Russian hacker went from poverty to making millions in stolen credit cards. Now he’s facing 27 years in prison

Trevor McFadden, acting principal deputy assistant attorney general, discusses Roman Valerevich Seleznev's 27-year prison sentence for hacking into U.S. businesses to steal credit card data.
(Ted S. Warren / Associated Press)

Born almost dirt-poor in Russia’s Far East, Roman Valerevich Seleznev still turned himself into a multi-millionaire by being one of the best in his field. That field, however, was stealing and selling credit card data.

On Friday, in a Seattle federal courtroom, before a judge sentenced Seleznev to 27 years in prison, his attorney and prosecutors recounted his remarkable rise — and fall.

“His entire life was a series of tragic events,” said his New York attorney, Igor Litvak.

Seleznev’s parents divorced when he was 2, and he and his mother lived in a small Vladivostok apartment with four other families. His mother died of alcohol poisoning when he was 17.

As a teen he began to make money by hacking computers, but got robbed and tortured by home invaders. When attempting to reunite with his father in Morocco in 2011, a portion of Seleznev’s skull was blown off in a Marrakesh terrorist bombing in which 20 others died.

He went on to become what investigators and prosecutors described as perhaps the most successful hacker they’ve encountered, which may explain the stocky, lightly bearded Russian’s often amused smile.

As prosecutors put it in charging papers after his arrest, Seleznev “became one of the most revered point-of-sale hackers in the criminal underworld … a market maker whose automated vending sites and tutorials helped grow the market for stolen card data.”

Prosecutors added: “This prosecution is unprecedented. Never before has a criminal engaged in computer fraud of this magnitude been identified, captured, and convicted by an American jury.”

That happened here in August when Seleznev was convicted of 38 counts of stealing and selling credit card data. Prosecutors said he operated a Russian server that he used to install malware on point-of-sale computer systems. The malware would copy the card data and send it to other Seleznev servers in Ukraine and McLean, Va.

Seleznev ultimately confessed and apologized, and his attorney argued that he had cooperated with prosecutors to provide valuable information and names regarding global cyberthefts. But prosecutors said his help was not useful to their investigation; the Justice Department clearly felt it had made a big dent in Russian cyberhacking. In court, a prosecutor described Seleznev as a “Tony Soprano-style mob boss.”

Igor Litvak, attorney for Russian hacker Roman Seleznev, says Seleznev's life has been a series of tragedies.
(Ted S. Warren / Associated Press)

His arrest came July 5, 2014, as he was heading back to Russia after a vacation. He, his girlfriend and their child were passing through security at Male International Airport in the Maldives, which has no extradition treaty with the U.S.

Seleznev was asked to step out of the line and then handed off to U.S. agents, who’d been tracking his faint trail for almost a decade. He was quickly flown to Guam for a hearing. Four flights later, detoured by a hurricane and slowed by two planes with mechanical trouble, he landed in Seattle.

The Russian government was irate. Officials, including Seleznev’s father, Valery, a member of Russia’s lower house of parliament and an ally of President Vladimir Putin, likened the arrest to the “extraordinary rendition” flights that have been used by the U.S. to kidnap and transport suspected terrorists to “black sites” — secret prisons — overseas.

FBI Director James B. Comey calls such takedowns legal tactics in the war against computer thieves. “It’s too easy for those criminals to think that ‘I can sit in my basement halfway around the world and steal everything that matters to an American,’” he told “60 Minutes.” “We want them looking over their shoulders when they’re sitting at a keyboard.”

The U.S. also legally eavesdrops on prison conversations, as Seleznev and his father found out after an international phone call last August. Speaking in Russian, Seleznev’s father asked, “What can we discuss, your escape plan or what?”

They went on to chat about tampering with a witness and delaying a hearing by staging a medical emergency, according to prosecutors and a transcript of the call.

His father said he had “found some ‘magicians’” who were “ready to create a miracle” leading to a fake illness and his son’s hospitalization. But with the feds tipped off, the plan never took off.

To carry out his crimes, Seleznev used the aliases “Track2” and “Bulba,” and created automated vending websites where criminals could obtain stolen data, investigators determined.

The data was sold and resold through the underworld. Testimony at Seleznev’s trial revealed that 3,700 financial institutions lost more than $169 million from the scheme, though officials speculated it could be billions. Seleznev, the onetime needy kid from Vladivostok, made millions.

In just two years of reaching across the seas to electronically break into banks, restaurants and credit card companies, he made $17 million, investigators said.

He scored “tens of millions more” in his nearly 25 years of hacking, they figured, but could not trace all his sales and income. He owned two properties in Bali and regularly jetted back and forth to Russia. He bought American muscle cars and took lavish vacations, prosecutors said.

American Express, MasterCard and Visa alone say his electronic entries resulted in a collective loss of at least $35 million. But Seleznev sought the little fish, too. Among the 2 million credit card numbers downloaded and then sold on the black market through Seleznev’s operation in recent years, many were obtained by cyberattacks at small businesses including bakeries and dozens of West Coast pizza parlors from Los Angeles to Seattle.

Seleznev’s legal problems are not over. The U.S. is seeking forfeiture of $17 million of his assets. He faces racketeering and conspiracy charges for his alleged cyberheists in Nevada, and is charged in Georgia with conspiracy to commit bank fraud, one count of bank fraud and four counts of wire fraud.

Before his sentencing Friday, Seleznev sent a letter to the court, seeking compassion and recalling his childhood: “Most of the time I was home alone and work hard. I learn myself about computer technology. I have great skill at young age and it was clear I could do great things with my life.”

Times change, said Seattle U.S. Atty. Annette L. Hayes. “Today is a bad day for hackers around the world,” she noted. “The notion that the internet is a Wild West where anything goes is a thing of the past.”

Anderson is a special correspondent.


UPDATES:

8:20 p.m.: This article has been updated with more information about Roman Valerevich Seleznev’s criminal history and quotes from Igor Litvak and Annette L. Hayes.

This article was originally published at 4:25 p.m.
