Friday, January 9, 2009

TJX Suspect Gets 30 Years


In a follow-up to a series of posts I've dubbed "Hacker's 11," The Boston Globe reports that a suspect has been jailed in Turkey for an unrelated case (well, related in the sense that he was found guilty of an unrelated cybercrime). It is believed to be the harshest sentence ever for a cyber-related crime.

In a separate article, Finextra reports: "Although US authorities filed extradition papers against Yastremskiy he has now been convicted in Turkey on the separate charges. According to local reports, he pleaded not guilty but was convicted yesterday in a court in the city of Antalya."

Here's the story from the Boston Globe:

Suspect in TJX data theft sentenced in Turkey in unrelated case - The Boston Globe

By Ross Kerber and Musa Kesler, Globe Correspondent | January 9, 2009


ISTANBUL - A Ukrainian man who authorities allege played a key role in the largest data theft on record was sentenced to 30 years in prison in Turkey yesterday in an unrelated case.

US prosecutors have said that Maksym Yastremskiy was instrumental in the sale of credit and debit card numbers stolen from the retailer TJX Cos. of Framingham and other companies. While the sentence may be one of the longest ever handed down in a cybercrime, the conviction could hamper his prosecution in the United States.

He and 10 others were charged last year with (Editor's Note: See Graphic on Right) being part of a ring of thieves from around the world that broke into nine major US retailers' computer systems, stealing customer data and then selling that information. The thieves allegedly hacked into the systems and installed programs to capture data.

Yastremskiy, according to prosecutors, earned more than $11 million from his illicit activities. He has also been charged in another US case, involving theft of data from a Texas restaurant chain.

Court documents indicate that in TJX's case, as many as 100 million card numbers were stolen. Prosecutors alleged the ringleader was Albert Gonzalez of Miami.

A 27-year-old business school graduate, Yastremskiy was arrested in 2007 while on vacation in the Turkish resort of Kemer. His attorney, Ridvan Yildiz, said he was charged with breaking into Turkish bank accounts electronically, to which he pleaded not guilty.

He was sentenced yesterday in Antalya, a city on Turkey's southwestern Mediterranean coast near the resort town.

Before sentencing, Yildiz said, Yastremskiy told the judge: "I am innocent. I didn't do anything to break bank accounts. Somebody else did it, not me. I want to be released from the jail."

Yastremskiy had also argued that a laptop computer found in his hotel room containing bank information belonged to a friend.

Yildiz plans to appeal the sentence to Turkey's highest court, known as the Yargitay.

The 30-year sentence was at the low end of the range of 24 to 72 years sought by prosecutors.

Mark Rasch, a former federal prosecutor and computer-crimes expert in Bethesda, Md., said the sentence was the longest he had ever heard of involving a cybercrime. It would be allowed under US laws only if the offenses had led to death or other extreme consequences, he said.

Yet the heavy sentence could give US prosecutors influence in obtaining Yastremskiy's cooperation against others. "This would be great leverage," Rasch said.

A previous defense attorney for Yastremskiy had said that US officials have sought to extradite him, but that Turkish law prevents that until after he serves his sentence.

Yesterday, US Justice Department officials would only say they continue to seek Yastremskiy's extradition. US prosecutors in Boston have already won several guilty pleas from minor figures in the case.

Ross Kerber can be reached at kerber@globe.com. Kerber reported from Boston. Kesler, a correspondent for the newspaper Milliyet, reported from Istanbul.

