The US Justice Department brought indictments against 22 people this week for allegedly purchasing and using stolen credit cards from a national retailer.
Threat actors collected information from over three million payment cards, including credit, debit, and gift cards, used at over 400 of the target company’s retail outlets, using point-of-sale malware deployed at various retail sites.
According to the indictment, the co-conspirators subsequently sold the stolen data for $4 million in Bitcoin to an individual who subsequently sold it to tens of thousands of people, including the 22 persons who are now facing charges from the US Department of Justice.
Twenty of the accused have been apprehended, while the remaining two are on the run, most likely abroad, according to the authorities.
The 22 people are accused of utilising the credit card information to make purchases at gas stations, hotels, and restaurants, among other places.
According to the indictment, one of the accused acquired over 13,000 payment cards stolen from the retailer, while another purchased over 6,000. Others bought anything from 2,000 to 4,000 payment cards.
Each defendant faces up to 20 years in federal prison for wire fraud and a two-year mandatory, consecutive prison term for aggravated identity theft, according to the Justice Department.