It was a summer day in Las Vegas. Inside the Mandalay Bay Convention Center during the annual hacker-focused conference Black Hat, the cybersecurity crowd found refuge from the scorching sun. From the podium in front of the darkened room, Norman Barbosa, a computer crimes prosecutor in the U.S. Attorney’s office in Seattle, tried to clear the air with some humor.
“The original title to this presentation was nixed,” he said of his talk, titled Ochko123 – How the Feds Caught Russian Mega-Carder Roman Seleznev. “I wanted to go with Ochko123 – Why you shouldn’t use ‘Butthole123’ as the password to your hacking empire,” he quipped. “It doesn’t work well.”
“Ochko” means butthole in Russian. That’s not what makes it amusing. Something else renders Roman Seleznev the butt of this joke: The fact that Seleznev’s mega-carding empire, built on brute-force password attacks against local businesses’ poorly secured point-of-sale systems, was exposed by poor security as well. He just couldn’t resist using one of his favorite passwords, Ochko123, on the laptop holding hundreds of thousands of stolen credit card numbers.
Barbosa’s jest didn’t inspire boisterous laughter in the cybersecurity crowd gathered at the Mandalay Bay. That summer of 2017, they were there mostly to hear about how exactly Seleznev defrauded his victims from Russia, over 10,000 miles away. How 3,700 financial institutions and 500 businesses including many Seattle-area restaurants such as Grand Central Baking, Mad Pizza and Capitol Hill’s Broadway Grill, got caught in Seleznev’s fraud net. And, how the feds ended up capturing him after a years-long investigation that included the U.S. Secret Service, detectives from the Seattle Police Department, Interpol and U.S. Attorney-turned-Seattle-mayor Jenny Durkan.
Seleznev was one of the world’s most significant traffickers in stolen credit cards between 2005 and his capture in 2014. In total, investigators said, Seleznev stole data from over 1 million cardholders and sold the numbers on the online dark market.
In 2017, after a trial in Seattle, Seleznev was sentenced to 27 years in prison. It is still the longest sentence handed down for hacking-related charges in the U.S., according to the U.S. Department of Justice. A month ago, a Ninth Circuit panel upheld the 27-year prison sentence.
Thanks to a recently released report about the hack from Darknet Diaries, Barbosa’s presentation, and court documents examined by CHS, more details of the case have emerged.
The case, a border-transcending story reaching from Russia to Seattle, Morocco, the Maldives and back, is extraordinary. Not only because it reads like cybercrime pulp noir, nor merely for its ensuing record-setting sentence, but because there is so much information about it, particularly compared to cases that don’t go to trial or are resolved by a plea deal.
“A lot of hacks go unsolved,” Jack Rhysider, producer of the true internet crime podcast Darknet Diaries, tells CHS. Rhysider recently dedicated an episode to the Seleznev case.
“What’s special about this: We know who did this.”
In the episode, “The Carder,” Rhysider chronicles how the Secret Service started tracking Seleznev’s online movements as early as the early 2000s. Back then, they suspected that “nCuX,” who sold stolen identity data and credit card information on carding and hacking forums, was actually Roman Seleznev of Vladivostok, Russia — also the son of a prominent Russian lawmaker friendly with Vladimir Putin.
“While these carding markets are often operated in other countries,” Rhysider explains, “the U.S. banks are frequently the ones having their customers’ cards get stolen, making US citizens, banks and shops victims of these crimes. So the U.S. Secret Service has a mission to find these criminals and bring them to justice.”
That was the plan, at least. The Secret Service shared their findings, including Seleznev’s name, with the FSB, Russia’s security agency. A month later, something strange happened: nCuX completely disappeared from the internet, announcing he was “retiring.”
He hadn’t really, he just went by other names. By spring 2010, the Secret Service in DC had started an investigation into his second alias, Track2.
About the same time, U.S. Secret Service agent David Dunn, based in Seattle, received a phone call. A Schlotzsky’s Deli in Coeur d’Alene, Idaho, had been hacked. Dunn was sent to investigate and discovered that keystroke logging malware on the registers had been transmitting swiped credit card information to a server in Russia for the past six months. Those stolen credit cards were traced back to two carding websites, bulba.cc and track.name. That they were sold there was not surprising. What was: Someone had installed the malware by taking control of that computer from afar.
It all clicked months later, in October of 2010 on Capitol Hill at the Broadway Grill.
Dunn had gotten another call, this time from a bank investigator at BECU, Washington’s largest credit union, who told him they had noticed a massive spike in fraud. The common denominator? The Broadway Grill, the then recently-revived Capitol Hill queer institution. On the back-office computers running its point-of-sale system, Dunn found the same malware he’d found at Schlotzsky’s. It was installed in a very similar way: By someone getting access to the computer.
The Broadway Grill had no idea they’d been hacked, nor that the hacker had been able to siphon off roughly 33,000 credit card numbers to another computer with an I.P. address in Ukraine during a five-day breach. The hacker, the investigators found, then quickly sold them on the dark web, resulting in at least $79,000 worth of unauthorized charges. That the number of stolen credit cards ran into the tens of thousands had to do with the fact that Broadway Grill’s software “was not configured to purge previously-used numbers periodically, so there were many months of numbers saved on the point of sale system,” said U.S. Department of Justice Public Affairs Specialist Emily Langlie over email. That meant the hacker was able to access card numbers from months before the breach.
Among those 30,000+ stolen credit card numbers were those of C.J. Saretto, a Broadway Grill co-owner who had taken over the 20-year-old restaurant with Matthew Walsh in the summer of 2010 and reopened it as The Grill on Broadway. Saretto, who holds degrees in computer science, discovered his own numbers among the other stolen ones in the plain-text file on the server.
“I can tell you mine were included, because I was a customer before I was the owner,” Saretto revealed during trial testimony, according to court records.
Saretto, who worked at Microsoft at the time, rushed to the restaurant as soon as he heard about the breach. “I left work because the restaurant was not going to be able to function if we didn’t switch over to using modems to process credit cards,” Saretto said. With a modem bought at Staples, they air-gapped the system and processed cards over dial-up. It worked, but painfully slowly. “You can imagine, every time someone swipes the card, the computer in the back office is making that wailing modem sound, that we remember from the ‘90s.” Saretto added that it was very tough to do business as a result, particularly during the Grill’s second-busiest time of year, its boozy Halloween costume contest and party.
While the Grill struggled, Dunn was still looking for the hacker. He suspected that the email address connected to the two carding websites, [email protected], did not really belong to “Alexy Davydov.” A warrant for the email address led Dunn to a server in Virginia, full of credit card dumps worth millions of dollars, uploaded by hundreds of computers across the country. Many of these computers, Dunn found, were located in small restaurants.
Almost all of them used a similar point-of-sale system. The hacker accessed the systems by scanning for computers with remote desktop exposed to the internet. Once he found them, he’d fire off a brute-force password attack, an automated process that guesses the password by trying thousands or millions of candidate words. And sometimes, Rhysider said, he’d simply log in with a password he had found many of them shared.
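The pattern described above, a burst of failed remote desktop logons from one address followed by a successful one, is exactly what an operator can watch for in Windows Security logs. The script below is an added illustration written for this article, not code from the investigators, the podcast or any product. It assumes a simplified, constructed log format of one event per line (timestamp, event ID, logon type, user, source IP); the Windows event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real, but the sample lines and addresses are made up.

```python
"""Flag remote desktop brute-force bursts from Windows Security log events.

Added example for this article; the log format is a constructed simplification,
not real Windows event text. Event IDs 4625/4624 and logon type 10 are real."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
REMOTE_INTERACTIVE = "10"  # LogonType 10 = RemoteInteractive (RDP session)


def build_sample_log():
    """Constructed sample: 12 failed RDP logons in ~30 seconds from one address,
    then a success from the same address; plus benign activity elsewhere."""
    base = datetime(2010, 10, 1, 2, 14, 0)
    lines = [
        f"{(base + timedelta(seconds=3 * i)).isoformat()} 4625 10 administrator 203.0.113.7"
        for i in range(12)
    ]
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()} 4624 10 administrator 203.0.113.7")
    lines += [
        "2010-10-01T09:10:00 4625 10 manager 198.51.100.4",  # one typo, then success
        "2010-10-01T09:30:00 4624 10 manager 198.51.100.4",
        "2010-10-01T09:31:00 4624 2 manager -",              # console logon, ignored
    ]
    return "\n".join(lines)


def parse_events(text):
    """Parse 'timestamp event_id logon_type user source_ip' lines, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, user, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "id": event_id,
                       "type": logon_type, "user": user, "src": src})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return a list of (kind, source_ip, detail) alerts.

    'burst': a source reaches `threshold` failed RDP logons inside `window`.
    'success_after_burst': that same source later logs in successfully,
    which is the point at which a guessed password must be assumed."""
    recent = defaultdict(deque)  # source ip -> timestamps of recent failures
    burst_sources = set()
    alerts = []
    for e in events:
        if e["type"] != REMOTE_INTERACTIVE:
            continue  # only remote desktop sessions matter here
        q = recent[e["src"]]
        if e["id"] == FAILED_LOGON:
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:  # slide the window
                q.popleft()
            if len(q) >= threshold and e["src"] not in burst_sources:
                burst_sources.add(e["src"])
                alerts.append(("burst", e["src"],
                               f"{len(q)} failed RDP logons within {window}"))
        elif e["id"] == SUCCESS_LOGON and e["src"] in burst_sources:
            alerts.append(("success_after_burst", e["src"],
                           f"user {e['user']} logged in after brute-force burst"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect_rdp_bruteforce(parse_events(build_sample_log())):
        print(f"{kind:20} {src:15} {detail}")
```

The threshold and window are deliberately conservative; a single mistyped password followed by a success twenty minutes later (the "manager" lines) raises nothing, while ten failures inside five minutes from one address does. In a real deployment the same logic would read the 4625/4624 events from the event log or a SIEM, and the "success_after_burst" alert is the one that should trigger an immediate password change and review of what the session did.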
“Seleznev was good at the market itself,” Rhysider told CHS. “Knowing how to sell these cards, that was his specialty. He was only a mediocre hacker.”
But if perhaps the people in charge of securing the PoS systems were a little sloppy, then so was Seleznev. On the server in Virginia, investigators found that a certain ‘Roman Seleznev’ had purchased airline tickets for himself and his family. And the Samvelich email address? A Roman Seleznev used it to open a PayPal account. It listed his home address. Other sloppiness exposed Seleznev further. At one point, he used one of his “professional” email addresses to order flowers for his wife, with a personal note including their daughter’s name. It was also linked to his home phone number. And the movie ticket website he registered at? They sent him a welcome email that displayed his username and password in clear text: Ochko123.
For a while, Seleznev was lucky enough to stay out of the hands of the Secret Service. He also got unlucky. In April of 2011, he and his wife were in the wrong place at the wrong time. The popular Argana café in Marrakesh, Morocco, was hit by a bomb explosion. Seleznev, in serious condition after being hit by shrapnel, was medically evacuated to Moscow. After the blast, the bulba.cc website went silent.
Seleznev had not only narrowly escaped death. He’d also escaped capture. The Secret Service had figured out Seleznev was in Morocco and had started trying to figure out ways to capture him while he was there. The attack threw a wrench in the works.
In the end, the Secret Service had to wait for another Seleznev vacation, in July 2014. Seleznev was a resident and citizen of Russia, which does not extradite its citizens to the U.S. They had to wait for Seleznev, back on his illegal carding game, to take a trip to a country that would extradite him.
Seleznev likely suspected an atoll in the Maldives, a tropical South Asian nation that does not have an extradition treaty with the U.S., was a safe place to spend a $20,000 private beach vacation. But he miscalculated how badly the U.S. wanted to catch him. Stressing the importance of the case and issuing a “formal request” to the Maldives government, the U.S. was able to convince the Maldives to expel Seleznev into U.S. custody.
So the Secret Service waited for him at the airport. Flanked by his wife and daughter, Seleznev appeared, ready to board a plane back to Russia. Instead he was apprehended and put on a private jet to Guam, where he was detained. The Secret Service also seized the blue Lacoste laptop case with his laptop and iPhone in it.
Russian officials were not pleased. They accused the U.S. of “kidnapping” Seleznev in an attempt to trade him for whistleblower Edward Snowden, which the U.S. denied. “His political ties and his father’s position in the Russian government were a significant issue in the case,” Barbosa said. “There was a lot of tension between our governments as a result of his capture.”
But now that the U.S. had Seleznev, they were not ready to let him go. They were bent on making an example out of him. “Cyber crooks should take heed: you cannot hide behind distant keyboards,” said Jenny A. Durkan, the U.S. Attorney for Western Washington at the time of the arrest. Back then, Seattle’s now-mayor was known for her role in fighting cybercrime, waging a forceful fight against what she called the “cyber crook business model.” That same year, Durkan stepped down from her post. Her office continued to prosecute Seleznev.
The laptop proved to be the smoking gun. It was password protected, but a case agent remembered Seleznev’s favorite password: Ochko123. He tried it and got in on the first try. On the laptop were over 1.7 million credit card numbers as well as PACER (Public Access to Court Electronic Records) records. Before he traveled, Seleznev used to search the PACER database for his own name and nicknames, to see if there were any arrest warrants. It enabled investigators to tie Seleznev to even more online aliases he used for criminal activity — more than twenty in total.
Three years later, Seleznev was sentenced to 27 years in prison in the Western District of Washington case. His sentence runs concurrently with other sentences of 14 years in other cases tried in the Northern District of Georgia and the District of Nevada courts. In total, Seleznev was ordered to pay restitution of $221,919,973… and 25 cents.
According to court documents, the court sought restitution of $20,580 for Saretto of The Broadway Grill, which the U.S. Department of Justice Public Affairs said was among the victims with the most numbers stolen. What was to blame on Broadway?
Mainly, the remotely administered and out-of-date PoS system. The Broadway Grill’s system, Restaurant Manager, was remotely administered by a Sammamish-based company. Saretto said the company never upgraded the system, which was already behind on updates when they purchased the Grill.
The remote administration of the system, which exposed it to the internet, was its vulnerability. Many local businesses had their systems administered in a similar way. “A few of the owners came to court to testify,” says Rhysider in his podcast. “They said they had it open like that because their I.T. support team needed it open to troubleshoot issues. And actually, a lot of these businesses had the same password because the same I.T. support groups reuse passwords for many of these businesses.”
CHS reached out to the company but has not heard back from them about whether they are still serving local businesses with remote system administration.
The breach dealt a death blow to the Broadway Grill, which was already struggling with problems including the quality of its food and service. Saretto, during testimony, claimed that they saw “somewhere on the order of 40% reduction in gross revenue, pretty heavily, after the media picked it up.” Customers were worried and stopped coming. Saretto and Walsh also had to fix their security issues to make sure they were compliant with the Payment Card Industry requirements. Hiring a forensic firm and the compliance program cost roughly $12,000 to $13,000, Saretto said. On top of that, Visa and MasterCard levied fines of $5,000 and $2,500, respectively, for having been “non-compliant” with PCI’s security standards.
It all spiraled from there. For years after the breach, Saretto said in his testimony, The Broadway Grill was operating in the red, and never got out of it again. “And after keeping the business on life-support for about two-and-a-half years after that, we just called it quits,” Saretto said of the April 2013 closure, “shuttered the doors, walked away from the loan obligations, filed personal bankruptcies.”
The Grill got blindsided by the hacking. But how likely is it that a similar breach happens to other small businesses today?
“The risks are real,” says Troy Leach, Chief Technology Officer at Payment Card Industry, a coalition founded by credit card companies. “What small businesses don’t realize: They hear about these giant hacks that are happening, front page news, and think these hackers are targeting giant businesses. But the vast majority of attacks are done automatically by botnets, and they do not know who they are attacking. It’s a shotgun approach, they are attacking everyone equally — including small businesses.”
He continued: “[Data criminals] want to do it as simply as possible, with automated solutions, which makes small business more at risk, because they typically do not have a professional security expert on staff,” nor, often, the money or time to do it themselves.
Leach also gave some tips for businesses to strengthen their security. Keep your software and hardware up to date, don’t use the same wi-fi network for sensitive payment information, and ask third-party vendors — meaning payment processors — if their remote updates are secure, among others.
Saretto, at The Broadway Grill, learned much of this only after the fact. “Did your expertise include point-of-sale systems?” Seth Wilkinson of the U.S. Attorney’s Office asked Saretto during his testimony. “I know an awful lot about point-of-sale systems today,” Saretto answered. “But when I took control of the restaurant, no, sir, I did not have any idea.”
Saretto and Walsh, who have not responded to requests for comment, now live in Tennessee. Today, six years after the closure, the Grill is ready to start a new life as well. Last month, the building, which has sat empty for years, was purchased by prolific Capitol Hill real estate investor Ron Amundson in a $3.2 million deal.
“It definitely will be kicking back into life,” Amundson told CHS. “Paint, lights, a clean-up. It’s time.”
You can listen to Darknet Diaries here.
I appreciate this article, it fills in some blanks in my knowledge.
Agreed. Great reading.
I also want to give kudos to Margo on this article. Well-written, informative, and captivating.
Agreed. Amazing article. You don’t see many as good these days… except of course right here on CHS.
A lot of sloppy, careless, security management all around. Who would think a prolific hacker like Seleznev would go down making the same mistakes he relied on others to make in building his empire?
Fascinating, informative, well-written and really useful. Understanding all these chains of failures, from POS systems to the IT managers of POS systems using similar passwords for multiple businesses – I guess with small businesses maybe cash is safest, as it’s clear that even someone as technically sophisticated as the MSoft employee couldn’t control it.
This is exceptional journalism and an amazing article. I gave this article to my students to read, analyze, and discuss as an example of how it should be done (and written). Who needs WSJ or NYT when we have this kind of reporting from CHS?