Two men plead guilty to hacking hundreds of Subway POS computers

Two Romanian nationals pleaded guilty today to participating in an international, multimillion-dollar scheme to remotely hack into and steal payment card data from hundreds of U.S. merchants’ computers.

Iulian Dolan, 28, of Craiova, Romania, pleaded guilty to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit access device fraud, and Cezar Butu, 27, of Ploiesti, Romania, pleaded guilty to one count of conspiracy to commit access device fraud.

The defendants admitted that between 2009 and 2011 they participated in Romanian-based conspiracies with co-conspirator Adrian-Tiberiu Oprea (who is in U.S. custody and awaiting trial) to hack into hundreds of U.S.-based computers to steal credit, debit and payment account numbers and associated data that belonged to U.S. cardholders and then use the stolen payment card data to make unauthorized charges on, and/or transfers of funds from those cardholders’ accounts (or alternatively to transfer the stolen payment card data to other co-conspirators who would do the same).

At the plea hearings on Monday, federal prosecutors noted that the conspiracies involved more than 146,000 compromised cards and more than $10 million in losses.

Dolan admitted that he, along with Oprea, remotely hacked into U.S. merchants’ POS computer systems, where customers’ payment card data was electronically stored.

Specifically, Dolan first remotely scanned the internet to identify U.S.-based vulnerable POS systems with certain remote desktop software applications (RDAs) installed on them. Using these RDAs, Dolan logged onto the targeted POS systems over the internet. These were typically password-protected, so Dolan would attempt to crack the passwords, where necessary, to gain administrative access. He would then remotely install keyloggers onto the POS systems, which would record, and then store, all of the data that was keyed into or swiped through the merchants’ POS systems, including customers’ payment card data.

Dolan periodically remotely hacked back into the compromised merchants’ POS system to retrieve the customers’ payment card data and then electronically transferred the payment card data to various electronic storage locations that Oprea had set up. Dolan knew that Oprea later attempted to use the stolen payment card data to make unauthorized charges on, or transfers of funds from, the accounts. He also knew that Oprea attempted to sell, or otherwise transfer, the stolen payment card data to other co-conspirators for them to use in a similar manner.

During the course of the conspiracies, the co-conspirators hacked into several hundred U.S. merchants’ POS systems. Dolan stole payment card data belonging to approximately 6,000 cardholders and was aware that Oprea was engaged in similar conduct. Dolan received approximately $5,000 – $7,500 in cash and personal property from Oprea for his efforts.

In his plea agreement, Butu admitted that he repeatedly asked Oprea to provide him with stolen payment card data and that Oprea provided him with instructions for how to access the website where Oprea had stored a portion of the stolen payment card data. Butu later attempted to use the stolen payment card data to make unauthorized charges on, or transfers of funds from, the accounts. He also attempted to sell, or otherwise transfer, the stolen payment card data to other co-conspirators for them to use in a similar manner. Butu acquired stolen payment card data from Oprea belonging to approximately 140 cardholders.

In his plea agreement, Dolan has agreed to be sentenced to seven years, and Butu has agreed to be sentenced to 21 months in prison.

The case was investigated by the U.S. Secret Service, with the assistance of the New Hampshire State Police and Romanian authorities.