U.S. District Judge Steve C. Jones of the Northern District of Georgia sentenced a Russian cybercriminal to 14 years in prison for involvement in an international hacking conspiracy. The hacker, 33-year-old Roman Valeryevich Seleznev of Vladivostok, Russia, participated in a fraud network that caused more than $50 million in damage. In August 2016, a federal jury in Washington convicted Seleznev of 38 counts of assorted fraud charges. On April 21, a Washington court sentenced Seleznev to 27 years in prison. The 27 year and 14 year prison sentences are to be served concurrently.
In September 2017, Seleznev pleaded guilty to his role as a “casher” in a 2008 hack of RBS WorldPay, a transaction processing branch of Royal Bank of Scotland Group PLC. According to evidence revealed in the courtroom earlier this year, Seleznev and several co-conspirators hacked the encryption on RBS WorldPay systems in Atlanta. After breaching RBS WorldPay encryption, the hackers increased the spending and withdrawal limits on the then-compromised accounts to $1,000,000 or more.
The hackers then, within 12 hours, distributed 44 counterfeit cards to an even larger network of co-conspirators. The network of cashers accessed 2,100 ATMs in almost 300 countries and withdrew more than $9,000,000 from the compromised accounts. Before trying to erase any trace of their unauthorized access of the RBS WorldPay servers, the fraudsters copied more than 45 million pre-paid cards used by unidentified companies to their pay employees.
In an indictment returned in the District of Nevada, Seleznev pleaded guilty to one RICO charge. He admitted to operating online under the usernames “Track2,” “Bulba,” and “Ncux.” He admitted involvement in the carder.su fraud network and market. Carder.su functioned as a fraud hub and market on the clearnet where users could buy credit card information and similar fraud-related sets of data. Seleznev had initially sold card dumps under the Ncux monicker but retired it in 2009 and started selling his card dumps as a private vendor as Track2 and Bulba.cc. He advertised his service on Carder.su before the the United States Government’s “Operation Open Market” shut the carding site down.
Seleznev sold enough credit card information that he created his own auto shop for credit cards that he advertised on carders.su. “His automated website allowed members to log into and purchase stolen credit card account data,” one of the Department of Justice press releases explained. It added, “the defendant’s website had a simple interface that allowed members to search for the particular type of credit card information they wanted to buy, add the number of accounts they wished to purchase to their “shopping cart” and upon check out, download the purchased credit card information.” His business ventures recorded by the Nevada grand jury led to more than $50 million in damages.
The Nevada court ordered that Seleznev pay a restitution of $50 million and the Georgia court ordered an additional $2 million. Both prison sentences are to be served concurrently.