Hack Me If You Can, Part 1: The Making of a Russian Hacker – The Journal.

This transcript was prepared by a transcription service. This version may not be in its final form and may be updated.

Ryan Knutzen: Hey, it’s Ryan. One of the hosts of The Journal. In our feed today, we’re bringing you a new series. It’s about hacking. Our colleague, Bob McMillan, is going to tell this story. He knows a lot about hacking. He’s been reporting on it for almost two decades. Pretty much anytime there’s a major hack, whether it’s of Twitter, a hospital, or the US government, we call Bob and asked him to explain it to us. A few months ago, Bob reached out to us and said he had a story he wanted to tell for the podcast. A story that Bob says is key to understanding how Russia produced a generation of cyber criminals. It’s the story of one Russian hacker. Here’s Bob.

Bob McMillan: Dmitriy Smilianets has had a long career.

Dmitriy Smilianets: I had to hustle. I sold unlicensed software. Then, I was building and managing a website for large factory. They were building equipment for producing milk, yogurts and stuff. So I was building a website for them.

Bob McMillan: Okay. You left one thing off your resume though.

Dmitriy Smilianets: Right. That was being manager of the largest hacking group ever prosecuted in the United States.

Bob McMillan: I’ve written about Russian hackers for years, but Dmitriy is the first one that I met in person. In the early 2000s, he led a team that broke into companies across America. They spend a year quietly pulling off what is still one of the biggest hacks in US history, which caught the attention of the government. Here’s a federal prosecutor talking about Dmitriy’s crew.

Speaker 4: They would probe, and test, and penetrate, until they would actually get in. And once they got in, they would use custom designed malware, malicious computer programs, that were their unique burglary tools to gain access to different parts of a company’s networks.

Bob McMillan: I’ll told the feds say that Dmitriy’s gang cost its victims more than $300 million dollars in damages.

Speaker 5: And the good news is, it wasn’t passed on to the consumer. The bad news is, in the end, it always is, because the companies have to make up that loss somewhere.

Bob McMillan: I knew of Dmitriy’s work before I knew his name. But where I found Dmitriy, well, it wasn’t where I expected. He wasn’t in some bunker in Moscow or a maximum security prison. He was living in a gated community in New Jersey.

Speaker 6: Good morning. Where are you guys heading?

Speaker 7: We’re here to see Dmitriy Smilianets.

Bob McMillan: With an immaculate lawn. Yeah. With a big American flag on it. That’s it. And a dog. Dmitriy comes out to meet me. Dmitriy. He’s wearing sweatpants, and has a bodybuilder’s physique. Although he looks tough, he’s warm and welcoming. We walk around his home, which, by my count, has six American flags.
Okay. So you got your classic backyard setup here.

Dmitriy Smilianets: Yeah. A classic American dream backyard, with barbecue, with fire pit, with a table where we can sit together as a family after I grilled some meat.

Bob McMillan: And I even got to meet his parrot.

Dmitriy Smilianets: His name is Jerome. One night, he landed on my desk, and destroyed my keyboard. He picked all the keys. So I’m (inaudible) post no fly zone, and he’s restricted to his cage right now.

Bob McMillan: How Dmitriy ended up here, is the story of how Russia became a criminal hacking superpower. How teenagers schooled in a collapsing empire, went from piloting video games, to stealing hundreds of millions of dollars. And how a cat and mouse game that stretched across continents, would end up with Dmitriy, here in New Jersey, living a double life. From The Journal, this is Hack Me If You Can, the story of a Russian cyber criminal who went to the other side. I’m Bob McMillan. Coming up, part one. The making of a Russian hacker. In the early 90s, when Dmitriy was eight years old, two very important things happened. Computers became widely available, and the Soviet Union collapsed.

Speaker 8: In Moscow, the hammer and sickle is lured for the last time. And an era comes to an end.

Bob McMillan: Dmitriy was an only child living in Moscow, and he remembers the violence and the upheaval rot by the breakup of the USSR.

Speaker 9: Mingling with the rush hour traffic, Red Army armored personnel carriers on the streets of Moscow this morning, heading to the Kremlin.

