Ringleader Arrested In $200 Million Online-Retailer Card Breach

Authorities have arrested one of the ringleaders of a cybercrime gang that stole payment card information from online retailers and cashed it out to the tune of $200 million, according to Reuters.

Federal prosecutors in New Jersey said they filed charges against 23-year-old Duy Hai Truong on May 29, accusing him and unnamed co-conspirators of running an international ring that stole information related to more than a million credit cards, then resold it to criminal customers through two websites. Truong is being held in Vietnam. Ten other accomplices were also charged.

Reuters reported that according to the criminal complaint, starting in 2007 Truong hacked into websites that sold goods and services over the Internet and collected personal credit card information from the sites' customers. The victims' credit cards incurred a total of more than $200 million in fraudulent charges, the complaint said.

This is an unusual case for a few reasons. One is its size—at $200 million, it dwarfs incidents like the one in February that cost a Middle East bank $40 million after thieves hacked into a debit-card processor. Still more unusual is the fact that one of the alleged ringleaders was actually caught. In most recent cases, U.S. authorities have only managed to arrest street-gang members who were helping to cash out the stolen card numbers by making fraudulent withdrawals from ATMs.

And the fact that the retailers attacked were online merchants? That certainly points to common knowledge about cyberthieves: When retailers harden up one attack vector, thieves look for softer targets. But no one is saying what kind of retailers were hit. Was it one or more major chains? Smaller merchants in a big marketplace run by someone like Amazon (NASDAQ:AMZN) or eBay (NASDAQ:EBAY)? A handful of e-tailers all using shopping-cart software with the same security hole? This million-card breach continued over more than five years, so the gang may have collected an average of only about 500 cards per day. What that means won't be clear until (and unless) prosecutors start naming the victims.
