July 8, 2014

The U.S. Justice Department on Monday announced the arrest of a Russian hacker accused of running a network of online crime shops that sold credit and debit card data stolen in breaches at restaurants and retailers throughout the United States.

The government alleges that the hacker known in the underground as “nCux” and “Bulba” was Roman Seleznev, a 30-year-old Russian citizen who was recently arrested by the U.S. Secret Service.

Seleznev was initially identified by the government in 2012, when it named him as part of a conspiracy involving more than three dozen popular merchants on carder[dot]su, a bustling fraud forum where Bulba and other members openly marketed various cybercrime-oriented services.

According to Seleznev’s own indictment, which was filed in 2011 but made public this week, he was allegedly part of a group that hacked into restaurants between 2009 and 2011 and planted malicious software to steal card data from store point-of-sale devices.

The indictment further alleges that Seleznev and unnamed accomplices used his online monikers to sell stolen credit and debit cards at bulba[dot]cc and track2[dot]name. Customers of these services paid for their cards with virtual currencies, including WebMoney and Bitcoin. As explained in the screen shot below, the track2[dot]name site stopped accepting new members in 2011, and new applicants were directed to bulba[dot]cc, which claimed to be an authorized reseller.

Bulba[dot]cc, as it looked in May 2011.

Bulba[dot]cc, as it looked in May 2011.

Recently, however, track2[dot]name began accepting new members who agreed to pay up-front deposits. The deposits ranged from one bitcoin (about $624 USD) for a basic account, to 20 bitcoins (roughly $12,484 USD) for a “corporate” account that is eligible for generous volume discounts and lengthy replacement times for purchased cards that turn out later to be canceled by issuing banks.

Bulk buyers also were a big part of the typical clientele that shopped at bulba[dot]cc. In 2013, the carder[dot]su crime forum was compromised, and a copy of it was obtained by law enforcement and by several security researchers (including this author). Prosecutors alleged that Seleznev also was responsible for maintaining the “Bulba” user account on that forum, and judging from the hundreds of private messages that Bulba responded to from interested buyers, more than a few of them were looking to buy huge quantities of stolen cards.

A private mesasge between card merchant "Bulba" and an interested buyer on the fraud bazaar carder[dot]pro.

A series of private messages between card merchant “Bulba” and an interested buyer on the fraud bazaar carder[dot]pro.

Random mixes of 100 cards from American Express, Visa, MasterCard and Discover fetched $1,300 ($13 per card), while “megamix” collections of 1,000 randomly chosen cards sold for $8,000 ($8 per card). Buyers typically have groups of “runners” at their disposal, each of whom fan out to various big box retailers and use the fabricated cards to purchase high-dollar gift cards, electronics and other items that can be re-sold quickly for cash.

A statement by Washington State U.S. Attorney Jenny A. Durkan notes that Seleznev’s first court appearance was in Guam, an unincorporated territory of the United States in the western Pacific Ocean. A spokesman for the Secret Service declined to say where Seleznev was arrested, but it’s a good bet that he was apprehended while traveling somewhere outside of his home country.

Russian hackers targeting American businesses are generally safe from arrest and prosecution provided they don’t target their own countrymen or travel internationally, and the Russian government has not recently been known to assist foreign law enforcement agencies in arresting its own citizens.

Update, July 8, 8:41 a.m. ET: This Reuters story cites Russian media saying that Seleznev was arrested in the Maldives, and that he may be the son of a member of the Russian parliament.

This statement, from the Russian Ministry of Foreign Affairs, confirms that Seleznev was arrested (the Russian government says “kidnapped”) in the Maldives as he was headed back to Moscow. The ministry said that the Maldives, “contrary to the existing rules of international law, have allowed an intelligence agency of another state to kidnap a Russian citizen and take him out of the country. We demand that the Government of the Maldives to provide the necessary clarifications. Given these circumstances, we again strongly encourage our countrymen to pay attention to the warnings posted on the Web site of the Russian Foreign Ministry, regarding the risks which are associated with foreign travel, if there is a suspicion that U.S. law enforcement agencies can tie them to any claim.”

Original story:

Seleznev and others named as part of the carder.su conspiracy are being charged under the federal Racketeering Influenced Corrupt Organizations (RICO) Act, a law which allows prosecutors to hold every member of a criminal organization individually responsible for the actions of the group as a whole.