Dmitriy Smilianets: I remember tanks shooting at the parliament building. I remember people with guns, running on the streets shooting. I remember chaos. I remember there was no law. I was raised in a vacuum of the law. Russia, there was a wind of change. They knew Russia is not the Russia we see today. That Russia was freedom. It was unlimited freedom.

Bob McMillan: Dmitriy’s going to tell most of this story, but I’ve spoken to a lot of people about it. I’ve examined documents and video evidence to confirm it. To piece together the details, I’ve also talked to his friends, associates, even the people who would later investigate him. And I swapped emails with his dad, a former criminal investigator with the Moscow police. When Dmitriy was growing up, his mom was a school teacher. She wanted him to join the FSB, which was Russia’s security agency. Dmitriy had other ideas.

Dmitriy Smilianets: I saw my father was in government, and I saw him coming with a lot of cases, with a lot of documents. Investigations, right? But I didn’t see him bringing a lot of bags, fruits, juice, candies. So he worked a lot, but there was not enough results for us to see the value in his work.

Bob McMillan: So you felt he was underpaid?

Speaker 12: Absolutely.

Bob McMillan: Yeah.

Dmitriy Smilianets: And I was like, “I don’t want to be that guy.”

Bob McMillan: What did you want to be when you grew up, at that age?

Dmitriy Smilianets: I knew that computers industry will grow. And I knew it, I will be very close tied to the computers.

Bob McMillan: Dmitriy new computers would be the future. So he started learning everything he could about them. He got his first one in fifth grade. And by the age of 13, he says he was selling counterfeit software at a Moscow flea market. He was part of an emerging generation of young hackers in the late 90s in Russia. Their Bible, a magazine called Hacker. You can still buy copies of it today. I went and dug out the first edition. And on the outside, it looks like a kid’s comic with cartoon characters on the cover. But the articles inside reveal it to be a very practical guide to becoming a criminal hacker. You can get tips on how to hack computers, how to hack answering machines, even how to steal credit card numbers. It was this magazine that taught Dmitriy about counterfeit software, and how to carry out his first hack, which helped him access something he couldn’t afford. The internet.

Dmitriy Smilianets: Internet was extremely expensive in Russian. It was $10 for one hour. I had to collect money, save money, to buy one hour, then use it. And I was like, “How can I stay longer?”

Bob McMillan: An article Dmitriy read in Hacker Magazine, explained how to steal people’s internet passwords. At first, he says he and a friend stole them from other internet users. But soon, his victims noticed that their bills were going up a lot.
So you had used some passwords that were but were a consumer, but then they would stop working after a while.

Dmitriy Smilianets: Yeah, because they also had to pay for this super expensive-

Bob McMillan: You would get a bill-

Dmitriy Smilianets: … I drained their accounts very fast. Right. So-

Bob McMillan: … So what, how many hours are you on the internet with this, at $10 an hour with these consumer passwords?

Dmitriy Smilianets: I don’t remember, but enough.

Bob McMillan: And then, one day, Dmitriy was with his friend, when his friend got a call.

Dmitriy Smilianets: So he said, “Hello.” And it’s like, “Excuse me. You’ve been using my account for a while, and you drained my account. Please don’t do it ever again or I will go to the police. And we’re like, “Oh, shit. How did they discover my phone number? So we’ve had to stop.

Bob McMillan: How old were you when you did this?

Dmitriy Smilianets: I was like 12, 13.

Bob McMillan: Dmitriy may have dabbled in hacks like this, but he wanted a legitimate job in computer science. At 18, he signed up for a degree at a prestigious university in Moscow.
What did you think about your prospects, looking at your dad who clearly wasn’t being paid what he was worth. What did you think your prospects were for your future then?

Dmitriy Smilianets: They changed. So I was very excited when I started going to college, I picked the most promising specialty. Information security. Information assurance. But getting closer to graduation, I saw no future for myself. I wasn’t given opportunity. I wasn’t given interviews with my future employers. That never happened.

Bob McMillan: Then, in his third year of college, Dmitriy’s future was decided very suddenly.

Dmitriy Smilianets: I had a very good friend. We went to celebrate something. We both got drunk. I already had driver license. He was younger. He did not have a driver license, but he had a very expensive car. So he said, “Dmitriy, we have better chances with you driving, because we both are drunk. It was very slippery. It was raining. And it was very sharp turn. I overestimated my skills. So we got thrown out of the road, and I hit the concrete pole.

