Prosecutors throw the book at Russian behind credit card hacking plot
U.S. prosecutors are asking a federal court in Seattle to sentence prolific Russian hacker Roman Seleznev to 30 years this week, saying he personally helped create a multibillion-dollar ecosystem for credit card fraud.
Calling Seleznev “a pioneer” in the online theft and monetization of card data, a sentencing memorandum claims he “became one of the most revered point-of-sale hackers in the criminal underworld … a market maker whose automated vending sites and tutorials helped grow the market for stolen card data,” by effectively creating an Amazon.com for cyber-thieves and card fraudsters.
Cards that Seleznev sold through his sites generated nearly $170 million in fraudulent charges, prosecutors said.
“This prosecution is unprecedented. Never before has a criminal engaged in computer fraud of this magnitude been identified, captured, and convicted by an American jury,” prosecutors claim.
In arguing for the 30-year sentence, prosecutors also say Seleznev tried to game the court system: “Burning through” six sets of attorneys, including two provided at public cost, while ignoring their advice to negotiate a plea deal; and perjuring himself in effort to suppress a self-incriminating interview. These antics, the memo charges, meant it took more than two years to get to trial.
Prosecutors also argue that there is “an extremely high risk of recidivism.” Given Seleznev’s “stubborn refusal to accept responsibility for his crimes until hopelessly cornered, there is a high likelihood that upon his return to Russia, he will return to his criminal enterprise,” the memo reads, noting that Seleznev “had multiple opportunities to reassess his life and end his career as a hacker” — like being injured in a 2011 terrorist bombing in Marrakesh — but “In each instance, defendant not only returned to his criminal ways, but also grew his criminal enterprise as he took it to new heights.”
Evidence presented at the week-long trial last summer showed that Seleznev started his cybercrime career as a teenager in 2002, using the online alias “nCuX” — the transliteration of the Russian word for “psycho.”
“By 2009, nCuX had become one of the world’s leading providers of stolen credit card data … revered in the carding underworld and admired by thousands of other criminals,” according to the sentencing memorandum. U.S. Secret Service agents, who had made him a top-tier target, developed information that year that nCuX was really Seleznev, the son of a Russian politician. They flew to Moscow and briefed their counterparts from the Russian Federal Security Service, or FSB. A month later “nCuX notified his co-conspirators on multiple criminal forums that he was going out of business. Shortly after that, nCuX completely disappeared from the Internet.”
But three months later, in September 2009, Seleznev appeared again, this time using the online identities Track2 and Bulba, and this time establishing his own sites to sell the card data he hacked. Seleznev’s new vending websites were automated, working “like an Amazon.com for carders, allowing buyers to automatically search, select, and purchase” batches of card data sorted by criteria such as the issuing financial institution or the card brand. “Automated vending sites increased the efficiency [of] credit card data trafficking, and remain the gold standard for credit card trafficking to this day,” state prosecutors.
After Seleznev was injured in the Marakesh bombing in 2011, the Track2 and Bulba sites closed down. Seleznev’s next site, 2pac.cc, was also automated, but rather than just selling the data he himself had hacked, 2pac was a shop-window for other major hackers as well, who would sell their data on the site and split the proceeds with him. 2pac.cc “facilitated the sales of millions of stolen cards [details] and helped monetize some of the most significant credit card breaches of the last decade,” including Home Depot, Target and Neiman Marcus.
At the same time, Seleznev also helped to grow the market for hacked card details with a site that offered lessons in how to monetize the stolen data by making fake cards. POSdumps.com contained free video tutorials and links to sellers of card coding equipment and other material would be card fraudsters might need.
The site boldly declared “remember this is illegal way.”
Seleznev “blatantly flaunted his illegal behavior knowing that his true identity was hidden behind the layers of anonymity provided by the internet. And even if his true identity was discovered by law enforcement, he was further comforted by the cover provided him by his connections in Russian law enforcement,” say prosecutors
“Carders all over the world turned to defendant to fuel their fraudulent conduct, leading to over $169 million in losses to over 3,700 banks worldwide. His hacking spree wreaked havoc at hundreds of small businesses throughout the United States and overseas as he scooped up millions of credit cards,” according to the sentencing memo.
How much of that money ended up in Seleznev’s hands is unclear — he used multiple anonymous payment systems and cryptocurrency accounts. When prosecutors seized just one of them, Liberty Reserve “in connection with another criminal investigation,” they found Seleznev collected roughly $17 million in sales in just three years, 2010 – 2013, through this single payment system alone. He “undoubtedly collected many millions more using Bitcoin and other currencies throughout his lengthy criminal career.”
Prosecutors record that Seleznev used this money to live “an extravagant lifestyle.” He bought beachfront properties in Bali, Indonesia and “jetted between Bali and [his home in] Vladivostok at will. Photographs on Seleznev’s phone show his associates with large bundles of cash, at luxurious resorts, and posing for photographs next to high-end muscle cars. Immediately before his capture, Seleznev spent over $20,000 to stay in a resort in the Maldives, boasting to an associate in a chat that ‘I took the most expensive villa’ and that ‘I have my own manservant.'”
Although 30 years is significantly more than the 18- and 20-year sentences imposed on prolific hackers in the past, prosecutors argue that Seleznev’s refusal to admit culpability and seek a plea deal (as others have done in the past), plus his status as a facilitator of the crimes of others, mean 30 years is merited.
They note that, because of the huge scale of the offense — authorities were able to identify 2.95 million unique payment card numbers he “stole, possessed or sold” — the sentencing guidelines actually call for life imprisonment. Indeed, the table of guidelines, which measures the severity of offenses on a points system, only goes up to 43 points — a crime meriting life imprisonment. Seleznev’s offenses tallied up a total of 56 points.
The sentencing is scheduled for Friday.