WASHINGTON (Reuters) - Nine people have been charged in an alleged international conspiracy that used malicious software to gather bank account details and use the information to steal millions of dollars, including from accounts held at a Nebraska bank, the Department of Justice said on Friday.
Two of the defendants, both Ukrainian nationals who were living in the UK, have been extradited to face charges in Nebraska, the U.S. Justice Department said.
Four other defendants, who live in the Ukraine and in Russia according to court documents, remain at large. The three other defendants have not yet been identified.
A grand jury indicted the defendants in August 2012, but the indictment was not unsealed until Friday.
According to the charges, the group used Zeus malware to capture passwords and account numbers and then used that information to log into online banking accounts to steal millions of dollars.
The Zeus virus is a piece of malicious software that has been widely used to steal credit card information and other financial data.
The defendants were able to use the malware to beat two-factor identification systems, including SecurID, a product of the RSA unit of EMC Corp, prosecutors said.
The indictment was unsealed on Friday ahead of an arraignment of the two defendants who were extradited from the UK, Yuriy Konovalenko, 31, and Yevhen Kulibaba, 36, the Justice Department said.
Prosecutors say the defendants used U.S. residents as “money mules,” receiving funds transferred over the Automated Clearing House network or via other interstate wire systems from victims’ bank accounts into the mules’ own bank accounts. These people then allegedly withdrew some of those funds and wired the money overseas to conspirators.
A lawyer for Konovalenko was not immediately available for comment. A lawyer for Kulibaba could not be immediately located for comment.
The Justice Department said the FBI’s Omaha Cyber Task Force investigated the case, and was assisted by law enforcement agencies in the UK, the Netherlands and Ukraine.
The charges come as the U.S. government and hundreds of business are dealing with the “Heartbleed” bug uncovered this week, which may have left hundreds of thousands of websites open to data theft.
The Department of Homeland Security on Friday also warned of hackers attempting to exploit the bug in targeted attacks.
Reporting by Aruna Viswanatha; Editing by Leslie Adler