Bob McMillan: They both survived. But the car, a Mercedes E-Class worth about $50,000, was totaled. And Dmitriy says he was on the hook for it.
What was your plan to pay back the money?

Dmitriy Smilianets: There was no plan.

Bob McMillan: Dmitriy didn’t have tens of thousands of dollars lying around, and neither did his parents. So he got in touch with some friends he’d made online.

Dmitriy Smilianets: I was just given an advice that there is a place in internet that you could go and discover, and find ways to make a lot of money, very fast. It was website called Carderplanet.

Bob McMillan: Imagine an online marketplace like eBay, except this isn’t where you come to buy an antique. This is Carderplanet, a marketplace for stolen credit cards, with thousands of users.

Dmitriy Smilianets: I went there. I studied it. I read every single post. Sometimes I have to reread to comprehend. But in a week, I became very knowledgeable in cybercrime. I knew what was carding, credit card fraud. I knew where to find data. I knew who’s selling it. I knew what people do with this data.

Bob McMillan: What Dmitriy had stumbled across was carding, as in stealing credit cards. And it works like this. That black strip on the back of your credit card contains a digital version of your credit card number, along with the expiration date and a security code. That’s what the hackers want to steal. Once they have it, they can make a counterfeit of your card and ship it to associates, who then use that counterfeit to empty ATMs and buy products that they sell online. Dmitriy knew he wanted in, but he wasn’t sure what his role would be in this criminal operation.

Dmitriy Smilianets: I only had to find a place for myself in this ecosystem, because I wasn’t a great hacker. So I found a place as a middleman, between the guy who gets data, and the guys who are using this data. And I became very successful at that.

Bob McMillan: Hackers can’t do everything on their own. So when they get good, they work in teams. Dmitriy joined one as a deal maker. His role was to sell the card data they stole. And like a lot of people in sales, he still remembers his first deal.

Dmitriy Smilianets: My first deal, I remember I received $190. And 140 of them, I had to pay for the data to my vendor. So I have $50 and this $50, I also have to receive them somehow. So I hired the person to do this and I split my 50 bucks with him first. That was my first deal.

Bob McMillan: By the time Dmitriy had paid the guy who sold him the data, and the guy who picked up his cash, Dmitriy says he made about 25 bucks from that first deal. That doesn’t sound great. But what the sale actually gave him, was something far more valuable. A good reputation.

Dmitriy Smilianets: He left a positive review, and I started getting two, three, deals a day. There were small. But together, they meant something. And I felt a difference.

Bob McMillan: Within months, Dmitriy says he went from $25 deals, to sales worth tens of thousands of dollars.

Dmitriy Smilianets: In a month, I paid my debt. I paid my debt for the Mercedes. And then, in the second month, I bought myself an Audi.

Bob McMillan: That’s pretty good.

Dmitriy Smilianets: I go to the restaurant, buy clothes I wanted, and I have money. I have cash to afford all my dreams. So it was great in the moment. And then, I was upset because it’s too easy. I had that feeling that everything is affordable right now, and I need to set maybe bigger goals. I got hooked. I couldn’t stop.

Bob McMillan: If the car accident hadn’t have happened, would you have gone into cybercrime?

Dmitriy Smilianets: Never. I would never join cybercrime. I had to do it. I had to find this money. I had to find $50,000. I know it sounds like I’m making an excuse for my actions, but for a 20 year old boy getting into this situation, and I could have started selling drugs. I could have started doing something even worse. I think I got lucky that I got involved just in cybercrime.

Bob McMillan: But this was just the beginning, because Dmitriy would go on to become a carding king, and lead a team that would pull off one of the biggest acts in US history. That’s next.
2003 was a big year for Dmitriy. He was halfway through college, and he had met the woman he would go on to marry. And he had even tried working a legitimate job, running a website for a company called Momash, that made, of all things, cow milking machines. But Dmitriy never stopped hacking. Over the next few years, he made big money on Carderplanet. Much more than a legit job would ever pay. After he graduated from college in 2006, Dmitriy told his family and his girlfriend that he was making money from web development in real estate work. But really, he was hacking full time. It was illegal, but Dmitriy and the other users of Carderplanet, weren’t worried about the law or their victims. Dmitriy read an article in Hacker Magazine, which explained that stealing American credit card details didn’t actually hurt anyone. Nearly 20 years later, he still remembers what it said.

