BLACK HAT - Las Vegas - Officials involved in the investigation, arrest, and trial of Roman Seleznev dove into the details of how he operated his hacking empire, the slipups that led to his arrest, and evidence that led to his sentencing.
Seleznev, a notorious Russian computer hacker, was responsible for more than 400 point-of-sale hacks and at least $169 million in credit card fraud. He was sentenced to 27 years in prison and $170 million in restitution after a trial that took place earlier this year.
He went through three "chapters" in his time as a card thief, each defined by a different name, explained Norman Barbosa, assistant US attorney at the US Attorney's Office for the Western District, at Black Hat. The first began in the early 2000s when he adopted the handle nCux, which he used to operate online shops for selling stolen information.
"By 2005, he picked up on the fact that credit cards were an easy way to monetize hacking," said Barbosa. This was around the time the Secret Service began to notice his criminal activity and gather intelligence on him. By 2009, they had collected enough information to determine his identity — just in time for Seleznev to vanish.
"Unfortunately, approximately a month later, he disappeared from the Internet, putting the Secret Service investigation back a step," Barbosa said. "They had to rethink how they would go about seeking international cooperation on the case."
Seleznev reappeared in 2009 under aliases Track2 and Bulba. Officials noted his activity on Carder.su, a forum and online marketplace for credit card details and personal data. He was listed as a "trusted vendor of dumps," which tipped them off to the fact this wasn't a new player.
The investigation was reopened in May 2010 and accelerated through June 2011. During this time, Seleznev was involved in hacking restaurants and stealing credit card data from their point-of-sale devices.
Following his injuries in the 2011 Morocco terrorist attacks, Seleznev returned to Russia and closed his online shop in January 2012. Investigators continued to chase him until 2013, when he reappeared under the alias 2PAC.CC. At this point he wasn't only selling his own stolen data; other major hackers were coming to him to resell credit cards.
Seleznev was arrested in the Maldives in 2014. Normally, the extradition process can take between six months and four years, said Barbosa. In this case, it took about two days to get the Secret Service to the Maldives, and only three more to get Seleznev to the United States.
Independent trial attorney Harold Chun discussed the evidence seized after Seleznev's arrest and mistakes he made leading up to it. Officials seized his laptop, passport, phone, and travel documents, all of which confirmed their earlier hypotheses.
"What these things did was confirm all the attribution that had been gleaned in the investigation, year after year," said Chun.
Seleznev's laptop proved to be a gold mine of evidence. Law enforcement found 1.7 million credit card numbers stored on his device, along with Web pages he created to teach people how they could use stolen card details. On the page, he reminded users: "Remember this is illegal way!!"
"There's not much to say when you have 1.7 million credit card numbers on you when you're on vacation," Chun quipped.
Investigators also discovered an account on Pacer Records, an online court system for recording indictments and search warrants. Before he traveled, Seleznev would search for information on his name and nicknames to determine whether it would be safe to leave.
Other pieces of evidence included information from Windows artifacts, registry keys, event logs, and the System Resource Usage Monitor. Officials also found cellphone backups stored on his computer and in the cloud.
Seleznev made several key slipups leading up to his arrest. He reused passwords across multiple online accounts, making it easy for investigators to guess the password to his laptop. He had two email addresses for his online aliases, and he used them both for crime and for personal communications, such as opening a PayPal account.
Barbosa explained how Seleznev used one of these email addresses to place a flower order for his wife, which he did using his own name and phone number that could be traced back to him.
Seleznev attempted to claim he had been framed by someone — either the US government or another hacker — and also tried to bribe the prosecutor for his case. Neither worked, and it only took a few hours for a Seattle jury to convict him on 38 counts, Chun said.