(August 6, 2008) Federal authorities on Tuesday announced 11 people from the U.S. and at least four other countries have been charged with numerous crimes stemming from computer intrusions at major retailers that resulted in the theft and sale of 40 million credit and debit card numbers. The vast scheme, with charges originating in Boston and San Diego, apparently involved the huge breach at off-price retailer TJX Cos. that was disclosed in early 2007 as well as other publicly known breaches.

Some of the defendants had been charged in other hacks, including a Miami man who seemed to have continued his criminal ways while working as a government informant. And one of the defendants is a person of unknown origin or name, identified only by his online nickname, “Delpiero.”

“So far as we know, this is the single largest and most complex identity-theft case ever charged in this country,” Attorney General Michael B. Mukasey said in a U.S. Department of Justice news release.

Technology and security analyst Avivah Litan of Stamford, Conn.-based research and consulting firm Gartner Inc. is encouraged that authorities apparently bagged suspects that were involved in multiple breaches, but cautions that taking them out of circulation doesn’t necessarily mean the cases are fully solved. “The big question is did they get the ringleaders, and how many of them are still out there?” she says.

Mukasey and other officials announced the charges in Boston, where a key figure in the case, Albert “Segvec” Gonzalez of Miami, was accused of computer fraud, wire fraud, access-device fraud, aggravated identity theft, and conspiracy. He faces possible life in prison if convicted on all charges. Gonzalez is already in jail on charges filed in May involving payment-data hacks at restaurant chain Dave & Buster’s Inc., and had trouble with the law even earlier. The U.S. Secret Service arrested him in 2003 for access-device fraud. “During the course of this investigation, the Secret Service discovered that Gonzalez, who was working as a confidential informant for the agency, was criminally involved in the case,” the DoJ release says.

The Boston indictment alleges that Gonzalez and two other Miami men, Christopher Scott and Damon P. Toey, obtained credit and debit card numbers by “wardriving”—driving around to find vulnerable wireless networks—and then breaking into the networks of retailers TJX Cos., BJ’s Wholesale Club Inc., OfficeMax Inc., Barnes & Noble Inc., The Sports Authority Inc., Forever 21 Inc., and DSW Inc., as well as restaurant chain Boston Market Corp.

Once inside the networks, they installed so-called “sniffer” software programs to capture card numbers, passwords, and account information as the data moved through the networks. They then reportedly encrypted the data in computer servers they controlled in the U.S. and Eastern Europe and sold some numbers on the Internet to other criminals in those locations. They also encoded numbers on magnetic stripes of blank cards and then used them to withdraw “tens of thousands of dollars” at a time from ATMs, the DoJ claims. The defendants allegedly concealed and laundered the proceeds from their fraud by using anonymous Internet currencies both in the U.S. and abroad, and by channeling funds through Eastern European bank accounts.

In San Diego, related indictments against Maksym “Maksik” Yastremskiy of Ukraine and Aleksandr “Jonny Hell” Suvorov of Estonia were unsealed. They are charged with crimes related to the sale of stolen card data obtained from Gonzalez and others. Also in San Diego, authorities unsealed an indictment against Hung-Ming Chiu and Zhi Zhi Wang, both of the People’s Republic of China, and the mysterious Delpiero. In addition, authorities filed criminal complaints against Sergey Pavolvich of Belarus and Dzmitry Burak and Sergey Storchak, both of Ukraine. The San Diego charges, the result of a three-year undercover Secret Service investigation, allege the eight ran an international ring for distributing stolen credit card data, with operations in Ukraine, Belarus, Estonia, China, the Philippines, and Thailand. Yastremskiy alone allegedly received proceeds of more than $11 million, the DoJ says.

In May, federal authorities in Brooklyn, N.Y., charged Gonzalez, Suvorov, and Yastremskiy in connection with hacks at Dave & Buster’s involving the placement of “packet-sniffer” applications in the restaurant’s network after first gaining unauthorized access to point-of-sale equipment. In one location alone, the resulting breach netted 5,000 stolen credit and debit card numbers and losses of $600,000 to the affected issuers. Gonzalez is in pre-trial confinement on the New York charges.

Based on the developing San Diego investigation, Turkish officials arrested Yastremskiy in July 2007 while he was vacationing in Turkey. He remains jailed there on related Turkish charges; U.S. authorities are requesting his extradition pending resolution of those. And at the request of the DoJ, German federal police in Frankfurt arrested Suvorov in March on the San Diego charges while he was there on vacation. He is jailed in Germany awaiting extradition to the U.S.

“It’s obviously a big coup for law-enforcement,” says Litan, noting the agencies that investigate computer fraud—including the Secret Service, the FBI, and the U.S. Postal Service—often have disputes during their probes. “It’s good that despite the turf wars they were able to get this done.”

Besides TJX, payment card data breaches or related security problems at some of the retailers noted by the DoJ have been in the public realm in recent years. In 2005, BJ’s Wholesale Club and shoe retailer DSW settled complaints brought by the Federal Trade Commission alleging lax card security.