Dmitriy Smilianets: Carding is not a crime. It’s a victimless action. There is no guilt, because even if the money were stolen from a card holder, the bank will replenish the money. The insurance will cover losses for the bank. The treasury will print more cash and cover insurance. So at the end, as I was explained and told, there is no victim.

Bob McMillan: So you believed that.

Dmitriy Smilianets: I wanted to believe that, because I already saw how profitable this is. So I just needed justification. And that came right in place.

Bob McMillan: What would your dad have said about that?

Dmitriy Smilianets: Oh, if I ever shared with him what I was doing, he’d probably smack me first, and then explained me that I’m going to jail for these actions. He never knew.

Bob McMillan: Dmitriy wasn’t worried about being arrested in Russia. He was hacking companies outside the country, and Russia didn’t extradite, which meant that Russia’s hacking into US networks were almost never arrested. So hackers like Dmitriy were able to hone their skills on Carderplanet, all in relative security.

Dmitriy Smilianets: We were pioneers, and we shared real stories right there on the forums. Sometimes with photos. Sometimes people didn’t even hide their true identity. We thought we are very close family. Three, 4,000 people knew each other. We did not expect that someone is watching us, especially not in Russian, Ukraine. The cybercrime did not exist. So it was very trusted in close community.

Bob McMillan: This meant that Dmitriy and the hackers on Carderplanet had the time to get good. Really good. And in Dmitriy’s case, time to build a great hacking team. First, he needed an exceptionally talented hacker. And after a few months on Carderplanet, he discovered one of the best. Who is Vladimir Drinkman?

Dmitriy Smilianets: Mr. Drinkman is the most gifted hacker in the world. Super gifted. His way of thinking about networks, his way of seeing things is different than what I have. We immediately became friends in real life, spending time together. At some point, we even lived together. We just liked to hang out together, spend as much time as we could together.

Bob McMillan: And what would you talk about?

Dmitriy Smilianets: Everything? Girls, life, business, appliances in the house, cars, new technology things.

Bob McMillan: Dmitriy saw in Drinkman, the deep technical skills that he lacked. And Drinkman, well, he saw something in Dmitriy too.

Dmitriy Smilianets: He saw potential, and he needed a person to handle all this, because it’s impossible to focus on hacking and monetizing at the same time. You need to split your day, split your way of thinking. And it was easier to find another person to move data. And that was me.

Bob McMillan: So you were complimentary in your skills, basically.

Dmitriy Smilianets: That’s correct.

Bob McMillan: They decided to work together. Drinkman would find new and innovative ways to steal data, and Dmitriy would make the money.

Dmitriy Smilianets: So at first, it was me and him. Then, it grew up to a bigger, larger group, because he needed more people for very specific tasks.

Bob McMillan: Tasks, such as?

Dmitriy Smilianets: Someone is hacking into, someone is literally moving through the network. Someone is harvesting the data. Someone is supplying bulletproof servers. Someone is monetizing the data. So everyone has a very specific role. It’s like Ocean’s Eleven. You can imagine.

Bob McMillan: The roles went like this. Dmitriy was the CEO. He would do the deals, and sell the credit card dumps. Drinkman was effectively chief technology officer. He was responsible for breaking into networks, and moving within them, searching for the places to hide and pull the data out. He was assisted by a man called Alexander Kalinin. Let’s call him head of business development. Then, there was Roman Kotov, who was really the chief data officer, a master at mining networks to steal data. And the final member of the team, was Mikel Ritikov. He was responsible for building a bulletproof server. That server, it was hidden in a rundown shack in Ukraine, that was filled with debris. There was a secret button on the floor of one of the shack’s junk filled rooms. If you pushed it, the floor would drop, revealing an underground bunker.
This is where Dmitriy’s team hid everything they stole. There’s a video of that bunker, and it’s totally bonkers. It shows a secret stairway you walk down to get into the room itself. You open a door, and bam, there’s a room stacked with blinking server towers, cooling fans. The hum is overwhelming. And tucked away in the corner, there’s Ritikov’s desk. The man responsible for keeping the bulletproof servers running. I was pretty impressed with the team’s security. It’s not every day you see a server hidden in a bunker. But when I asked Dmitriy about that video, he had a different take.