Many named in the multi-count carder.su indictment have already been arrested, pleaded guilty or found guilty by a jury, such as David Ray Camez, a 22-year-old who didn’t have much in the way of assets or riches (PDF) to forfeit after his conviction, unless you count PVC card embossers, hot-stamping machines, dozens of phones and computers.

Another member of the conspiracy, Cameron “Kilobit” Harrison of Georgia, pleaded guilty to federal racketeering charges in April 2014. Kilobit is the same carder.su member asking Bulba in the above screenshot about the price of purchasing stolen cards in packs of 100.

For more on how these carding shops work, check out my story from last month, “Peek Inside a Professional Card Shop.”

A copy of the indictment against Seleznev is available here (PDF).


60 thoughts on “Feds Charge Carding Kingpin in Retail Hacks

  1. Justin Hakes

    I can’t believe how dumb / arrogant some of these criminals are, All he had to do was stay in Russia…..

    With that, these operations are proving the existing payment tech is lacking in security and needs to rebuilt from the ground up.

    1. Tom S

      Um… have you ever spent any time in Russia? I have. They mostly can’t WAIT to get out of there, even if only for a short vacation… looks like some of their vacations will be extended.

      1. SeymourB

        It’s a fine place to stay, so long as you can afford to stay near the top of the food chain. But if your criminal empire starts hiccups and you miss paying the wrong bribe, you can quickly end up as miserable as the average Russian citizen.

        1. Jesse

          Even billionaires are not exempt. Mikhail Khodorkovsky can tell us all about that.

  2. Hybrid AU

    A great article as always, it’s a good day when Krebs pops up in my RSS feed.

    One small typo I think Prosectors should be Prosecutors

  3. stevieod

    What is truly sad about this whole incident is that American card providers are using a band aid approach to protecting their customers.

    Europe, Japan, China, and many other progressive countries have already gone to more secure methods of charge card use and processing.

    I imagine it’s the old problem of let’s use what we got until we run it into the ground. That and NIH.

    1. Mike

      What do the National Institutes of Health have to do with this arrest??

      (Just kidding)

  4. Theome

    Small typo: 8th paragraph reads “meagmix”, should be “megamix”.

  5. heh

    That pink looks fabulous. Boris will be very popular in prison 🙂

  6. Rosemary

    Wow! Thank you for the info. Our security for our U.S. citizens need to seriously reviewed. This is an eye opener! Information like this does not make the news.

  7. Lady Ga Ga

    Not surprised at all its an Old school tactics . in case you didnt know , he was arrested in Maldive islands .
    here is the interesting point you mentioned — “generous volume discounts and lengthy replacement times for purchased cards that turn out later to be canceled by issuing banks.”

    How do you know that they been canceled by issuing banks ? did you try to use/buy them cards ? there is no other way to know if they are still ” GOOD ” unless you buy them/ Most of them shops dont display full card number they only display BIN and you cant cancel a credit card just by looking at the BIN you need full number or a name at list . Very , very strange story .

    1. todd glassey

      Gaga – here is the deal, we tried to get VISA to use one of the new light-weight but very strong crypto systems we invented (we invented what you think of as location based services – US6370629 – so this is no problem to fix.) but the issue then was “changing the customer experience” and the VISA fraud rate was down at 3% or so. 3% of three trillion dollars – then… Today its much higher than that.

      The reality is that none of the people driving this boat has any idea how to secure PCI (*Payment Card Industry) controls and in fact the SSC has supposedly set the compliance aside for certain parties as well making it a very one-sided compliance practice which apparently was more indicative of the PCI adding extra overhead to the merchant cost model which can only be serviced by PCI DSS certified parties – i.e. they created their own industry to audit the card processors – which of course has its own rules which are different than any other public auditors today… Nice move that.

      If you want to blame someone specific for this hack – the Russians let this guy operate – because he most likely paid someone to allow that. The person that was paid needs to go down too here otherwise this appears to be the Russian Government approving Cyber Crime against the US and that would be a covert act of war.

    2. Ralph Daugherty

      gaga, for some reason you’re assuming the cards would be replaced without using them, not sure why you would assume that. The information provided is straightforward. A corporate account gives a generous replacement policy for cards that turned out to be cancelled, and yes, they’re found out to be cancelled by trying to use them. Nothing strange about any of that.

  8. Andy

    Leaving the safety of mother Russia is not a smart move when you’re in the carding business.

    1. Diane Trefethen

      Nor, sadly, if you blow the whistle on unconstitutional activities by the US government.

