Nearly twenty Americans have been indicted in connection with a card-cloning scam that targeted a national retail chain based in Chicago, Illinois. The scam took place between 2016 and 2017 when a malicious software program was installed on computers belonging to the retailer, which sold a variety of products including clothing, electronics, toys, furniture, and home decor.
The malware allowed a co-conspirator to steal data from over three million credit cards, debit cards, and gift cards used at 400 of the retailer’s branches. The stolen data was then sold for $4 million in Bitcoin to another individual, who in turn offered it for sale on two separate websites to over 3,000 users.
An indictment unsealed in the Northern District of Illinois on May 25 named 22 individuals from nine states who were accused of purchasing the stolen data. Most of the defendants are in their late 20s or early 30s and reside in California or New York. They allegedly used the stolen information to make purchases at various businesses across the country, victimizing at least 80 people in Illinois between August 2016 and July 2020.
All but two of the defendants have been arrested and are now in the federal court system, while the remaining two are believed to have fled overseas. The Department of Justice stated that the investigation into the card-skimming scam is ongoing.
The defendants are accused of purchasing the payment card data of between 1,000 and 2,000 skimmed cards, with one individual, Barry Shi of Rosemead, California, allegedly buying the data of 18,742 payment cards, including over 13,000 used at the Chicago retailer’s stores, for around $507,273 in Bitcoin.
Wire fraud carries a maximum sentence of 20 years in federal prison, while aggravated identity theft mandates a consecutive prison sentence of two years.
The impact of this card-cloning scam highlights the importance of cybersecurity measures for retailers and consumers alike. It serves as a reminder of the risks associated with financial transactions and the need for vigilance in protecting personal data from cybercriminals.