing in Manhattan federal court.
One of the men, Mir Islam, known online as “JoshTheGod,” was charged with trafficking in 50,000 stolen credit card numbers. Authorities said Islam had admitted to helping emerging hacker outfit UgNazi, which said it had launched a cyber attack against the microblogging platform Twitter last week. [ID: nL1E8HLIDA]
Islam, 18, who lives in the New York borough of the Bronx, appeared before U.S. Magistrate Judge James Francis in flip-flop sandals and jeans. His parents, who are from Pakistan, watched the proceeding from a back bench. Islam was released on a $50,000 bond.
Fellow Bronx resident Joshua Hicks, 19, also known as “OxideDox,” was charged with one count of access device fraud. Wearing red basketball shorts, Hicks was released on a $20,000 bond after a brief hearing before the same judge.
Meanwhile on Tuesday, the U.S. Federal Trade Commission filed a complaint against Wyndham Worldwide Corp and three subsidiaries, alleging that the hotel operator failed to keep customer data secure.
That failure resulted in the theft of hundreds of thousands of consumers payment card numbers, which were sent to an Internet address registered in Russia and $10.6 million in fraudulent charges, according to the complaint.
The cases are U.S. v Joshua Hicks and U.S. v. Mir Islam, U.S. District Court for the Southern District of New York, Nos 12-1639 and 12-1701