WASHINGTON, D.C.–A Romanian man was extradited to the United States and appeared in federal court in New Hampshire Tuesday, to face federal charges relating to his alleged participation in an international multimillion dollar scheme to remotely hack into and steal payment card data from hundreds of U.S. merchants’ “point of sale” computer systems.
In a four-count indictment unsealed on Dec. 6, 2011, Adrian-Tiberiu Oprea, 28, of Constanta, Romania, along with three other Romanian nationals, Iulian Dolan, Cezar Iulian Butu and Florin Radu, were charged with conspiracy to commit computer fraud, conspiracy to commit wire fraud and conspiracy to commit access device fraud. Oprea was extradited to the United States on May 25, 2012. He was arrested on Dec. 1, 2011, in Romania and remained in custody there prior to his extradition. Dolan and Butu were arrested upon their entry into the United States on Aug. 13 and Aug. 14, 2011, respectively, and remain in United States custody. Radu remains at large.
According to the indictment, from approximately 2008 until May 2011, Oprea, Dolan, Butu and Radu conspired to remotely hack into more than 200 U.S.-based merchants’ point-of-sale (POS) or “checkout” computer systems in order to steal customers’ credit, debit and gift card numbers and associated data (collectively referred to as “credit card data”). A POS system allows merchants to process customer purchases, including those made using credit, debit and gift cards, and typically includes a computer, monitor, integrated credit card processing system, signature capture device and a customer pin pad device. Merchant victims include more than 150 Subway restaurant franchises located throughout the United States, including in the District of New Hampshire, as well as more than 50 other identified retailers. According to the indictment, members of the conspiracy have compromised the credit card data of more than 80,000 customers, and millions of dollars of unauthorized purchases have been made using the compromised data.
If convicted, each defendant faces a maximum sentence of five years in prison for the conspiracy to commit computer fraud charge and for each conspiracy to commit access device fraud charge and 20 years in prison for conspiracy to commit wire fraud charge. They also face up to three years of supervised release, a fine of up to twice the amount of the fraud loss, and restitution.