
Threat Intelligence | 7/27/2017 07:50 PM
Inside the Investigation and Trial of Roman Seleznev

The officials who convicted the credit card thief discussed the investigation, evidence, trial, and challenges involved in his case.

BLACK HAT - Las Vegas - Officials involved in the investigation, arrest, and trial of Roman Seleznev dove into the details of how he operated his hacking empire, the slipups that led to his arrest, and evidence that led to his sentencing.

Seleznev, a notorious Russian computer hacker, was responsible for more than 400 point-of-sale hacks and at least $169 million in credit card fraud. He was sentenced to 27 years in prison and $170 million in restitution after a trial that took place earlier this year.

He went through three "chapters" in his time as a card thief, each defined by a different name, explained Norman Barbosa, assistant US attorney at the US Attorney's Office for the Western District, at Black Hat. The first began in the early 2000s when he adopted the handle nCux, which he used to operate online shops for selling stolen information.

"By 2005, he picked up on the fact that credit cards were an easy way to monetize hacking," said Barbosa. This was around the time the Secret Service began to notice his criminal activity and gather intelligence on him. By 2009, they had collected enough information to determine his identity — just in time for Seleznev to vanish.

"Unfortunately, approximately a month later, he disappeared from the Internet, putting the Secret Service investigation back a step," Barbosa said. "They had to rethink how they would go about seeking international cooperation on the case."

Seleznev reappeared in 2009 under aliases Track2 and Bulba. Officials noted his activity on Carder.su, a forum and online marketplace for credit card details and personal data. He was listed as a "trusted vendor of dumps," which tipped them off to the fact this wasn't a new player.

The investigation was reopened in May 2010 and accelerated through June 2011. During this time, Seleznev was involved in hacking restaurants and stealing credit card data from their point-of-sale devices.

Following his injuries in the 2011 Morocco terrorist attacks, Seleznev returned to Russia and closed his online shop in January 2012. Investigators continued to chase him until 2013, when he reappeared under the alias 2PAC.CC. At this point he wasn't only selling his own stolen data; other major hackers were coming to him to resell credit cards.

Seleznev was arrested in the Maldives in 2014. Normally, the extradition process can take between six months and four years, said Barbosa. In this case, it took about two days to get the Secret Service to the Maldives, and only three more to get Seleznev to the United States.

Independent trial attorney Harold Chun discussed the evidence seized after Seleznev's arrest and mistakes he made leading up to it. Officials seized his laptop, passport, phone, and travel documents, all of which confirmed their earlier hypotheses.

"What these things did was confirm all the attribution that had been gleaned in the investigation, year after year," said Chun.

Seleznev's laptop proved to be a gold mine of evidence. Law enforcement found 1.7 million credit card numbers stored on his device, along with Web pages he created to teach people how they could use stolen card details. On the page, he reminded users: "Remember this is illegal way!!"

"There's not much to say when you have 1.7 million credit card numbers on you when you're on vacation," Chun quipped.

Investigators also discovered an account on Pacer Records, an online court system for recording indictments and search warrants. Before he traveled, Seleznev would search for information on his name and nicknames to determine whether it would be safe to leave.

Other pieces of evidence included information from Windows artifacts, registry keys, event logs, and the System Resource Usage Monitor. Officials also found cellphone backups stored on his computer and in the cloud.

Seleznev made several key slipups leading up to his arrest. He reused passwords across multiple online accounts, making it easy for investigators to guess the password to his laptop. He also had two email addresses tied to his online aliases, which he used both for crime and for personal communications — for example, opening a PayPal account.

Barbosa explained how Seleznev used one of these email addresses to place a flower order for his wife, which he did using his own name and phone number that could be traced back to him.

Seleznev attempted to claim he had been framed by someone — either the US government or another hacker — and also tried to bribe the prosecutor for his case. Neither worked, and it only took a few hours for a Seattle jury to convict him on 38 counts, Chun said.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...