      1. Cog

        Nor, sadly, if you blow the whistle on unconstitutional activities by the Russian government. Oh wait…

  9. TheOreganoRouter.onion.it

    Great article, keep them coming

  10. Chuck Fonta

    I’m sure that the weak security measures will stay in place until the cost to the card providers exceeds the cost of the upgrades. With the exorbitant interest charged, and negligent customers, I am guessing that the card issuers are looking at card fraud as simply the cost of doing business, and pass it on to their card holders.

    1. sarah

      Mostly they pass it on to merchants, but otherwise correct!

      1. Sam Walton

        Well, it IS the merchant that’s being compromised, so why shouldn’t they have the cost passed to them?

        1. Diane Trefethen

          “The only reason I can’t get a job (do my homework, get ready on time) is that you are always nagging me.” “If you were a more loving wife, I wouldn’t have sex with other women.” “If you made more money, I wouldn’t need to drink to make life more bearable.” In our society, we have grown very accustomed to placing the blame for our misdeeds on the actions of others. Clearly this makes no sense but we do it anyway. Sam’s comment is the result of this kind of thinking. Why shouldn’t merchants have the cost of credit card fraud passed to them? Because the merchant signed a contract with the card issuer in which the card issuer promised to deliver a service. The promised service did not include getting defrauded and the fraud was a direct consequence of the actions, or lack thereof, of the card issuer. The merchant is in the same position as you would be if you hired a bonded service to deliver a cash filled briefcase and the person carrying the cash got robbed. Would you say, “Well, it IS me that’s being compromised, so why shouldn’t I have the cost passed to me?” Or would you rightly point out that the company breached a contract when it failed to provide the service it promised and therefore should be liable for the damages to you?

          Whether it is a service or a product, no warranty laws can relieve the provider of the responsibility for delivering goods that meet the criterion of what is reasonably expected for that particular service or product. If you buy a new bike, it should have two, new, serviceable tires. If you buy a steak dinner, you should not get pancakes and bacon. Similarly, a credit card issuer should not be allowed to foist off onto a customer, the losses when third parties steal that customer’s money, losses that result from the card issuer’s failure to adequately secure the cards it provides.

          1. Jeff

            Sorry, Diane, the one shifting blame here is you. If you hire a bonded agent to carry your cash for you, but someone robs your cash drawer before that agent shows up to collect it, it is not the agent’s fault.

            It is not the bank’s fault that Target let the air conditioning guy have access to their most secure network.

            It is not the bike shops fault that you have strewn *your* driveway with broken glass.

            It is not the steak shop’s fault that you accidentally went to the pancake shop next door, and pointed to the pancakes on the menu, because you never bothered to learn the difference between steak and pancake.

            1. Diane Trefethen

              @Jeff
              An analogy is supposed to mirror the actual case but in a fashion that clarifies a problem. Your post is an admirable exercise in obfuscation. Still, taking just your first scenario:
              Your statement is correct. In the scenario you pose, the agent is not at fault. In fact, the agent is not even involved in the transaction that actually occurred, ie, the theft, so there is no way the agent can be faulted. But… is that analogous to what is actually happening in these frauds? No it is not. The “bonded agent,” ie, the credit card provider, promised you a service and AFTER using the service, the criminals exploited the “bonded agent’s” faulty card security to rob your cash drawer. Had the card the “bonded agent” given you been more secure, the robbery of your “cash drawer” would have been much less likely.

              As to your other scenarios, they all rest on you being foolish. The actual crimes involved you doing exactly what you are supposed to do with a credit card. Use it. Ergo, your scenarios are not remotely analogous to what actually transpired.

    1. Mike

      In the title and in the article, RT puts kidnapped in quotes. Whew. They’re just repeating, not as propaganda megaphone like ABC/NBC/MSNBC/CBS does for the White House, how the MP phrased it when he accused. That’s what the quote marks mean.

      It’s a well-written article, now that I’ve read it.

  11. petepall

    Keep in mind that “costs passed on to merchants” wind up biting us, the customer, in the butt!

  12. Jackie

    I have been reading about these kinds of incidents way too often. Clearly the US government needs to do something to improve the security on credit card data. It should be being taken a lot more seriously than it currently is. We are aware that hackers are becoming smarter but that means we should be implementing more security measures not sitting back and doing nothing.

  13. Heron

    You got on Fresh Air! I am so jealous.

