On August 26th, a federal jury in Seattle found Roman Seleznev guilty of stealing more than 2.9 million credit card numbers and selling them to fraudsters on the deepweb. Seleznev, 32, is the son of Russian Parliament member Valery Seleznev.
According to a 2014 indictment from the Department of Justice, Seleznev, as well as unknown accomplices, “developed and used automated techniques, such as port scanning, to identify computers and computer systems that were connected to the Internet [and] were dedicated to or involved with credit processing by retail businesses.”
Roman Seleznev operated under the names “TRACK2” and “nCuX,” as well as several other pseudonyms listed in the indictment. While he almost exclusively operated on deepweb forums under the TRACK2 moniker, the prosecutors believe the other names were used for specific pieces of malware. When Seleznev’s servers were examined, nearly a dozen names were discovered, all leading back to Seleznev.
The 32-year-old hacker identified PoS (point-of-sale) systems throughout the United States and downloaded malware onto them that fed customer and credit card information back to his servers.
According to the indictment:
“The malware that Roman Seleznev and others unknown to the Grand Jury caused to be downloaded to the victim business’ computers monitored the traffic within the business’ computer network and intercepted the communications between the point of sale terminals and the back of the house computer. The malware would extract and copy data that included credit card track data and, every five minutes, compile the stolen credit card track data and transmit and upload it to a server identified by a specific IP address.”
Seleznev’s malware worked especially efficiently in some cases. An example given in the indictment is one where malware was uploaded to the Broadway Grill’s back of the house computer. This restaurant stored every credit card transaction between December 1, 2009, and October 22, 2010, in an unencrypted text file. Seleznev pulled over 32,000 unique numbers from this computer alone.
From there, he uploaded more malware to the front of the house PoS, allowing him access to every credit card swiped until the restaurant declared bankruptcy. While this is a particularly striking example based, in part, on the restaurant’s security practices, Seleznev replicated similar tactics across businesses throughout the United States.
Seleznev then sold the card numbers on both deepweb and clearnet forums. Cards with a 95 percent chance of being valid went for a maximum of $30. Cards with lower validity rates went for as low as $7.
The investigation revealed that, under the TRACK2 name and using the most frequented carding forums and marketplaces, Seleznev sold 140,000 credit card numbers and accumulated a profit of $2 million. The DoJ suspects, though, that the “scheme” ran deeper than law enforcement initially believed. When Seleznev was arrested in 2014 in the Maldives with his girlfriend, an additional 1.7 million credit card numbers were discovered on his laptop.
Roman Seleznev was found guilty of 10 counts of wire fraud, eight counts of intentional damage to a protected computer, nine counts of obtaining information from a protected computer, nine counts of possession of 15 or more unauthorized access devices and two counts of aggravated identity theft.
A lawyer representing Seleznev plans to appeal the verdict on the grounds that an illegal arrest was made, invalidating the evidence discovered in the 10-year-long case built against Seleznev. According to the lawyer, Seleznev’s laptop was illegally seized and searched. When the US arrested Seleznev at Malé International Airport, the man was never detained or held by local authorities. No opportunity to appear before a local court was presented to him either, claims Seleznev.
The Russian government considers this arrest to be an illegal kidnapping by US law enforcement, according to Reuters.
A sentencing hearing is scheduled for December 2nd with Seleznev facing a minimum of four years behind bars. He is also facing charges in Georgia and Nevada.