Two Romanians plead guilty to point-of-sale hacking

Two Romanian men have pleaded guilty to participating in a US$10 million scheme to hack into the computers of hundreds of Subway restaurants in the U.S. and steal payment card data, the U.S. Department of Justice said.

Iulian Dolan, 28, of Craiova, Romania, pleaded guilty Monday to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit access device fraud, and Cezar Butu, 27, of Ploiesti, Romania, pleaded guilty to one count of conspiracy to commit access device fraud, the DOJ said.

Dolan and Butu were two of four Romanians charged in December in U.S. District Court for the District of New Hampshire with hacking Subway point-of-sale computers.

In his plea agreement, Dolan has agreed to be sentenced to seven years, and Butu has agreed to be sentenced to 21 months in prison.A

The two men, in their guilty pleas, acknowledged participating in a Romanian-based conspiracy, lasting from 2009 to 2011, to hack into hundreds of U.S. point-of-sale (POS) computers, the DOJ said. Co-conspirator Adrian-Tiberiu Oprea is in U.S. custody and awaiting trial in New Hampshire. The group used stolen payment card data to make unauthorized charges or to transfer funds from the cardholders’ accounts, the DOJ said.

The scheme involved more than 146,000 compromised payment cards and more than $10 million in losses, the DOJ said.

During the conspiracy, Dolan remotely scanned the Internet to identify vulnerable POS systems in the U.S. with certain remote desktop software applications (RDAs) installed on them, the DOJ said. Using these RDAs, Dolan logged onto the targeted POS systems over the Internet.A The systems were often password-protected and Dolan attempted to crack the passwords to gain administrative access.A

He then installed keystroke logging software onto the POS systems and recorded all of the data that was keyed into or swiped through the POS systems, including customers’ payment card data, the DOJ said.

Dolan electronically transferred the payment card data to various electronic storage locations, called dump sites, that Oprea had set up, the DOJ said. Oprea later attempted to use the stolen payment card data to make unauthorized charges on, or transfers of funds from, the accounts, the DOJ alleged, and he attempted to sell the stolen payment card data to other co-conspirators.A

Dolan stole payment card data belonging to approximately 6,000 cardholders, the DOJ said.A Dolan received $5,000 to $7,500 in cash and personal property from Oprea for his efforts, the DOJ alleged.

In his plea agreement, Butu said he repeatedly asked Oprea to provide him with stolen payment card data and that Oprea provided him with instructions for how to access the website where Oprea had stored a portion of the stolen payment card data, the DOJ alleged.

Butu later attempted to use the stolen payment card data to make unauthorized charges on, or transfers of funds from, the accounts.A He also attempted to sell, or otherwise transfer, the stolen payment card data to other co-conspirators. Butu acquired stolen payment card data from Oprea belonging to approximately 140 cardholders, the DOJ alleged.A

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant’s e-mail address is grant_gross@idg.com.