Estonian Bank Hacker Extradited To U.S.

Sergei Tsurikov charged with masterminding sophisticated, $9 million computer fraud of RBS Worldpay system.

Mathew J. Schwartz, Contributor

August 9, 2010

2 Min Read

Alleged hacker Sergei Tsurikov, 26, of Tallinn, Estonia, has been extradited to the United States and arraigned on numerous federal charges, including wire fraud, computer fraud, and "aggravated identity theft," according to the Department of Justice.

The charges relate to a November 2008 hack attack against the Royal Bank of Scotland's RBS Worldpay, which provides online payment and credit card processing services. In half a day, hackers played it for over $9 million.

According to a statement from U.S. Attorney Sally Quillian Yates, it was "perhaps the most sophisticated and organized computer fraud attack ever conducted."

Allegedly, Tsurikov and three other attackers --Viktor Pleshchuk, 29, of St. Petersburg, Russia; Oleg Covelin, 29, of Chisinau, Moldova; and another, unidentified individual -- obtained unauthorized access to the RBS Worldpay network, which is the Atlanta-based U.S. payment processing division for RBS. The attackers were then able to reverse reengineer personal identification numbers from a data feed, and defeat the credit card processing system's encryption.

Next, they raised account limits on compromised accounts and distributed 44 counterfeit payroll debit cards to a network of accomplices. These "cashers" withdrew more than $9 million from over 2,100 ATMs in at least 280 cities worldwide, including United States, Russian, Ukrainian, Estonian, Italian, Japanese, and Canadian cities, in less than 12 hours.

According to the Department of Justice, the cashers retained 30% to 50% of the take, while the rest allegedly flowed back to Tsurikov and Pleshchuk, among other defendants, via such avenues as WebMoney accounts and Western Union money transfers.

In November 2009, a federal grand journey returned a 16-count indictment, charging Tsurikov, Pleshchuk, Covelin, and the unnamed individual, as well as four accomplices in Estonia, and seeking the forfeiture of the more than $9.4 million stolen.

RBS detected the attacks quickly and notified authorities. From there, the investigation rapidly grew to include law enforcement officials in Estonia, Hong Kong, and the Netherlands. "This success would not have been possible without the efforts of the victim, and unprecedented cooperation from various law enforcement agencies worldwide," said Yates.

Given the borderless nature of many types of online attacks, law enforcement officials can expect even more of these types of cross-border cases. According to Brian D. Lamkin, FBI special agent in charge in Atlanta, "complex, cyber-based criminal investigations such as this are becoming all too prevalent."

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights