Threat Intelligence

07:50 PM
Connect Directly

Inside the Investigation and Trial of Roman Seleznev

The officials who convicted the credit card thief discussed the investigation, evidence, trial, and challenges involved in his case.

BLACK HAT - Las Vegas - Officials involved in the investigation, arrest, and trial of Roman Seleznev dove into the details of how he operated his hacking empire, the slipups that led to his arrest, and evidence that led to his sentencing.

Seleznev, a notorious Russian computer hacker, was responsible for more than 400 point-of-sale hacks and at least $169 million in credit card fraud. He was sentenced to 27 years in prison and $170 million in restitution after a trial that took place earlier this year.

He went through three "chapters" in his time as a card thief, each defined by a different name, explained Norman Barbosa, assistant US attorney at the US Attorney's Office for the Western District, at Black Hat. The first began in the early 2000s when he adopted the handle nCux, which he used to operate online shops for selling stolen information.

"By 2005, he picked up on the fact that credit cards were an easy way to monetize hacking," said Barbosa. This was around the time the Secret Service began to notice his criminal activity and gather intelligence on him. By 2009, they had collected enough information to determine his identity — just in time for Seleznev to vanish.

"Unfortunately, approximately a month later, he disappeared from the Internet, putting the Secret Service investigation back a step," Barbosa said. "They had to rethink how they would go about seeking international cooperation on the case."

Seleznev reappeared in 2009 under aliases Track2 and Bulba. Officials noted his activity on, a forum and online marketplace for credit card details and personal data. He was listed as a "trusted vendor of dumps," which tipped them off to the fact this wasn't a new player.

The investigation was reopened in May 2010 and accelerated through June 2011. During this time, Seleznev was involved in hacking restaurants and stealing credit card data from their point-of-sale devices.

Following his injuries in the 2011 Morocco terrorist attacks, Seleznev returned to Russia and closed his online shop in January 2012. Investigators continued to chase him until 2013, when he reappeared under the alias 2PAC.CC. At this point he wasn't only selling his own stolen data; other major hackers were coming to him to resell credit cards.

Seleznev was arrested in the Maldives in 2014. Normally, the extradition process can take between six months and four years, said Barbosa. In this case, it took about two days to get the Secret Service to the Maldives, and only three more to get Seleznev to the United States.

Independent trial attorney Harold Chun discussed the evidence seized after Seleznev's arrest and mistakes he made leading up to it. Officials seized his laptop, passport, phone, and travel documents, all of which confirmed their earlier hypotheses.

"What these things did was confirm all the attribution that had been gleaned in the investigation, year after year," said Chun.

Seleznev's laptop proved to be a gold mine of evidence. Law enforcement found 1.7 million credit card numbers stored on his device, along with Web pages he created to teach people how they could use stolen card details. On the page, he reminded users: "Remember this is illegal way!!"

"There's not much to say when you have 1.7 million credit card numbers on you when you're on vacation," Chun quipped.

Investigators also discovered an account on Pacer Records, an online court system for recording indictments and search warrants. Before he traveled, Seleznev would search for information on his name and nicknames to determine whether it would be safe to leave.

Other pieces of evidence included information from Windows artifacts, registry keys, event logs, and the System Resource Usage Monitor. Officials also found cellphone backups stored on his computer and in the cloud.

Seleznev made several key slipups leading up to his arrest. He reused passwords for multiple online accounts, making it easy for investigators to guess the password to his laptop. He had two email addresses for his online aliases, some of which he used for crime and some of which he used for personal communications — for example, opening a PayPal account.

Barbosa explained how Seleznev used one of these email addresses to place a flower order for his wife, which he did using his own name and phone number that could be traced back to him.

Seleznev attempted to claim he had been framed by someone — either the US government or another hacker — and also tried to bribe the prosecutor for his case. Neither worked, and it only took a few hours for a Seattle jury to convict him on 38 counts, Chun said.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
How Data Breaches Affect the Enterprise
How Data Breaches Affect the Enterprise
This report, offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future. Read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-09-19
An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations...
PUBLISHED: 2018-09-19
Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.
PUBLISHED: 2018-09-18
Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.
PUBLISHED: 2018-09-18
Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client in McAfee Application and Change Control (MACC) 8.0.0 Hotfix 4 and earlier allows authenticated users to execute arbitrary code via file transfer from external system.
PUBLISHED: 2018-09-18
An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use (TOCTOU) race condition during a specific scanning sequence, the unprivileged user is able to perform a privilege escal...