Russian hacker captured in 2010 Broadway Grill data breach

A 30-year-old Russian man was arrested over the weekend for a series of crimes involving hacking into point-of-sale systems at Washington restaurants, including a 2010 data breach in which credit card information was stolen from hundreds of customers of Capitol Hill’s Broadway Grill. The allegations detail at least $1.7 million in losses to banks and credit card companies from data stolen from the Capitol Hill restaurant’s point-of-sale system.

The U.S. Attorney’s office Monday morning announced the arrest of Roman Seleznev, known as “Track2” in “the criminal carding underground,” according to the announcement. Seleznev was indicted in 2011, according to the U.S. Attorney, but wasn’t taken into custody until July 5th. Department of Justice representatives won’t say how the suspect was ultimately captured or how he arrived in Guam. Russia’s security and law enforcement infrastructure has reportedly been slow to pursue alleged hackers, even going so far as to issue a travel advisory warning possible online criminals not to travel to “countries that have signed agreements with the U.S. on mutual extradition.”

CHS reported on the status of the case earlier this year, noting that authorities had still made no arrests in the 2010 crimes against customers of the Capitol Hill restaurant. Secret Service agent Bob Kierstead told CHS that investigators had contained and identified the malware used in the attack but were still working to locate suspects. Kierstead did not tell CHS at the time that an indictment had been issued.

The Broadway Grill shuttered in 2013 after owners said they struggled to recover from the negative publicity related to the wave of credit card fraud. Agent Kierstead told CHS there was no illegal activity from within Broadway Grill “whatsoever.” In all, the indictment documents the theft of information about 32,000 credit and bank accounts from October 2009 to October 2010 at the restaurant.

Seleznev’s charges include five counts of bank fraud, eight counts of intentionally causing damage to a protected computer, eight counts of obtaining information from a protected computer, one count of possession of unauthorized access devices, and two counts of trafficking those devices. He also faces five counts of aggravated identity theft.

The allegations against Seleznev are outlined in the indictment against the Russian hacking suspect:

[Images: two excerpts from the indictment]

The indictment also lays out many of the mechanics of the operation:

[Image: excerpt from the indictment describing the mechanics of the operation]

The DOJ also alleges Seleznev operated a global “carder” system to aid hacking and the sale of credit and bank card data.

According to the indictment, investigators linked Seleznev to data breaches at Mad Pizza locations in the area (but not the Broadway store) and to a breach at Grand Central Baking.


The full announcement on the arrest is below.

A Russian man, indicted in the Western District of Washington for hacking into point of sale systems at retailers throughout the United States was arrested this weekend and transported to Guam for an initial appearance, announced U.S. Attorney Jenny A. Durkan. ROMAN VALEREVICH SELEZNEV, 30, of Moscow, also known as “Track2” in the criminal carding underground, was indicted in March 2011, for operating several carding forums that engaged in the distribution of stolen credit card information. At his first appearance in Guam today, SELEZNEV was ordered detained pending a further hearing scheduled for July 22, 2014.

“Cyber crooks should take heed: you cannot hide behind distant keyboards. We will bring you to face justice,” said U.S. Attorney Jenny A. Durkan, who leads the Justice Department’s Cybercrime and Intellectual Property Enforcement Subcommittee of the Attorney General’s Advisory Committee. “I want to thank the U.S. Secret Service for their work in investigating this case and in apprehending the defendant. I also want to give credit to the work of the Electronic Crimes Task Force, and Seattle Police Department in particular, and our partners in the United States Attorney’s Office in Guam, the Department of Justice’s Office of International Affairs, and the Computer Crime and Intellectual Property section of the Department of Justice’s Criminal Division.”

The indictment, unsealed today following his arrest on July 5, 2014, details a bank fraud scheme in which SELEZNEV is charged with hacking into retail point of sale systems and installing malicious software on the systems to steal credit card numbers. The illegal hacking outlined in the indictment occurred between October 2009, and February 2011. The indictment alleges that SELEZNEV created and operated infrastructure to facilitate the theft and sales of credit card data and used servers located all over the world to facilitate the operation. This infrastructure included servers that hosted carding forum websites where cybercriminals gathered to sell stolen credit card numbers. The charges in the indictment include five counts of bank fraud, eight counts of intentionally causing damage to a protected computer, eight counts of obtaining information from a protected computer, one count of possession of fifteen or more unauthorized access devices (stolen credit card numbers), two counts of trafficking in unauthorized access devices and five counts of aggravated identity theft.

“The arrest of Roman Seleznev is yet another example of how the Secret Service continues to successfully combat data theft and financial crimes,” said Robert Kierstead, Special Agent in Charge of the U.S. Secret Service Seattle Field Office. “The Secret Service utilized state-of-the-art investigative techniques to dismantle this criminal network. Our success in this case and other similar investigations is a result of the extraordinary work of our investigators and our close work with our network of law enforcement partners.”

