This week's arrest of 11 alleged hackers accused of stealing more than 40 million credit and debit card numbers may be only the "tip of the iceberg," security experts say.

In the largest identity theft case ever prosecuted by the US Department of Justice, 11 alleged hackers from around the globe face up to life in prison for hacking nine major US retailers - including TJX. Their crimes include conspiracy, computer intrusion, fraud and identity theft, according to indictments unsealed Tuesday by federal grand juries in Boston, MA and San Diego, CA.

Three of the defendants are U.S. citizens, one is from Estonia, three are from Ukraine, two are from the People's Republic of China and one is from Belarus. One individual is only known by an alias online, and his place of origin is unknown.

The Message to Financial Institutions
These indictments "clearly show what we in the intelligence community have known about and talked about for some time -- there is a very mature, multi-billion dollar industry out there when you look below the surface," says Ken Dunham, an expert in malicious code and Director of Global Response at iSight Partners, a global risk management company. "These criminals are only one group -- there are other large-scale criminal operatives dealing with major money. They're in multiple languages and find in their network of contacts those people who help with credential collection, monetization and laundering of the criminal gains. It's a complete criminal business model that reaches around the world."

Financial institutions must look to their own security in light of this case, says another security leader, Dave Kennedy, Principal and Practice Lead of Profiling and e-Discovery at SecureState, a Cleveland, OH information security and risk assessment firm. "This breach is a proof of concept of what can happen and what attackers are capable of doing," Kennedy says. "A lot of companies never know they're breached until the Feds come knocking on their door. So are financial institutions the same... have they been breached? Are they in the process of being breached as we speak? There is no way of knowing."

Dunham adds everyone needs to realize online crimes are integrated with all types of fraud. "This would have never been possible before the Internet -- to have the level of efficiency that we see today in criminal activity, measured by some analysts as high as $100 billion," he observes. Security researchers have known for a very long time that criminals were performing fraud through multiple entities, but when they are under the radar it is very difficult to quantify and qualify. "The criminal marketplace is mature and is much bigger than we may realize," Dunham says

Details of the Indictments
The indictments include charges against ringleader Albert "Segvec" Gonzalez, of Miami, including computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy for his role in the scheme. Related charges were also filed against Christopher Scott and Damon Patrick Toey, both of Miami.

Federal prosecutors say that during the course of the sophisticated conspiracy, Gonzalez and his co-conspirators stole credit and debit card numbers by "wardriving" and hacking into the wireless computer networks of major retailers � including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

"This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results," said U.S. Attorney Michael J. Sullivan in a Department of Justice statement. "Consumers, companies and governments from around the world must further develop ways to protect our sensitive personal and business information and detect those, whether here or abroad, that conspire to exploit technology for criminal gain."

Once inside the networks, the hackers installed "sniffer" programs to capture card numbers, passwords and account information, as they were processed through the retailers' credit and debit processing networks. The stolen information was then moved to encrypted computer servers the hackers controlled in Eastern Europe and United States. They then sold some of the information on the Internet to other criminals who took the card numbers and made fake cards to withdraw cash and make purchases. The criminals withdrew "tens of thousands of dollars at a time from ATMs."

"Technology has forever changed the way commerce is conducted, virtually erasing geographic boundaries," said U.S. Secret Service Director Mark Sullivan in the DOJ statement. "While these advances and the global nature of cyber crime continue to have a profound impact on our financial crimes

investigations, this case demonstrates how combining law enforcement resources throughout the world sends a strong message to criminals that they will be pursued and prosecuted no matter where they reside."

Gonzalez and others concealed and laundered the stolen money through anonymous Internet-based currencies in the US and abroad, sending it through bank accounts in Eastern Europe.

Gonzalez, who had been arrested by the Secret Service in 2003 for access device fraud and was a confidential informant for the US Secret Service, was found to be involved in this case. Federal prosecutors say because of the size and scope of his involvement he faces a maximum penalty of life in prison if convicted.

In San Diego, scheme participants Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov, of Sillamae, Estonia were charged with crimes related to the sale of the credit card data that Gonzalez and co-conspirators had stolen and additional stolen credit card data. Additional indictments against against Hung-Ming Chiu and Zhi Zhi Wang, both of the People's Republic of China, and a person known only by the online nickname "Delpiero," charge them with conspiracy to possess unauthorized access devices, trafficking in unauthorized access devices, trafficking in counterfeit access devices, possession of unauthorized access devices, aggravated identity theft, and aiding and abetting. Sergey Pavolvich, of Belarus, and Dzmitry Burak and Sergey Storchak, both of Ukraine, were indicted on charges of conspiracy to traffic in unauthorized access devices. All are believed to be foreign nationals residing outside of the United States.

Federal prosecutors charge that Yastremskiy, Suvorov, Chiu, Wang, Delpiero, Pavolvich, Burak and Storchak operated an international stolen credit and debit card distribution ring with operations from Ukraine, Belarus, Estonia, the People's Republic of China, the Philippines and Thailand. Yastremskiy's indictment alleges he received more than $11 million for his part in this criminal activity.

Earlier in May Gonzalez, Suvorov and Yastremskiy were charged in a related crime in New York. The trio is charged with engaging a sophisticated scheme to hack into computer networks run by the Dave & Buster's restaurant chain. The three stole credit and debit card numbers from at least 11 locations. They used similar methods to hack into the cash register terminals, installing at each restaurant a "packet sniffer," a computer code programmed to capture a computer network's communications. The packet sniffer, configured to capture credit and debit card numbers as this information was processed by the restaurants, was highly effective -- as at one restaurant alone it captured data for approximately 5,000 credit and debit cards. This caused losses of at least $600,000 to the financial institutions that issued the credit and debit cards. (See related: Dave and Buster Indictment)

Three of the 11 are in custody, Gonzalez is being held in New York. Turkish law enforcement arrested Yastremskiy in July on related Turkish charges and will face extradition to the US. Suvorov was arrested in Germany and faces extradition to the US.