Criminal Justice & the Rule of Law Cybersecurity & Tech

Cybercrime Roundup: WorldPay Update

Sarah Tate Chambers
Monday, September 18, 2017, 2:19 PM

On July 20, Judge Steven Jones of the Northern District of Georgia sentenced Evgeny Levitskyy (known by the moniker M.ur.d.e.r.e.r.) to 46 months in prison and three years of supervised release. Levitskyy must also pay restitution to the tune of $499,518.51. The sentence was based on Levitskyy’s guilty plea to one count of conspiracy to commit bank fraud.

Published by The Lawfare Institute
in Cooperation With

On July 20, Judge Steven Jones of the Northern District of Georgia sentenced Evgeny Levitskyy (known by the moniker M.ur.d.e.r.e.r.) to 46 months in prison and three years of supervised release. Levitskyy must also pay restitution to the tune of $499,518.51. The sentence was based on Levitskyy’s guilty plea to one count of conspiracy to commit bank fraud.

On October 13, 2015, Levitskyy was indicted on eight counts (including bank fraud, conspiracy to commit wire fraud, and wire fraud) relating to an elaborate and structured hacking scheme that defrauded an Atlanta company and yielded the cybercriminals over $9 million dollars.

The scheme centered on prepaid bank cards, which some employers issue to their employees in lieu of checks or direct deposits. In 2012, nearly 4.5 million US workers were paid via prepaid payroll cards. Employers prefer them because they cut down on overhead­—up to $5 million per year, for example, for the parent company of several large restaurant chains. Employees are not always fond of the cards; numerous fees deplete the income that is often already scarce in the industries where the cards are heavily used (retail and food service). As it turns out, fees are not the only headache the cards pose.

In order to facilitate making payroll with these cards, employers use companies like RBS WorldPay to handle payroll processing, as well as processing the transactions from the prepaid payroll cards. Oleg Covelin, a hacker in Moldova, learned of a vulnerability on the RBS WorldPay network that could be exploited for financial gain. Using this knowledge, a structured and organized group of cybercriminals worked in concert to defraud RBS WorldPay and its associated banks.

Covelin reached out to Sergei Tsurikov, a cybercriminal in Estonia, who acted as the bridge between those who found the vulnerability and those capable of exploiting it. In search of a cybercriminal with the requisite skills, Tsurikov contacted Viktor Pleshchuk, a hacker in St. Petersburg, Russia. Between November 4 and November 8, 2008, Pleshchuk (as well as Tsurikov and Evgeniy Anikin, another cybercriminal) gained access to RBS WorldPay’s network, from which he stole account numbers for prepaid payroll cards, then reverse-engineering the PINs for those accounts from RBS WorldPay’s encrypted data. He also raised the limits on those particular prepaid payroll cards. Armed with 44 such account numbers and pins, Pleshchuk turned the operation over to Anikin.

Anikin managed a network of cashers, people who used the prepaid payroll card account numbers and corresponding PINs to withdraw cash at ATMs. The network used lead cashers, including Levitskyy, who were each assigned at least one account number and PIN that they distributed to numerous cashers. Tsurikov operated his own network of cashers that operated solely in Estonia.

On November 8, 2008, the coordinated 12-hour blitz began. Cashers used the 44 prepaid payroll cards at 2,100 ATMs in 280 cities to withdraw over $9 million dollars. The ATM withdraws occurred in various countries; the indictment lists the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan, and Canada.

Tsurikov and Pleshchuk accessed RBS WorldPay’s network during these 12 hours to track the withdraws. After the operation was complete, they deleted (not entirely successfully) data of their crime from RBS WorldPay’s network.
After withdrawing the cash, each casher kept 30 to 50 percent of the funds they withdrew and sent the rest to the lead cashers. Anikin was responsible for dividing up the proceeds.

Covelin, the cybercriminal who found the vulnerability, received payment via a prepaid payroll card account number and PIN. He was able to withdraw substantial funds because his confederates raised the card limits.

Visually, the organization looked like this:

On November 10, 2009, the Department of Justice indicted Covelin, Tsurikov, Pleshchuk, and Anikin (listed as “Hacker 3”) on conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud, and identity theft. The same indictment charged the Estonian casher ring, including Igor Grudijev, Ronald Tsoi, Evelin Tsoi, and Mihhail Jevgennov, with access device fraud. That original indictment has been expanded to include additional co-conspirators. Others involved, including Levitskyy, have been charged in their own indictments.

Here is how each has fared:

  • Oleg Covelin: arrested in Russia, status of case unclear
  • Sergei Tsurikov: arrested in Estonia; turned over to the FBS in Russia before Estonia extradited him to the United States; sentenced to 11 years in prison, 3 years supervised release, $8,400,000 restitution, and $9,477,146.67 forfeiture
  • Victor Pleshchuk: arrested and tried in Russia, received a six-year suspended sentence, four years of probation, $8.9 million in restitution
  • Evgeniy Anikin: arrested and tried in Russia; received a five-year suspended sentence
  • Vladislav Horohorin: arrested in France and extradited to the United States; sentenced to 88 months in prison, 2 years supervised release, and $125,739 restitution
  • Ezenwa Chukukere: sentenced to 108 months, 3 years supervised release, joint and several restitution of $1,618,317.68
  • Sonya Martin: arrested in the United States; sentenced to 30 months in prison, 5 years supervised release, and $89,000 restitution

Visually, the charges and sentences look like this:

Roman Seleznev, no stranger to cybercrime prosecutions, pled guilty on September 7, 2017. He is scheduled for sentencing on December 11th.

Notably, there is a substantial disparity between the Russian and American sentences. While Covelin’s status is unclear, the other two who were tried in Russia did not face any time in jail. The co-conspirators tried in the United States have received substantial sentences—11 years at the high end and 30 months at the low end. When Sonya Martin was sentenced to 30 months, there was some outcry about the brevity of the sentence. In April 2017, the European Council of Foreign Relations released a policy brief on the Kremlin’s use of Russian criminal networks. According to the brief, “[a]lthough there is evidence that Russian security agencies are increasingly developing their own in-house hacking capabilities, Moscow still depends, to a considerable extent, on recruiting cybercriminals, or simply calling on them from time to time, in return for their continued freedom.

In an environment where the security of banking transactions is often questioned, “[t]his case demonstrates the Secret Service is committed to protecting our nation’s critical financial infrastructure and payment systems,” according to Special Agent in Charge Kenneth Cronin, of the US Secret Service.

With Levitskyy’s sentencing, the Department of Justice also demonstrates its dogged pursuit of the WorldPay hackers almost nine years after the crime and underscores yet again that it prioritizes taking down cybercriminal networks and prosecuting offenders even if they reside outside of the United States.

Sarah Tate Chambers is a second year law student at the University of South Carolina. She currently works for the Department of Justice's Publications Unit. She graduated from the University of Minnesota with a B.A. in Religious Studies.

Subscribe to Lawfare