Two California men have been charged with conspiracy and wire fraud in an elaborate hacking scheme that netted them $40,000 in Subway gift cards. According to recently released court documents, Shahin Abdollahi and Jeffrey Thomas Wilkinson remotely accessed the point of sale systems in at least 13 Subway restaurants, using them to load money onto gift cards. Abdollahi and Wilkinson allegedly weren't breaking into the systems, though — they'd actually sold them to the Subway franchises with their own company, "POS Doctor."
As 'Sean Holdt,' Abdollahi sold point of sale systems to 13 Subways
Abdollahi had a history as a Subway restaurant owner, operating "one or more" franchises in Southern California from 2005 to 2008. Shortly thereafter, he opened POS Doctor under the alias "Sean Holdt," selling and sometimes installing new or refurbished point of sale systems at 13 franchises around the country. In itself, this wasn't necessarily unusual, as court documents note that Subway owners often buy their systems from third-party companies. Abdollahi, however, allegedly kept remote access privileges and used them to make fake gift card purchases: he and Wilkinson would wait until a restaurant had closed, then load money onto cards in their possession, usually selling them online later.
This indictment follows another recent Subway hacking case. In early 2013, a Romanian hacker was sentenced for his role in breaking into registers at 150 Subway restaurants and 50 other unknown stores, compromising credit card data and making off with millions in unauthorized purchases. Abdollahi and Wilkinson's plan was far less lucrative, but its method — allegedly starting a business to defraud Subway restaurants after years of operating one — sits at an interesting juncture between hacking and business fraud.