    (For anyone who doesn’t know, Fresh Air is an NPR program.)

      1. JimV

        Perhaps it’s a bit of semantic nicety, if the rendition (capture by covert operatives) occurred in the Maldives but then he was then taken to Guam and handed over to the Secret Service where formal induction into the legal system took place at that point.

        1. Eric

          The Maldives is an Islamic republic which does not appear to have an extradition treaty with the US.

          If he was arrested by the Secret Service there, it was definately a snatch and grab and the case could definately made that he was kidnapped.

          Guam appears to be the closest US territory so taking him there first makes sense.

          1. Mike

            That would make the article accurate, unless BK was referring to a different facet of the article–some other information.

          2. Evgueni

            The devil in the details… If he was arested by Maldivian law enforcement and brought to an US military ship or aircraft he can be legally get re-arrested by US Secret Service.

  14. Smileydi

    Slightly off topic, but really enjoyed the interview on “Fresh Air” this morning with Terry Gross. Brian was very low-key about the personal prices he and his family have had to pay in harassment because of his job. I for one, really appreciate the journalistic integrity and perseverance he has displayed in the face of all this.
    Keep up the great work, Mr. Krebs!! Diana

  15. Aleksey

    Another interesting story of a carder who dared to venture out of no-US-extradition territory and paid dearly for it. Two questions remain:

    1. What evidence links the online criminal described in the indictment to the physical persona of Roman Seleznev?

    2. How come he was arrested and then taken out of Maldives without any extradition proceedings?

  16. zackis

    Good riddance to bad rubbish! Thanks BK for once again shining the light into the dark corners. Information, if nothing else no longer allows people to claim ” I didn’t know” and that is one step closer to asking that the Banks do the job of securing money. In the end that is their one and only job is it not?

  17. KFritz

    I visited this website to see which countries lacked US extradition treaties.

    http://www.justanswer.com/criminal-law/165kv-countries-not-expidite-people-back-u-s.html

    Although there are quite a few nations with tropical beaches and which don’t like the US, very few of them like Russian carders, either. So while most probably won’t extradite a carder ot the US , they’re likely to ask a carder to leave when the US let’s them know about him. And if there’s no direct flight to Russia from said country, a carder may very well be arrested if a flight stops in an extraditing nation. The Maldives would not ask a carder to leave, BUT the US would have no qualms about a snatch in the Maldives because it’s an Islamic republic that usurped an elected government–with nothing the US needs.

    After looking at the list, a carder’s best bet (probably only chance) for hassle-free tropical beaches and a direct flight to Russia is….Cuba!

    Would any readers have been able to extrapolate this information before the snatch in the Maldives? I read a fair amount about politics, and I wouldn’t have been able to predict the snatch. This carder wasn’t being stupid or careless–he lacked in-depth information.

    1. Aleksey

      This snatch in Maldives is a first of a kind for a cybercriminal bust, unless I missed something. Usually there are arrests made by local authorities and subsequent extradition proceedings.

      I agree – it would be difficult to predict this event for a carder. But if I was a big enough player in the cybercrime biz, I would stay completely out of any country that is not “axis of evil” type – like Cuba, North Korea, Iran, Venezuela, Belarus, etc… After all, Russia has enough of nice places to enjoy if one has money. The risks are simply not worth it these days.

      1. KFritz

        Yep, the kidnapping is an escalation. Russia doesn’t have warm tropical water with beaches. And Cuba is a much safer nation than Venezuela.

        Would you not have thought the Maldives safe before the snatch?

        1. Aleksey

          This qustion is answered here: http://en.wikipedia.org/wiki/PISCES

          This article also provides a handy list of no-go countries to anyone who may have any problems with US law enforcement, especially cybercriminals…

        2. Aleksey

          I would have thought it safe, but it is clear taht there are very few “safe” places for cybercriminals to go now.

          Russia has some tropical resorts, although not much. Sochi comes to mind and now, Crimea…

          1. KFritz

            I’ve never been to Sochi, the Maldives, or Cuba–but from my reading, the Maldives and Cuba are much nicer places to lay in the sun, and swim in the water. If you’re a wanted carder, only Cuba. (-;

  18. SpryWeb

    I recommend all merchants stop accepting credit and debit cards altogether. Put an ATM machine in your shop (that you run and get commission for, of course) and accept CASH ONLY. Post it on the door and lower the cost of your goods.