Dmitriy Smilianets: But did you look at his desk?

Bob McMillan: No.

Dmitriy Smilianets: You should revisit that video.

Bob McMillan: Yeah.

Dmitriy Smilianets: His desk is a mess. And when I saw that desk, I messaged the guys like, “Bro, you disappoint me with this. Why is that?” And he never replied.

Bob McMillan: You keep a tidy desk.

Dmitriy Smilianets: Yes. I feel like if your desk is organized, your mind is organized.

Bob McMillan: Ritikov’s lawyer says his client denies any wrongdoing. Dmitriy’s all star team of hackers had big targets. They were going to focus on hacking the computer networks of retailers and financial companies, because they held millions of payment card details. Many of the companies were American, and they were unprepared for the matchup against Dmitriy’s crack team. This was in the early 2000s, when the huge threat posed by hackers was only just starting to be understood. And investing in cybersecurity, well, that was expensive. Dmitriy’s team went on to hack a lot of companies. Companies like 7-Eleven, JetBlue, and Dow Jones, the company I work for, which publishes the Wall Street Journal.

Dmitriy Smilianets: We only were paying attention to financial crimes, because we knew how to monetize those crimes. With this knowledge, expertise, and skill, we could do anything. If there was an order to look at the dark side of the moon, we would get that.

Bob McMillan: Were you consider yourself to be the best hacking team in the world, then?

Dmitriy Smilianets: Yes.

Bob McMillan: These hacks made Dmitriy a lot of money. And what does a 20 something do with that kind of money? He spends it.

Dmitriy Smilianets: We are young. We don’t care about money. We spend them. Fancy cars, renting boats, spending on luxury alcohol. The money flew away very quickly.

Bob McMillan: He hung out a lot with Drinkman, his best friend and partner in crime. When they weren’t hacking, they liked to party.

Dmitriy Smilianets: We went to Sochi a lot, many times. Nightclubs, of course. All the top clubs in Moscow.

Bob McMillan: Sochi may be known for hosting the Winter Olympics, but it’s a beach resort on the Black Sea. Sometimes referred to as the Florida of Russia. It was one of Drinkman And Dmitriy’s favorite places to unwind.

Dmitriy Smilianets: You live in a hotel, you wake up, you go down to the shore, you rent jet ski, you surf, you ride, and you drink beer, and you go to the lunch, and you get into the dinner time, you party all night, and you go back to sleep.

Bob McMillan: Dmitriy may have been partying, but he was still a hustler, always thinking about his next target. Around Christmas, 2007, he and his team set their sight on their biggest hack yet. An American company called Heartland Payment Systems. Was it a known company to you, before then?

Dmitriy Smilianets: I never knew that company. But again, we had a person whose job was look for targets. And job was to compromise them. I guess he found that target and exploited that.

Bob McMillan: Dmitriy might not have heard of Heartland, but it was a big target. A credit card processing company that did all the backhand work, whenever a business was paid by debit or credit cards. By the time they were on Dmitriy’s radar, they were processing millions of payments each day for Visa, MasterCard, and American Express. For this hack, they teamed up with someone they’d worked with before. An American named Albert Gonzalez. Gonzalez was a big name in carding, a pioneer of the genre. And he had experience hacking big US companies. The team spotted a bug in Heartland’s website, which gave them a way in. Now, they needed to find where Heartland stored the credit card numbers. But they hit a dead end

Dmitriy Smilianets: When they entered, they were looking for storage, and there was none. But because it’s a processor, there is credit card data flying around. That’s what its job, right? So we just needed to find it.

Bob McMillan: Heartland had pretty good security. So the hackers couldn’t lift card numbers off of the company’s file systems. They were encrypted, but Heartland was a payment processor. And to process payments, you need to have those numbers. Somewhere along the line, they had to be unencrypted.

