Guilty: Russian POS Malware Hacking Kingpin Stole 2M Cards

Anti-Malware , Fraud , Technology

Roman Seleznev, Son of Russian Legislator, Caused $169 Million in Fraud Guilty: Russian POS Malware Hacking Kingpin Stole 2M CardsConvicted hacker Roman Seleznev. Source: Department of Justice

Russian hacker Roman Valerevich Seleznev has been convicted of stealing data from more than 2 million U.S. payment cards and defrauding 3,700 financial institutions in the United States of at least $169 million.

See Also: The Inconvenient Truth About API Security

On Aug. 25, after an eight-day trial, a federal jury in the state of Washington convicted 32-year-old Seleznev, a.k.a. "Track2," of hacking into point-of-sale devices and installing malware to steal payment card details and route them to a servers based in Russia, Ukraine and McLean, Va. According to court documents, Seleznev gathered up the stolen card data in batches - or "bases" - then sold them on carder forums, also known as dump sites, including one called "2pac.cc" that he allegedly ran.

Seleznev's operation ran from October 2009 to October 2013, federal prosecutors said, adding that many of his victims were small businesses, some of which were forced into bankruptcy by the attacks. Seleznev had pleaded not guilty to related charges (see Free Defense for Alleged $18M Hacker?).

The federal jury convicted Seleznev on 38 counts - 10 counts of wire fraud, nine counts of obtaining information from a protected computer, nine counts of possession of 15 or more unauthorized access devices, eight counts of intentional damage to a protected computer and two counts of aggravated identity theft - according to the U.S. Justice Department.

Seleznev is due to be sentenced Dec. 2 by U.S. District Judge Richard A. Jones of the Western District of Washington. He could face decades in prison.

Indicted in 2011

Seleznev was first indicted in Washington federal court in March 2011 on 40 charges relating to the theft and sale of at least 2 million payment card numbers. At least some of the information used to charge him came via the Justice Department's investigation into the notorious virtual currency system Liberty Reserve, which was based in Costa Rica.

After Liberty Reserve was forcibly shut down in May 2013 - authorities accused the site of laundering $6 billion - law enforcement promised to "follow the money." They said they found that the service had been used by some of Seleznev's customers to route him payments. "Among the Liberty Reserve accounts maintained by [Seleznev] were two accounts that received over $17.8 million U.S. dollars in payments for the sales of stolen credit card data," according to court documents," the Justice Department says.

Informal Extradition

Seleznev was detained at an airport in Maldives - an island nation in the Indian Ocean - in July 2014 while on vacation. He was then flown by U.S. Secret Service agents to the U.S. territory of Guam, where he was arrested. The Russian government characterized the episode as kidnapping.

U.S. law enforcement agencies, however, refer to this occasional practice instead as informal extradition, "because kidnapping is such a dirty word," according to Verizon security evangelist Mark Rasch, who created the computer crime unit at the U.S. Department of Justice (see FBI Hacker Hunt Goes 'Wild West').

Son of Russian Legislator

Seleznev is the son of Russian legislator Valery Seleznev, who's part of the country's Liberal Democratic party, which is often described as a far-right ultranationalist party.

Valery Seleznev initially denied that the man who had been arrested on related charges in 2014 could have been his son, saying his son had no knowledge of computers or a U.S. visa. After news reports confirmed that his son had been detained, and then arrested on U.S. soil, he told state-operated Russian news agency RIA Novosti that the episode amounted to "a terrible, monstrous nonsense."

Investigators Recovered Laptop, iPhone

Prosecutors said that a laptop in Seleznev's possession at the time of his arrest contained 1.7 million payment card details. In a March 2015 motion, they also supplied the court with photographs of Seleznev posing with stacks of 5,000-ruble notes - each bill worth about $85 - as well as luxury cars. They said the photos were retrieved from the laptop, as well as an iPhone that was in his possession when he was arrested by the U.S. Secret Service.

According to court documents filed by federal prosecutors, Saleznev maintained an extravagant lifestyle, including owning high-end automobiles, regularly flying to exotic locales and staying in fancy hotels, as well as owning multiple properties, including two apartments in the Indonesian island and province Bali, for which he paid $790,000.