Earlier today, Djevair Ametovski, a Macedonian citizen also known as "xhevo," "sindrom" and "sindromx," pleaded guilty to access device fraud and aggravated identity theft, crimes related to his operation of "Codeshop," a website he created for the sole purpose of selling stolen credit and debit card data, bank account credentials and personal identification information — obtained through illegal hacking and phishing schemes — for financial gain. The plea was entered before United States Magistrate Judge Steven L. Tiscione at the federal courthouse in Brooklyn.
The guilty plea was announced by Bridget M. Rohde, Acting United States Attorney for the Eastern District of New York, and David E. Beach, Special Agent-in-Charge, United States Secret Service, New York Field Office (USSS).
"Cybercriminals such as the defendant profit directly from the mass hacking of online businesses and theft of personal and financial information, and provide a platform for others to do the same," stated Acting United States Attorney Rohde. "This Office, together with our law enforcement partners, will work tirelessly to shut down these illegal businesses and hold their operators accountable for their crimes." Ms. Rohde praised the extraordinary efforts of the Secret Service, the agency responsible for leading the government’s investigation, and also thanked the Slovenian Ministry of the Interior and Ministry of Justice, for their assistance in the investigation and effecting the defendant’s extradition, the United States Marshals Service, for their assistance in transporting the defendant to the United States, the U.S. Department of State Regional Security Officers in Slovenia and the Netherlands, for their assistance in facilitating the defendant’s extradition, and the Justice Department’s Office of International Affairs, for their assistance with multiple international requests for legal assistance during the investigation and with the defendant’s extradition.
"Technology has essentially erased geographic boundaries and changed the way criminals do business," said USSS Special Agent-in-Charge Beach. "The Secret Service continues to develop innovative ways to combat emerging cyber threats. The success in this case demonstrates the collaborative efforts of our worldwide network of law enforcement partners and the transnational investigative capabilities of the United States Secret Service."
As detailed in court papers, Ametovski ran a sophisticated online global marketplace for selling the stolen credit and debit card data, bank account credentials and personal identification information of victims around the world. As part of his operation, Ametovski worked with co-conspirators to steal victim account data both by hacking into the computer databases of financial institutions and other businesses, and by perpetrating "phishing" scams wherein the conspirators sent forged emails to unwitting accountholders that fraudulently induced the accountholders to surrender private information.1 Ametovski and his co-conspirators then packaged this stolen victim account data for sale and posted the data on the Codeshop website, a fully indexed and searchable website that allowed users to search through databases of stolen data by bank identification number, financial institution, country, state and card brand to find the precise data that they wished to buy. Users of the Codeshop website who bought stolen data from the website could use it to make online purchases and to encode plastic cards with the data and use the cards to withdraw cash at ATMs. Ametovski used a network of online money exchangers and anonymous digital currencies (like Bitcoin) to reap revenues from the Codeshop website and to conceal all participants’ identities, including his own. Over the course of the scheme, Ametovski obtained and sold stolen credit and debit card data for more than 1.3 million cards.
1 "Phishing" is a common cyber fraud tactic that involves sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to deceive the user into surrendering private information. In this case, such emails commonly directed users to visit a bogus website where they were asked to update personal information, such as their password, social security number, and bank account number previously provided to a legitimate organization.
Ametovski was arrested in Ljubljana, Slovenia, in January 2014, and was extradited to the United States in May 2016.
When he is sentenced by United States District Judge Eric N. Vitaliano, Ametovski faces up to 15 years in prison for access device fraud, and an additional mandatory sentence of two years’ imprisonment for aggravated identity theft. He is also subject to restitution, criminal forfeiture, and fines.
The government’s case is being handled by the Office’s National Security & Cybercrime Section. Assistant United States Attorneys Saritha Komatireddy, Tiana A. Demas and David K. Kessler are in charge of the prosecution. Additional assistance was provided by Marcus Busch of the Justice Department’s Office of International Affairs.
The Defendant:
DJEVAIR AMETOVSKI, also known as "xhevo," "sindrom" and "sindromx"
Age: 30
Nationality: Macedonian
E.D.N.Y. Docket No. 16-CR-409 (ENV)
--DOJ Eastern District of New York