Dmitriy Smilianets: There is a place in a network when data gets decrypted for a split of a second, and verified, because you need to verify if the credit card is legit, if there’s money. So during that split of a second process, we went to the memory and scraped that real credit card number. Give me that. That’s what happened.

Bob McMillan: Dmitriy and his team were in. Discovering hackers on your network is a nightmare for any security pro. This particular nightmare, it landed on the desk of Chris Herren. In 2008, he was Heartland’s chief security officer.

Chris Herren: As a CSO, you’re the guy that’s supposed to keep Russian hackers out of your network. And two weeks after I joined Heartland, Russian hackers were stealing data from my network. So they know that credit cards are flowing through Heartland’s systems somehow. And they’re trying to figure out and map out different systems, different people, who does what, and they’re trying to find this very specific data called track data. So they’re literally searching through systems to look for this stuff.

Bob McMillan: Chris and his team got to work, trying to block Dmitriy’s squad from Heartland’s systems. And initially, they managed to kick them out.

Chris Herren: The Heartland security team at that time, they detected it. They knew. They knew there had been an incident, and they thought they had cleaned it all up.

Bob McMillan: But the American hacker Dmitriy’s team was working with, Gonzalez, he helped them find a way back in.

Dmitriy Smilianets: They kicked us out. Then, I think Gonzales provided us with that access, if I remember well, so we were able to get back and kept collecting for a while more.

Bob McMillan: Gonzales may have gotten Dmitriy’s team back in the system, but he wasn’t part of the Heartland hack for long, because one of the risks of teaming up with a superstar hacker, is that sometimes they get arrested. And that’s what happened to Gonzalez. One day, while he and Dmitriy were chatting online, Gonzalez said he was going to go to the gym. But he never came back to the computer. Dmitriy says he never heard from Gonzalez again. Gonzalez had been arrested for a completely different case, unrelated to Heartland. But even with him out of the picture, the Heartland hack went on, and Dmitriy’s crew were starting to realize that this would make them richer than they’d ever imagined.
What did Drinkman say about it?

Dmitriy Smilianets: Oh, you’re going to be sick selling this, Dmitriy.

Bob McMillan: And why did he think that? What was-

Dmitriy Smilianets: Because he saw the amounts of data they were pulling out, daily.

Bob McMillan: So normally, how much data would you pull out from a hack?

Dmitriy Smilianets: Well, normally, talking about a million credit card database, is something huge. In this case, it was more than that every day.

Bob McMillan: This is like an oil well. You’re just pumping data out like a raw material.

Dmitriy Smilianets: That’s how it looked like.

Bob McMillan: Dmitriy and the team were stealing about a million cards every day. And this kept going on for months. They kept pulling more and more credit card numbers, but they had a decision to make. If they sold the data, it would trigger fraud warnings with the credit card companies. So they waited.

Dmitriy Smilianets: I would say half a year, at least.

Bob McMillan: Half a year?

Dmitriy Smilianets: Yeah. And I was living in expectations. I was like, “I’m going to get something big. I’m going to get something big.” But we didn’t touch it. Like, Dmitriy, hold strong. Don’t touch it. Don’t do it. Yeah.

Bob McMillan: Well, Dmitriy and his team spent most of 2008 extracting that data. Chris Herren had no idea they were back in the Heartland system. That was until he got a call while he was on a business trip toward the end of the year.

Chris Herren: I was in Louisville, Kentucky, at our office call center there. I was enjoying a dinner on this trip. In fact, I was on the river, and I can remember the restaurant, when I got a phone call from Visa. And it was a gentleman at Visa, who’s responsible for risk. And he said, “Hey, Chris. I want to chat. We’ve got something really odd going on, and we need your help. We need you guys to look into some stuff.” He said, “We’ve got a large event. A big dump of cards just went on the market. And they’re all being used for fraud now. But where did this come from?”

Bob McMillan: Dmitriy had started selling the credit card data. And there was so much of it, Visa and the other card issuers had noted a glut of fake cards entering the black market. They wanted to figure out where those numbers had been stolen from, and they thought the source might be Heartland. How do you feel, getting that call?

Chris Herren: Clearly, that’s a no call. That is a heart stopping call, that no CSO ever wants. And that kicked off months of work by lots of different people, to try to figure out what was going on.

