A 30-year-old Russian man was arrested over the weekend for a series of crimes involving hacking into point-of-sale systems at Washington restaurants, including a data breach in 2010 that involved stealing credit card information from hundreds of customers of Capitol Hill’s Broadway Grill. The allegations detail at least $1.7 million in losses to banks and credit card companies from data stolen from the Capitol Hill restaurant’s point-of-sale system.
The U.S. Attorney’s office announced Monday morning the arrest of Roman Seleznev, known as “Track2” in “the criminal carding underground,” according to the announcement. Seleznev was indicted in 2011, according to the U.S. Attorney, but wasn’t taken into custody until July 5th. Department of Justice representatives won’t say how the suspect was ultimately captured or how he arrived in Guam. Russia’s security and law enforcement infrastructure has reportedly been slow to pursue alleged hackers, even going so far as to provide a travel advisory warning possible online criminals not to travel to “countries that have signed agreements with the U.S. on mutual extradition.”
CHS reported on the status of the case earlier this year, noting that authorities had still made no arrests in the 2010 crimes against customers of the Capitol Hill restaurant. Secret Service agent Bob Kierstead told CHS that investigators had contained and identified the malware used in the virtual attack but were still working to locate suspects. Kierstead did not tell CHS at the time that an indictment had been made.
The Broadway Grill shuttered in 2013 after owners said they struggled to recover from the negative publicity related to the wave of credit card fraud. Agent Kierstead told CHS there was no illegal activity from within Broadway Grill “whatsoever.” In all, the indictment documents the theft of information about 32,000 credit and bank accounts from October 2009 to October 2010 at the restaurant.
Seleznev’s charges include five counts of bank fraud, eight counts of intentionally causing damage to a protected computer, eight counts of obtaining information from a protected computer, one count of possession of unauthorized access devices, and two counts of trafficking those devices. He also faces five counts of aggravated identity theft.
The allegations against Seleznev are outlined in the indictment against the Russian hacking suspect:
The indictment also lays out many of the mechanics of the operation:
The DOJ also alleges Seleznev operated a global “carder” system to aid hacking and the sale of credit and bank card data.
According to the indictment, investigators say Seleznev was linked to data breaches at Mad Pizza locations in the area, though not the Broadway store, and to a breach at Grand Central Baking.
The full announcement on the arrest is below.
A Russian man, indicted in the Western District of Washington for hacking into point of sale systems at retailers throughout the United States, was arrested this weekend and transported to Guam for an initial appearance, announced U.S. Attorney Jenny A. Durkan. ROMAN VALEREVICH SELEZNEV, 30, of Moscow, also known as “Track2” in the criminal carding underground, was indicted in March 2011, for operating several carding forums that engaged in the distribution of stolen credit card information. At his first appearance in Guam today, SELEZNEV was ordered detained pending a further hearing scheduled for July 22, 2014.
“Cyber crooks should take heed: you cannot hide behind distant keyboards. We will bring you to face justice,” said U.S. Attorney Jenny A. Durkan, who leads the Justice Department’s Cybercrime and Intellectual Property Enforcement Subcommittee of the Attorney General’s Advisory Committee. “I want to thank the U.S. Secret Service for their work in investigating this case and in apprehending the defendant. I also want to give credit to the work of the Electronic Crimes Task Force, and Seattle Police Department in particular, and our partners in the United States Attorney’s Office in Guam, the Department of Justice’s Office of International Affairs, and the Computer Crime and Intellectual Property section of the Department of Justice’s Criminal Division.”
The indictment, unsealed today following his arrest on July 5, 2014, details a bank fraud scheme in which SELEZNEV is charged with hacking into retail point of sale systems and installing malicious software on the systems to steal credit card numbers. The illegal hacking outlined in the indictment occurred between October 2009, and February 2011. The indictment alleges that SELEZNEV created and operated infrastructure to facilitate the theft and sales of credit card data and used servers located all over the world to facilitate the operation. This infrastructure included servers that hosted carding forum websites where cybercriminals gathered to sell stolen credit card numbers. The charges in the indictment include five counts of bank fraud, eight counts of intentionally causing damage to a protected computer, eight counts of obtaining information from a protected computer, one count of possession of fifteen or more unauthorized access devices (stolen credit card numbers), two counts of trafficking in unauthorized access devices and five counts of aggravated identity theft.
“The arrest of Roman Seleznev is yet another example of how the Secret Service continues to successfully combat data theft and financial crimes,” said Robert Kierstead, Special Agent in Charge of the U.S. Secret Service Seattle Field Office. “The Secret Service utilized state-of-the-art investigative techniques to dismantle this criminal network. Our success in this case and other similar investigations is a result of the extraordinary work of our investigators and our close work with our network of law enforcement partners.”
Bank Fraud is punishable by up to thirty years in prison and a $2 million fine. Intentionally causing damage to a protected computer resulting in a loss of more than $5,000 is punishable by up to ten years in prison and a $250,000 fine. Obtaining information from a protected computer is punishable by up to five years in prison and a $250,000 fine. Possession of more than 15 unauthorized access devices is punishable by up to ten years in prison and a $250,000 fine. Trafficking in unauthorized access devices is punishable by up to 10 years in prison and a $250,000 fine. Aggravated identity theft is punishable by an additional two years in prison on top of any sentence for the underlying crimes. In determining the actual sentence, the Court will consider the United States Sentencing Guidelines, which are not binding but provide appropriate sentencing ranges for most offenders.
SELEZNEV is also charged in a separate indictment in the District of Nevada with participating in a racketeer influenced corrupt organization (RICO) and conspiracy to engage in a racketeer influenced corrupt organization as well as two counts of possession of fifteen or more counterfeit and unauthorized access devices. Those charges carry maximum penalties of up to 20 years in prison for RICO and RICO conspiracy and up to 10 years in prison for possession of fifteen or more counterfeit and unauthorized access devices.
Credit card fraud costs financial institutions $40 billion annually. In the Western District of Washington more than 180,000 stolen credit card numbers have been identified in recent cyber cases.
The charges contained in the indictment are only allegations. A person is presumed innocent unless and until he or she is proven guilty beyond a reasonable doubt in a court of law.
The case is being investigated by the U.S. Secret Service Electronic Crimes Task Force which includes detectives from the Seattle Police Department. The Office of International Affairs, the Computer Crime and Intellectual Property Section of the Department of Justice’s Criminal Division and the U.S. Attorney’s Office for the District of Guam provided substantial assistance. Assistant United States Attorney Norman M. Barbosa is prosecuting the case in the Western District of Washington.
UPDATE: Here is the document outlining the charges:
UPDATE 7/9/2014 12:30 PM: Seleznev is the son of Valery Seleznev, “a prominent member of Russian Parliament’s ultra-nationalist Liberal Democratic Party,” the New York Times reports.
According to a statement released by Russia’s foreign ministry, Roman Seleznev was arrested by U.S. agents as he boarded a plane in the Maldives.
Russia calls the arrest a “kidnapping”:
Wherever the apprehension went down, the Russian Foreign Ministry let the Maldives have it. “The stance of Maldives’ authorities cannot be but outraging,” an official told ITAR-TASS. “We consider the incident as another one of Washington’s unfriendly steps. It is not the first time that the U.S. has kidnapped a Russian citizen.”