RBS Hacker Spared Jail Sentence By Russian Court

One of the hackers at the centre of a £6 million fraud against RBS WorldPay will not go to jail, a Russian judge has ruled

The Russian hacker behind the $9.4 million (£6m) fraud against RBS WorldPay will not go to jail, after agreeing to pay compensation to the bank and become an informant for authorities.

A Russian court handed down a reduced six-year suspended sentence, including four years on probation, to 28-year-old Viktor Pleshchuk. He was also ordered to repay 275 million Rubles (£5.7m) to WorldPay, according to Bloomberg, and agreed to provide information about other hackers who cracked a computer system at RBS WorldPay Inc.

“This is not a regular crime but a cybercrime and Pleshchuk didn’t really have a full understanding of the damage he was causing,” Pleshchuk’s lawyer, Yuriy Novolodsky, said in an interview in St. Petersburg with Bloomberg. “He pleaded guilty and is fully collaborating with authorities.”

RBS WorldPay Hack

RBS WorldPay is the US payment-processing division of Royal Bank of Scotland Group Plc and, according to reports, Pleshchuk was the leader of a global hacking scheme that withdrew $9 million from automated teller machines (ATMs).

It happened back in November 2008, when the gang apparently managed to hack into RBS WorldPay’s computer network, and cracked the data encryption on payroll debit cards, which are used to pay members of staff. This allowed the hackers to create duplicate corporate debit cards, and increase the daily withdrawal limits on the compromised accounts.

The gang and its foot soliders then managed to withdraw over $9 million in cash from ATMs by using only 44 fake debit cards. In less than 12 hours the gang had used over 2,100 cash machines in at least 280 cities around the globe.

Pleshchuk, however, was not the only man caught regarding this crime.

Last month, another alleged ringleader, 26-year-old Sergei Tsurikov, of Tallinn, Estonia, was extradited from Estonia to face a US federal judge. Another man, Oleg Covelin, was arrested in Russia earlier this year, and US authorities have indicted eight people on charges relating to this fraud in total.

Soft On Cybercrime?

The Russian court ruling comes at a time when Russia is trying hard to counter a reputation of turning a blind eye to cybercrimes. The light sentence for Pleshchuk will hardly change that perception, and contrasts sharply with the sentence handed down to other cybercriminals such as Albert Gonzalez.

Albert Gonzalez
Albert Gonzalez

Gonzalez was sentenced in March to a 20-year jail sentence in the United States for hacking into retailer TJX Companies and the Heartland Payment Systems payment processing network.

The RBS case comes at a time when online crimes against banks are becoming increasingly common-place. Last month it emerged that cyber-criminals based in Eastern Europe stole £675,000 from a British bank, using a new version of the infamous Zeus Trojan that cannot be detected by traditional firewalls.

According to security researchers at M86 Security, Zeus v3 spreads through legitimate websites and online advertising to infect victims’ computers. Once the Trojan is successfully installed on a PC, it lies dormant until the user connects to their online banking page. It then transfers the user’s banking login ID, date of birth, and a security number to a command and control server, enabling the hackers to break into the account.

And in early August, the Metropolitan Police Service’s Police Central E-Crime Unit (PCeU) confirmed that it had arrested six people as part of a suspected online banking fraud. The arrests took place across London and Ireland, and concerned the theft of credit cards, as well as personal information and banking details. It is thought that more than 10,000 online bank accounts and 10,000 credit cards have been compromised.