© Nicholas Rigg/GettyFive men from Russia and Ukraine are charged in a US$300m hacking case involving stolen credit card details.
Three suspects still at large in alleged global racket involving credit card details being stolen and traded online.

Federal prosecutors in the US have charged five men blamed for a hacking and credit card fraud spree that cost companies more US$300million. Two of the suspects are in custody in the biggest cybercrime case filed in US history.

Authorities also disclosed a new security breach against Nasdaq but provided few details.

Other companies alleged to have been targeted by the men include a Visa licensee, JC Penney Co, JetBlue Airways and the French retailer Carrefour, according to an indictment unveiled in New Jersey.

Authorities had been pursing the men for years. Many of the breaches had previously become public, though it appeared the one involving Nasdaq OMX Group Inc was being disclosed for the first time.

Prosecutors said they conservatively estimated the group of five men from Russia and Ukraine helped steal at least 160m payment card numbers, resulting in losses in excess of US$300m.

Authorities in New Jersey charged that each of the defendants had specialised tasks: Russians Vladimir Drinkman, 32, and Alexandr Kalinin, 26, hacked into networks, while Roman Kotov, 32, mined them for data. They allegedly hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Ukraine.

Russian Dmitriy Smilianets, 29, is accused of selling the stolen data and distributing the profits. Prosecutors said he charged $10 for US cards, $15 for ones from Canada and $50 for European cards, which are more expensive because they have computer chips that make them more secure.

The five hid their efforts by disabling antivirus software of their victims and storing data on multiple hacking platforms, prosecutors said. They sold payment card numbers to resellers, who then sold them on online forums or to "cashers" who encoded the numbers on to blank plastic cards.

"This type of crime is the cutting edge," said New Jersey US attorney Paul J Fishman. "Those who have the expertise and the inclination to break into our computer networks threaten our economic wellbeing, our privacy and our national security."

The indictment cited Albert Gonzalez as a co-conspirator. He is serving 20 years in prison after pleading guilty to helping mastermind one of the biggest hacking fraud schemes in US history, helping steal millions of credit and debit cards. Prosecutors say the defendants worked with Gonzalez before his arrest in Miami, then continued on a crime spree after his capture.

Drinkman and Smilianets were arrested in June 2012 while traveling in the Netherlands at the request of US authorities. Smilianets was extradited last September and is expected to appear in New Jersey federal court next week. Drinkman is awaiting an extradition hearing in the Netherlands.

Prosecutors declined comment on the whereabouts of the other three defendants. Tom Kellermann, a vice-president with security software maker Trend Micro, said he though the prospects were dim that they would be caught because authorities in some countries turned a blind eye to cybercriminals. "There is an enormous shadow economy that exists in eastern Europe. In some countries sophisticated hackers are seen as national assets," he said.

The US attorney's office in Manhattan announced two other indictments against Kalinin, one charging he hacked servers used by Nasdaq from November 2008 through October 2010. It said he installed malicious software that enabled him and others to execute commands to delete, change or steal data.

The infected servers did not include the trading platform that allows Nasdaq customers to buy and sell securities, prosecutors said. Officials with Nasdaq said they could not immediately comment.