Threat Intelligence

07:50 PM
Connect Directly

Inside the Investigation and Trial of Roman Seleznev

The officials who convicted the credit card thief discussed the investigation, evidence, trial, and challenges involved in his case.

BLACK HAT - Las Vegas - Officials involved in the investigation, arrest, and trial of Roman Seleznev dove into the details of how he operated his hacking empire, the slipups that led to his arrest, and evidence that led to his sentencing.

Seleznev, a notorious Russian computer hacker, was responsible for more than 400 point-of-sale hacks and at least $169 million in credit card fraud. He was sentenced to 27 years in prison and $170 million in restitution after a trial that took place earlier this year.

He went through three "chapters" in his time as a card thief, each defined by a different name, explained Norman Barbosa, assistant US attorney at the US Attorney's Office for the Western District, at Black Hat. The first began in the early 2000s when he adopted the handle nCux, which he used to operate online shops for selling stolen information.

"By 2005, he picked up on the fact that credit cards were an easy way to monetize hacking," said Barbosa. This was around the time the Secret Service began to notice his criminal activity and gather intelligence on him. By 2009, they had collected enough information to determine his identity — just in time for Seleznev to vanish.

"Unfortunately, approximately a month later, he disappeared from the Internet, putting the Secret Service investigation back a step," Barbosa said. "They had to rethink how they would go about seeking international cooperation on the case."

Seleznev reappeared in 2009 under aliases Track2 and Bulba. Officials noted his activity on, a forum and online marketplace for credit card details and personal data. He was listed as a "trusted vendor of dumps," which tipped them off to the fact this wasn't a new player.

The investigation was reopened in May 2010 and accelerated through June 2011. During this time, Seleznev was involved in hacking restaurants and stealing credit card data from their point-of-sale devices.

Following his injuries in the 2011 Morocco terrorist attacks, Seleznev returned to Russia and closed his online shop in January 2012. Investigators continued to chase him until 2013, when he reappeared under the alias 2PAC.CC. At this point he wasn't only selling his own stolen data; other major hackers were coming to him to resell credit cards.

Seleznev was arrested in the Maldives in 2014. Normally, the extradition process can take between six months and four years, said Barbosa. In this case, it took about two days to get the Secret Service to the Maldives, and only three more to get Seleznev to the United States.

Independent trial attorney Harold Chun discussed the evidence seized after Seleznev's arrest and mistakes he made leading up to it. Officials seized his laptop, passport, phone, and travel documents, all of which confirmed their earlier hypotheses.

"What these things did was confirm all the attribution that had been gleaned in the investigation, year after year," said Chun.

Seleznev's laptop proved to be a gold mine of evidence. Law enforcement found 1.7 million credit card numbers stored on his device, along with Web pages he created to teach people how they could use stolen card details. On the page, he reminded users: "Remember this is illegal way!!"

"There's not much to say when you have 1.7 million credit card numbers on you when you're on vacation," Chun quipped.

Investigators also discovered an account on Pacer Records, an online court system for recording indictments and search warrants. Before he traveled, Seleznev would search for information on his name and nicknames to determine whether it would be safe to leave.

Other pieces of evidence included information from Windows artifacts, registry keys, event logs, and the System Resource Usage Monitor. Officials also found cellphone backups stored on his computer and in the cloud.

Seleznev made several key slipups leading up to his arrest. He reused passwords for multiple online accounts, making it easy for investigators to guess the password to his laptop. He had two email addresses for his online aliases, some of which he used for crime and some of which he used for personal communications — for example, opening a PayPal account.

Barbosa explained how Seleznev used one of these email addresses to place a flower order for his wife, which he did using his own name and phone number that could be traced back to him.

Seleznev attempted to claim he had been framed by someone — either the US government or another hacker — and also tried to bribe the prosecutor for his case. Neither worked, and it only took a few hours for a Seattle jury to convict him on 38 counts, Chun said.

Related Content:

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Facebook Aims to Make Security More Social
Kelly Sheridan, Associate Editor, Dark Reading,  2/20/2018
SEC: Companies Must Disclose More Info on Cybersecurity Attacks & Risks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  2/22/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.