The U.S. Justice Department this week announced indictments against 22 individuals who allegedly purchased and used payment cards stolen from a national retail chain.
Using point-of-sale malware installed at multiple retail locations of the target company, threat actors stole information of over three million payment cards, including credit, debit, and gift cards used at over 400 of the company’s retail stores.
According to the indictment, the co-conspirators then sold the hijacked data for $4 million in Bitcoin to an individual who sold it to thousands of other people, including the 22 now facing charges by the U.S. Department of Justice.
Twenty of the defendants have been arrested while the other two remain are large, likely abroad, the authorities said.
The 22 individuals are charged with using the payment card information to make various purchases, including at gas stations, hotels, and restaurants.
The indictment alleges that one of the defendants purchased more than 13,000 payment cards stolen from the retail chain, while another purchased more than 6,000 such cards. Others purchased between 2,000 and 4,000 payment cards.
According to the Justice Department, each defendant faces up to 20 years in federal prison for charges of wire fraud and a two-year mandatory, consecutive prison sentence for aggravated identity theft.