A couple of Romanians have pleaded guilty to their part in a scam that saw the point-of-sale systems of hundreds of US Subway sandwich shops hacked, thousands of cards compromised and millions of dollars stolen.
Iulian Dolan and Cezar Butu were part of a four-man gang that between 2009 and 2011 remotely hacked the POS systems of more than 200 retail outlets, including 150 Subway stores, say authorities.
Dolan remotely scanned the Internet to identify US-based vulnerable POS systems with certain remote desktop software applications (RDAs) installed on them. Using these RDAs, he then logged onto the targeted systems.
If necessary, he would crack any passwords before remotely installing keystroke loggers to record, and then store, all of the data that was keyed into or swiped through the merchants' POS systems, including customers' payment card data.
Dolan periodically remotely hacked back into the compromised merchants' POS system to retrieve the customers' data and then transferred it to various electronic storage locations that a co-conspirator, Adrian-Tiberiu Oprea, had set up.
Oprea would then use the data to make charges to cards or transfer funds. He also tried to sell the stolen data to other crooks, among them Butu, who acquired information on around 140 cards and tried to use it.
In all, the group compromised more than 146,000 payments cards and racked up over $10 million in losses. For his efforts, Dolan received less than $7,500 in cash and personal property from Oprea.
In his plea agreement, Dolan has agreed to be sentenced to seven years in prison, while Butu will serve 21 months. Oprea is in US custody and awaiting trial. In May, authorities said that a fourth player, Florin Radu, was still at large.