    Only when the usage of credit and debit cards drops significantly due to fraud will the banks and card issuers switch to something more secure. Currently the only thing more secure (but still vulnerable) is chip-and-PIN.

  19. Roger J

    Fantastic article right on top of the NPR Fresh Air interview that was aired on KQED this evening. I sat in my car for 45 minutes listening to the full interview instead of going into the restaurant where I had a reservation. Worth the wait. Thanks for your important and insightful work.

    1. IA Eng

      Now, tie the money back to them, and see how much kickbacks were recieved.

      That’s the real reason they are all ticked off. The USA cut off some of their illicit funding.

      1. NikSam

        According to father, he was not much in contact with his son and was not aware of his activities.
        But him and Russian foreign ministry condemns unlawful kidnaping and trafficking of a russian citizen.

        1. IA Eng

          Yeah he says that now – Cuz the kickbacks aren’t happening any more. Look for photos on your fav search engine and see if they hung out together recently in public.

          Don’t always believe what you read on the internet. Double that if it comes from a politician. Quadruple that if it comes from a Politician via a news article on the internet.

          Any recent paper articles ?… Wait ! am I questioning the word of a Dignostory ? yep.

          Kid:Hey dad, how have ya been.
          Dad: Good How is life? How is work?
          Kid: I am doing good. The CC ripoff biz is doing quite well !
          Dad: Where is my share ? You know I work the PM, and to you should pay insurance hommage to me in order to keep this quiet.
          Kid: When I get home (not) from my trip the check will be on your desk.

  20. Sab B. Ath

    Hello,

    I wonder if the russian guy was taken from Maldive idlands to the Guam base in “Mossad-Eichmann” style? Maybe israeli agents were actually involved? It looks like his chief victim was the “Schlotzsky’s Deli” fast food chain, which sounds like a kosher name.

  21. NikSam

    “Russian government has not recently been known to assist foreign law enforcement agencies in arresting its own citizens.”

    It was exercise of power on US part.

    And how would someone expect the russian authorities to bend over if similar requests by Russians being ignored in US and UK and Canada
    The 3 countries are well known to give a safe refuge for wanted russian criminals.
    Interpol requests for russian mafia leaders are being ignored.

    US cannot expect it to work only one way.

    1. BrianKrebs Post author

      My sense from talking to many law enforcement folks on cyber is that they’re done waiting for the Russians to help at all on cybercrime related activities. Near as I can tell, the last time the US got anything close to cooperation that didn’t also alert the parties under investigation was in 2009, and that’s a long time ago in Internet time.

      1. IA Eng

        Though it may be very hard to track, I am sure some of these illicit funds are probably used to keep the Russian Government afloat.

        Call them kickbacks, paying a higher tax rate – whatever it is, its just plain wrong for them to not assist in these type of crimes. As long as the country benefits from this sort of activity, then its going to continue to happen, and I personally never expected the Krimeland to ever group up and look around.

        I just look at it as if the Krimeland wants to maintain that communist look and feel, and the Krimeland doesn’t want China having all the funds.

        Yeah I understand, its probably an unspoken rule, if the miscreant is in Russia, they are to leave Russians and select other parties alone.

        But common – if your a carder, or a mafia kingpin and you have millions of dollars siphoned through you, wouldn’t you save a portion of that and then when it reaches a bizzare amount, simply get in a plane and go live on an island somewhere (HINT: not Guam) and start over. The only reason I see the need for millions, hundreds of millions or even billions is to keep the Krimeland from going bankrupt.

        =\

      2. Evgueni

        Well… they’ve arrested Paunch and few of his friends last fall. I guess they didn’t want to cooperate with FSB. 🙂

        1. BrianKrebs Post author

          True, but Paunch was working directly with many customers who were targeting Russian banks, so he violated the golden rule about not peeing in his own backyard.

    1. IA Eng

      The REAL question is…. How did they know about his travels in the first place? Hummmmmmm.

      1. JimV

        Just imagine someone in one of the NSA’s underground lairs who is monitoring his communications and chortling “Ve haf wayz of making you ‘talk’…”

  22. Zeydlitz

    The only one question I have: how PISCES distinguish one Roman Seleznev from another? It’s pretty common name and surname, and there is a bunch of Roman Selevnevs in Russia (and even age and does not give uniq identificator).

    Arrested Roman Seleznev has a pretty severe headtrauma from terrorist attack in Marrakesh 2011, and he is a hacker?

Comments are closed.