Two dozen people on four continents, including two alleged hackers from New York, have been arrested in an elaborate sting targeting a black market for online financial fraud, federal officials said Tuesday.
U.S. officials called the crackdown in the United States, Europe, Asia and Australia the largest enforcement effort ever against computer crooks who specialize in stealing and trafficking credit card, bank and other personal identification information on the Internet — a practice known as "carding."
The officials claimed the two-year FBI sting protected more than 400,000 potential victims and prevented losses of around $205 million.
The arrests "cause significant disruption to the underground economy and are a stark reminder that masked (Internet protocol) addresses and private forums are no sanctuary for criminals and are not beyond the reach of the FBI," Janice Fedarcyk, head of the FBI's New York office, said in a statement.
U.S. Attorney Preet Bharara called the international investigation an unprecedented demonstration that "fraudsters cannot count on being able to prowl the Internet in anonymity and with impunity, even across national boundaries."
According to a criminal complaint unsealed Tuesday in federal court in Manhattan, the suspects bought and sold hacking programs and stolen information via secure websites.
In June 2010, undercover investigators set up their own website "as an online meeting place where the FBI could locate cybercriminals, investigate and identify them and disrupt their activities," the complaint said. The site — called "Carder Profit" — was rigged to allow agents to monitor and record private messages and identify the computers of registered users.
The complaints charged two alleged "carders" from the Bronx, Joshua Hicks and Mir Islam, with fraud. Both were released on bail following brief appearances in federal court in Manhattan. Neither entered a plea.
Undercover agents say they bought stolen data related to 15 American Express, MasterCard and Discover accounts from Hicks, a 19-year-old who lives with his mother and goes by the name "OxideDox" on the Internet.
In one instance, an undercover investigator delivered a digital camera as payment to Hicks for one of the stolen information "dumps," the complaint added. When the agent later asked the defendant in a chat if he liked the camera, the defendant responded, "A different model ... would have been better, but hey, a free camera is a free camera."
Using the name "JoshTheGod", the 18-year-old Islam advised another website user to keep fraudulent purchases from Apple under $350 to avoid detection, the court papers said. He also provided an undercover investigator with credit card numbers and Card Verification Value numbers and corresponding names and addresses, they said.
After Islam's arrest, authorities say Islam admitted that he also used the site to advertise his "doxing" service — a term referring to the sharing of an "individual's name, address, phone number, date of birth, Social Security number, email address in order to embarrass, harass or retaliate against such individual."
Another defendant from Tucson, Ariz., was accused of trying to sell viruses on the FBI site that were designed to take over and remotely control a victim's computer. The malware programs allowed buyers to turn on the web camera of an infected computer and spy on the users, and to record user names and passwords on bank and other accounts, authorities said.
The registration process for the bogus website required unwitting users "to agree to terms and conditions, including that their activities on the site were subject to monitoring for any purpose," the complaint said.
Investigators made 11 arrests in various states, including New York, Florida, Wisconsin and California. Thirteen others were picked up in the United Kingdom, Bosnia, Norway, Italy, Japan and elsewhere overseas. In addition, search warrants were executed in Australia and Canada.
If convicted, the U.S. defendants face five to 20 years in prison.
Associated Press Writer Larry Neumeister contributed to this report.