Four Russians and a Ukrainian national have been charged with running a Byzantine hacking organization that over almost seven years penetrated computer networks of more than a dozen major American and international corporations, stealing and selling at least 160 million credit and debit card numbers, resulting in losses of hundreds of millions of dollars for those that fell victim to the attacks.

hacking

Indictments and charges were announced Thursday in Newark, New Jersey, where U.S. Attorney Paul Fishman called the case the largest hacking and data breach scheme ever prosecuted in the United States.

Hackers picked the wrong people to mess with

The list of victims is long and includes a number of high-profile companies and institutions including Nasdaq; 7-Eleven; JCPenney; the New England supermarket chain Hannaford Brothers; JetBlue; Heartland Payment Systems, one of the world’s largest credit and debit processing companies; French retailer Carrefour; and  Belgium bank Dexia Bank Belgium.

The indictment says the suspects sent each other instant messages from numerous platforms as they took control of each targeted site’s data, telling each other, for example: “NASDAQ is owned.” At least one man told others that he used Google news alerts, a company they didn’t target,  to learn whether his hacks had been discovered, according to the court filing.

The defendants were identified as Russians Vladimir Drinkman, Aleksander Kalinin, Roman Kotov and Dmitriy Smilianets, and Ukrainian Mikhail Rytikov. Authorities say one suspect is in the Netherlands and another is due to appear in U.S. District Court in New Jersey next week. The indictment wasn’t clear about the locations of the other three, but one can imagine that they wouldn’t divulge their location if the suspects were on the run.

You can run, but you can’t hide

The prosecution built on a case that resulted in a 20-year prison sentence in 2010 for Albert Gonzalez of Miami, who often used the screen name “soupnazi” and is identified in the new complaint as an un-indicted co-conspirator. Other un-indicted co-conspirators were also named through indictments gained from a massive investigation.

Mark Rasch, a former federal cyber crimes prosecutor, told Reuters that the arrests show that law enforcement is making progress in identifying those responsible for major cyber crimes.

“They involve dozens or even hundreds of people huddled over computer terminals all over the world in a common purpose of stealing [or] disseminating credit card numbers,” said Rasch, who was not involved in bringing the case.

More news and indictments are certain to follow in the coming days as arrests are made.