Russian Cyber-Criminal Convicted Following Eight-Day Trial
Hacking Scheme Involving Millions of Credit Cards Defrauded Banks of Over $169 Million
Seattle – A federal court jury today convicted Roman Valerevich Seleznev, aka “Track2,” 32, of Vladivostok, Russia, of 38 counts related to his scheme to hack into point-of-sale computers to steal and sell credit card numbers to the criminal underworld, announced U.S. Attorney Annette L. Hayes. The jury deliberated six hours following an eight-day trial. U.S. District Judge Richard A. Jones scheduled sentencing for December 2, 2016.
The 40-count indictment charged Seleznev with the theft and sale of more than 2.9 million credit card numbers. According to testimony at trial and court documents, between October 2009 and October 2013, Seleznev hacked into retail point-of-sale systems and installed malicious software to steal credit card numbers from various businesses. Many of the businesses were small businesses, and included restaurants and pizza parlors in Western Washington. The Broadway Grill in Seattle was one of the better known victim businesses, which was forced into bankruptcy following the cyber attack.
Seleznev operated a server in Russia that he used to install malware on the point-of-sale computer systems. The malware would steal the credit card data from the point-of-sale systems and send it to other servers controlled by Seleznev, including in the Ukraine and McLean, Virginia. Seleznev would bundle the credit card information into groups called “bases” and sell the information on various criminal “carding” websites. The buyers would then use the credit card numbers for fraudulent purchases. Testimony at trial revealed that 3,700 financial institutions lost more than $169 million because of the scheme.
When Seleznev was taken into custody in July 2014 in the Maldives, his laptop contained more than 1.7 million stolen credit card numbers– some from businesses in Western Washington. Also on the laptop was additional evidence linking Seleznev to the servers, email accounts and financial transactions involved in the scheme.
In closing arguments prosecutors told the jury that if they “follow the digital fingerprints” Seleznev left across the internet, they would find “one of the most prolific credit card thieves in history.”
In particular, Seleznev was convicted of ten counts of wire fraud, eight counts of intentional damage to a protected computer, nine counts of obtaining information from a protected computer, nine counts of possession of 15 or more unauthorized access devices and two counts of aggravated identity theft. Wire fraud is punishable by up to thirty years in prison and a $1 million fine. Intentionally causing damage to a protected computer resulting with a loss of more than $5,000 is punishable by up to ten years in prison and a $250,000 fine. Obtaining information from a protected computer is punishable by up to five years in prison and a $250,000 fine. Possession of more than 15 unauthorized access devices is punishable by up to ten years in prison and a $250,000 fine. Aggravated identity theft is punishable by an additional two years in prison on top of any sentence for the underlying crimes. It is important to keep in mind that these are maximum possible sentences that could be imposed on individual counts in this case. They are not a statement of what the United States will recommend at the time of sentencing. Further, in determining what sentence to impose, at the time of the sentencing hearing, the Court will apply the United States Sentencing Guidelines to the specific facts of this case to come up with a non-binding sentencing guidelines range.
Seleznev is also charged in a separate indictment in the District of Nevada with participating in a racketeer influenced corrupt organization (RICO) and conspiracy to engage in a racketeer influenced corrupt organization, as well as two counts of possession of 15 or more counterfeit and unauthorized access devices. Seleznev is also charged in the Northern District of Georgia with conspiracy to commit bank fraud, one count of bank fraud, and four counts of wire fraud.
The Seattle case was investigated by the U.S. Secret Service Electronic Crimes Task Force, which includes detectives from the Seattle Police Department and the U.S. Secret Service Cyber Intelligence Section in Washington, D.C. The case is being prosecuted by Assistant U.S. Attorneys Norman M. Barbosa and Seth Wilkinson of the Western District of Washington and Trial Attorney Harold Chun of the Criminal Division’s Computer Crime and Intellectual Property Section. The U.S. Department of Justice Cyber Crime Lab, and its Director, Ovie Carroll, provided substantial support for the prosecution. The Office of International Affairs and the U.S. Attorney’s Office for the District of Guam also provided assistance in this case.