The U.S. Justice Department on Monday announced the arrest of a Russian hacker accused of running a network of online crime shops that sold credit and debit card data stolen in breaches at restaurants and retailers throughout the United States.
The government alleges that the hacker known in the underground as “nCux” and “Bulba” was Roman Seleznev, a 30-year-old Russian citizen who was recently arrested by the U.S. Secret Service.
Seleznev was initially identified by the government in 2012, when it named him as part of a conspiracy involving more than three dozen popular merchants on carder[dot]su, a bustling fraud forum where Bulba and other members openly marketed various cybercrime-oriented services.
According to Seleznev’s own indictment, which was filed in 2011 but made public this week, he was allegedly part of a group that hacked into restaurants between 2009 and 2011 and planted malicious software to steal card data from store point-of-sale devices.
The indictment further alleges that Seleznev and unnamed accomplices used his online monikers to sell stolen credit and debit cards at bulba[dot]cc and track2[dot]name. Customers of these services paid for their cards with virtual currencies, including WebMoney and Bitcoin. As explained in the screen shot below, the track2[dot]name site stopped accepting new members in 2011, and new applicants were directed to bulba[dot]cc, which claimed to be an authorized reseller.
Recently, however, track2[dot]name began accepting new members who agreed to pay up-front deposits. The deposits ranged from one bitcoin (about $624 USD) for a basic account, to 20 bitcoins (roughly $12,484 USD) for a “corporate” account that is eligible for generous volume discounts and lengthy replacement times for purchased cards that turn out later to be canceled by issuing banks.
Bulk buyers also were a big part of the typical clientele that shopped at bulba[dot]cc. In 2013, the carder[dot]su crime forum was compromised, and a copy of it was obtained by law enforcement and by several security researchers (including this author). Prosecutors alleged that Seleznev also was responsible for maintaining the “Bulba” user account on that forum, and judging from the hundreds of private messages that Bulba responded to from interested buyers, more than a few of them were looking to buy huge quantities of stolen cards.
Random mixes of 100 cards from American Express, Visa, MasterCard and Discover fetched $1,300 ($13 per card), while “megamix” collections of 1,000 randomly chosen cards sold for $8,000 ($8 per card). Buyers typically have groups of “runners” at their disposal, each of whom fans out to various big box retailers and uses the fabricated cards to purchase high-dollar gift cards, electronics and other items that can be re-sold quickly for cash.
A statement by Washington State U.S. Attorney Jenny A. Durkan notes that Seleznev’s first court appearance was in Guam, an unincorporated territory of the United States in the western Pacific Ocean. A spokesman for the Secret Service declined to say where Seleznev was arrested, but it’s a good bet that he was apprehended while traveling somewhere outside of his home country.
Russian hackers targeting American businesses are generally safe from arrest and prosecution provided they don’t target their own countrymen or travel internationally, and the Russian government has not recently been known to assist foreign law enforcement agencies in arresting its own citizens.
This statement, from the Russian Ministry of Foreign Affairs, confirms that Seleznev was arrested (the Russian government says “kidnapped”) in the Maldives as he was headed back to Moscow. The ministry said that the Maldives, “contrary to the existing rules of international law, have allowed an intelligence agency of another state to kidnap a Russian citizen and take him out of the country. We demand that the Government of the Maldives provide the necessary clarifications. Given these circumstances, we again strongly encourage our countrymen to pay attention to the warnings posted on the Web site of the Russian Foreign Ministry, regarding the risks which are associated with foreign travel, if there is a suspicion that U.S. law enforcement agencies can tie them to any claim.”
Seleznev and others named as part of the carder.su conspiracy are being charged under the federal Racketeer Influenced and Corrupt Organizations (RICO) Act, a law which allows prosecutors to hold every member of a criminal organization individually responsible for the actions of the group as a whole.
Many named in the multi-count carder.su indictment have already been arrested, pleaded guilty or been found guilty by a jury, such as David Ray Camez, a 22-year-old who didn’t have much in the way of assets or riches (PDF) to forfeit after his conviction, unless you count PVC card embossers, hot-stamping machines, dozens of phones and computers.
Another member of the conspiracy, Cameron “Kilobit” Harrison of Georgia, pleaded guilty to federal racketeering charges in April 2014. Kilobit is the same carder.su member asking Bulba in the above screenshot about the price of purchasing stolen cards in packs of 100.
For more on how these carding shops work, check out my story from last month, “Peek Inside a Professional Card Shop.”
A copy of the indictment against Seleznev is available here (PDF).