A prolific Russian hacker who stole data from over a dozen U.S. companies and information about over 100 million U.S. consumers was sentenced Thursday to 12 years in prison after admitting involvement in one of the biggest thefts of consumer data from a U.S. financial institution.
Andrei Tyurin, 37, was sentenced in Manhattan federal court after pleading guilty in September 2019 to computer intrusion, wire fraud, bank fraud and illegal online gambling offenses.
Prosecutors say Tyurin helped steal the personal data of more than 80 million customers from JP Morgan Chase alone.
They said Tyurin targeted financial institutions, brokerage firms and financial news publishers including the Wall Street Journal in the United States from 2012 to mid-2015, getting the personal information of more than 100 million customers of the companies.
Tyurin operated from his Moscow home, collecting over $19 million as he utilized a computer infrastructure across five continents, authorities said.
In a release, Acting U.S. Attorney Audrey Strauss said Tyurin “played a major role in orchestrating and facilitating an international hacking campaign that included one of the largest thefts of U.S. customer data from a single financial institution in history.”
In court papers, Tyurin’s lawyer, Florian Miedel, wrote that Tyurin only pocketed about $5 million because the rest was only promised by a co-conspirator who relied on Tyurin to get names and contact information so he could recruit customers for his illegal online gambling business.
Miedel requested leniency for his client, saying Tyurin never stole money through his hacking.
In a letter to the judge, Tyurin said he was “terribly ashamed” of the personal information he was stealing online and believed he had “chosen a wrong path in life.”
He also wrote that he has changed since a daughter he can no longer see was born four years ago.
In court papers, prosecutors wrote that as investigators closed in on Tyurin and the co-conspirator with the online gambling business, Tyurin and his accomplice “were fundamentally driven by pragmatic considerations regarding the risk of their detection and ultimately their apprehension, rather than concerns regarding relative moral culpability of their use of the stolen data.”
They urged a stiff sentence, citing the difficulty of apprehending someone who operates a half a world away.
“As a result of the significant resources required to mount a successful hacking prosecution, convictions are relatively rare. Consequently, the importance of affording general deterrence through meaningful sentences is particularly acute in criminal hacking cases,” according to a sentencing submission signed by Assistant U.S. Attorney Eun Young Choi.
Tyurin has been in U.S. custody since he was extradited from the country of Georgia in September 2018. He will be deported once he serves his sentence.
U.S. District Judge Laura Taylor Swain ordered him to forfeit his profits. Restitution was to be determined at a later date.