Bank Fraud is punishable by up to thirty years in prison and a $2 million fine. Intentionally causing damage to a protected computer resulting with a loss of more than $5,000 is punishable by up to ten years in prison and a $250,000 fine. Obtaining information from a protected computer is punishable by up to five years in prison and a $250,000 fine. Possession of more than 15 unauthorized access devices is punishable by up to ten years in prison and a $250,000 fine. Trafficking in unauthorized access devices is punishable by up to 10 years in prison and a $250,000 fine. Aggravated identity theft is punishable by an additional two years in prison on top of any sentence for the underlying crimes. In determining the actual sentence, the Court will consider the United States Sentencing Guidelines, which are not binding but provide appropriate sentencing ranges for most offenders.

SELEZNEV is also charged in a separate indictment in the District of Nevada with participating in a racketeer influenced corrupt organization (RICO) and conspiracy to engage in a racketeer influenced corrupt organization as well as two counts of possession of fifteen or more counterfeit and unauthorized access devices. Those charges carry maximum penalties of up to 20 years in prison for RICO and RICO conspiracy and up to 10 years in prison for possession of fifteen or more counterfeit and unauthorized access devices.

Credit card fraud costs financial institutions $40 billion annually. In the Western District of Washington more than 180,000 stolen credit card numbers have been identified in recent cyber cases.

The charges contained in the indictment are only allegations. A person is presumed innocent unless and until he or she is proven guilty beyond a reasonable doubt in a court of law.

The case is being investigated by the U.S. Secret Service Electronic Crimes Task Force which includes detectives from the Seattle Police Department. The Office of International Affairs, the Computer Crime and Intellectual Property Section of the Department of Justice’s Criminal Division and the U.S. Attorney’s Office for the District of Guam provided substantial assistance. Assistant United States Attorney Norman M. Barbosa is prosecuting the case in the Western District of Washington.

UPDATE: Here is the document outlining the charges:

UPDATE 7/9/2014 12:30 PM: Seleznev is the son of Valery Seleznev, “a prominent member of Russian Parliament’s ultra-nationalist Liberal Democratic Party,” the New York Times reports.

According to a statement released by Russia’s foreign ministry, Roman Seleznev was arrested by U.S. agents as he boarded a plane in the Maldives.

Russia calls the arrest a “kidnapping”

Wherever the apprehension went down, the Russian Foreign Ministry let the Maldives have it. “The stance of Maldives’ authorities cannot be but outraging,” an official told ITAR-TASS. “We consider the incident as another one of Washington’s unfriendly steps. It is not the first time that the U.S. has kidnapped a Russian citizen.”

10 thoughts on “Russian hacker captured in 2010 Broadway Grill data breach”

  1. Glad they caught him. He stole my credit card number from either The Grill or Mad Pizza. Fortunately my credit card company took the loss, not me, but when charges in France started showing up on my bill when I haven’t been to France in ages, it raised some red flags to say the least.

  2. Pingback: Today’s Links July 8, 2014 | Rhode Island's Premier Computer & Network Technical Support

  3. Pingback: US nabs a hacker in the Maldives, but Russia sees it as “kidnapping” | World Updates

  4. Pingback: The Hacker Academy – Security Round Up | Week 2

  5. Won’t be surprised if he starts “working” for the Secret Service for a reduced or no sentence at all; then gets “traded” to the Russians for one of our own – maybe bring that traitor Snowden back to the States and let him stand trial…

  6. Pingback: Phoenix Zoo among those targeted by serial hacker | AZ Tech BeatAZ Tech Beat

  7. “The new face of organized crime—and particularly international organized crime—is largely cyber-based,” James Trusty, the head of the Justice Department’s organized-crime and gang section, told WSJ. “The groups are emerging as very hierarchical, very secure and very profitable criminal enterprises.”

    Very and very secure!!!
    Seleznev allegedly carried out a scheme to hack into retailers’ computers, install malicious software and steal credit card numbers
    Addresses of representatives of the Russian company Oxygen Forensic
    UNITED STATES
    Oxygen Forensics, Inc
    901 N. Pitt St, Suite 320
    Alexandria, VA 22314
    +1 (877) 9-OXYGEN

    EUROPE & UNITED KINGDOM
    Detegra Ltd
    4 Station Approach, Wendover
    Bucks HP22 6BN
    +44 1296 621121

    Oxygen Forensic Suite helps investigators and forensic specialists access and analyze data from a variety of mobile devices such as cell phones, smartphones, communicators, PDAs and tablet PCs. Currently supporting more than 5,200 different models.
    Malicious software allows analyzing logs and activities performed by common spyware applications, and allows accessing chunks of data that would be otherwise inaccessible to an investigator. Apple iOS analysis can retrieve user passwords stored in keychain backups created
    Parsing and analyzing the keychain allows investigators to get access to most passwords stored in Apple iOS devices such as iPhone and iPad.
    Investigators can track user location at every moment.
    The global search quickly reveals any connections (e.g. common contacts, exchanged calls, texts or emails) between the phone owners.
    Oxygen’s statistical analysis tools allow investigators to discover social connections between the users of multiple mobile devices: calls, text messages and Skype conversations.

  8. Pingback: Restaurant Hacker from 2010 Finally Captured - Entrust, Inc.

  9. Pingback: Personal Cybersecurity #44: Daily news | SurvivalRing
