Moldovan man charged in Pittsburgh over $25M in computer hacker losses

Friday, Feb. 26, 2016, 11:42 a.m.

The victims of a vast international computer hacking scheme thought they might never see a defendant brought to trial in Pittsburgh.

But the FBI on Thursday sent an airplane to Cyprus and returned with Andrey Ghinkul, 30, of Moldova, who has been accused of conspiring to run a hacking scheme that stole an estimated $25 million by using phishing malware to harvest victims' personal and bank information. He attended an initial appearance hearing Friday at the federal courthouse, Downtown.

“As we are dealing with the dynamic challenge of fighting cyber criminals ... we remain committed here to treating everyone the same,” U.S. Attorney David Hickton told reporters. “If you are violating the law, it doesn't matter your status or where you reside, we are going to charge you and try to find you.”

Ghinkul maintains his innocence, his lawyer, Arkady Bukh of New York City, told the Tribune-Review. Ghinkul will be represented by a public defender until the court approves Bukh's representation in the case.

The government has a high burden of proof to show that Ghinkul was the hacker operating the computer behind the attacks, Bukh said.

“The typical defense in those cases is that the government will have to face an uphill battle in proving that this is the guy,” Bukh said. “... The typical defense is that someone used the name as a shield to frame someone else.”

Ghinkul has been charged with conspiring with others to distribute malware — known variously as Dridex, Cridex or Bugat — to steal personal and banking information from infected computers around the world.

Hackers could then use the stolen credentials to authorize fraudulent wire transfers worth millions of dollars from victims' bank accounts.

Local victims of the hacking schemes include Penneco Oil Co. in Delmont and the Sharon City School District, prosecutors have said.

Criminals transferred more than $3.5 million from Penneco's bank account to accounts in Krasnodar, Russia, and Minsk, Belarus, on Aug. 31, 2012, and Sept. 4, 2012, according to court documents.

“They informed us early on that the likelihood of physically apprehending the perpetrators was very low,” said Ben Wallace, Penneco's chief operating officer. “We appreciate their diligence and hard work.”

Separately, hackers targeted Sharon City schools on Dec. 16, 2011, trying to move $999,999 from the district's bank account to an account in Kiev, Ukraine, prosecutors said. A diligent bank employee thwarted the theft by calling the district's business manager for confirmation of the large transfer.

“We had every confidence that at some point they would be tracked down, but as the years went by, you kind of wondered where that's going to go,” said Michael Calla, superintendent of Sharon City schools.

The FBI estimates that losses from the scheme in the United States are about $10 million, while worldwide losses are close to $25 million. Those are conservative estimates, Hickton has said.

In recent years, Hickton has shifted federal priorities to indicting computer hackers no matter where they live, bringing charges against military officers in China and computer programmers in Russia and other Eastern European countries. He has vowed all along to bring them to justice in Pittsburgh.

“Fairly, there has been a discussion and a debate of the question of whether our work will lead to arrests,” Hickton said. “... I remain committed to bringing individuals to justice in this building where we can and that we will work very hard at this.”

Ghinkul was arrested in Cyprus while on vacation in August and extradited to the United States this week, after fighting his case all the way to the Cyprus supreme court.

“It was a long battle in Cyprus, which unfortunately our client lost, so he will face justice in the United States,” Bukh said.

Other high-profile hacking defendants who have been indicted in foreign countries — including five members of China's People's Liberation Army — remain at large.

Andrew Conte is a member of the Tribune-Review investigations team.