Bob McMillan: This is how hacks often go down. Companies kick the hackers out, and then they find a way back in. Now, Chris and his team needed to work fast to get Dmitriy’s Ocean’s Eleven squad out of Heartland’s systems. Chris had experienced rooting out the bad guys. But Dmitriy’s team, they knew where to hide.

Chris Herren: Whac-A-Mole is probably a good way to describe the attackers and the defenders. There are always new vulnerabilities that come up. Bad guys are looking to exploit those as quickly as possible.

Dmitriy Smilianets: Your adrenaline goes through the roof, heart start beating. You’re at real action, and you see your adversaries moving and trying to cut you from the network.

Chris Herren: Good guys are scrambling to get it fixed as quickly as possible.

Dmitriy Smilianets: But you are very persistent. You stay. You hide. And that game, cat of mouse, that’s exciting.

Bob McMillan: It took Chris and his team months to completely eject Dmitriy’s squad from the system. Over the course of the Heartland hack, they lost 130 million card numbers. And eventually, the company had to pay damages of more than 110 million dollars to Visa, MasterCard and American Express.

Chris Herren: People wondered if Heartland was going to go out of business.

Bob McMillan: Heartland didn’t go out of business, but the hack wasn’t forgotten. It triggered an investigation by the secret service and the FBI. In August, 2009, the US government filed charges against Albert Gonzalez, for previous hacks and for his role in Heartland. But that wasn’t all.

Speaker 11: This today, the justice department has just announced indictments for the largest data breach in US history.

Speaker 12: Well, authorities have busted what could be the largest ever case of identity theft, involving more than 130 million credit-

Speaker 11: 130 million credit and debit card numbers were stolen from three companies. Heartland Payment Systems, 7-Eleven, and Hannaford Brothers.

Speaker 12: They planted software to steal data in real time, as it was being entered by cardholders.

Speaker 13: Ringleader is 28 year old Albert Gonzalez. He’s from Miami.

Speaker 12: An American, Albert Gonzalez, and two Russians, hacked into the servers of credit card processor, Heartland Payment Systems, and four other companies, including 7-Eleven.

Speaker 11: Officials are charging a Miami man, and two Russians in the case.

Bob McMillan: The mention of two unnamed Russian hackers had caught Dmitriy’s attention. This could be him and Drinkman, but the feds also might have no idea which Russians they were looking for. Did the US government know this was them? Maybe. But Dmitriy was confident that they had covered their tracks. Albert Gonzalez pled guilty, and was sentenced to 20 years in prison. He is still serving his time. With the Heartland hack, Dmitriy’s team had hit the jackpot. But it had also put them on the map. And Dmitriy started to realize just how deep he was getting into the game.
What did you think about the legality of what you were doing? Was this still victimless crime, or how aware were you of the fact just that you were breaking the law, doing all of this?

Dmitriy Smilianets: I think, at some point I understood that it’s a lie, because of big news, because governments got involved. We saw the victims. There are victims. But I was too deep into the game. Imagine a car. It’s moving 20 miles per hour. You can open the door. You can jump out. Maybe you’ll break something. Imagine a car is doing 60 miles per hour. You’re still going to open the door. And if you jump, you’re going to get hurt. Our car was moving 200 miles an hour. I couldn’t open the door.

Bob McMillan: What Dmitriy didn’t know, is that someone from US law enforcement was already on his tail, and getting closer by the day.

Speaker 14: The Secret Service had seen a mistake with Dmitriy Smilianets. This group, their operational security was unbelievable. But he had made a mistake. He was on the radar.

Bob McMillan: That’s coming up in the next episode of Hack Me If You Can.
Hack Me If You Can is part of The Journal, which is a co-production of Gimlet and the Wall Street Journal. This episode was produced by Rachel Humphreys, and hosted by me, Bob McMillan. It was edited by Brendan Klinkenberg, with help from Catherine Brewer. Fact checking by Nicole Pisolka. Sound design and mixing by Griffin Tanner. Music in this episode by Marcus Agala, Nathan Singapak, Bosco, Epidemic Sound, and Audio Network. The music and remix by So Wiley. Thanks for listening. Check out Episode Two. It’s already in your feed.