Wednesday, July 09, 2014

Roman Seleznev (AKA Bulba, AKA Track2, AKA NCUX) appears in US Court in Guam

The media is buzzing about the arrest of hacker and stolen credit card vendor Roman Seleznev who has appeared in court in the US territory of Guam after being arrested in the Maldives. We wrote about Seleznev as part of the RICO racketeering case against the owners and operators of the website. (See The indictment: United States v. Kilobit et. al.) but that was only the first part of Seleznev's trouble. Until this weekend, the original 27-page indictment against Seleznev in the Western District of Washington was under court seal.

In the Kilobit/Las Vegas indictment, the charges are that Seleznev did "Participate in a Racketeer Influenced Corrupt Organization [RICO]" and "Participated in a Conspiracy to Engage in a Racketeer Influenced Corrupt Organization."

The whole group are described in the indictment like this:

"The defendants herein, and others known and unknown, are members of, employed by, and associates of a criminal organization, hereafter referred to as "the organization," whose members engage in acts of identity theft and financial fraud, including, but not limited to, acts involving trafficking in stolen means of identification; trafficking in, production and use of couterfeit identification documents; identity theft; trafficking in, production and use of unauthorized and counterfeit access devices; and bank fraud; and whose members interfere with interstate and foreign commerce through acts of identity theft and financial fraud. Members and associates of the organization operate principally in Las Vegas, Nevada, and elsewhere.

The important thing to understand about RICO is that as PART OF THE CORRUPT ORGANIZATION all of the charged members are sentenced as if the whole group did all of the crimes.

What does that mean to Seleznev? In Las Vegas, Nevada, Seleznev is being charged with being part of a RICO group that is credited with directly causing, in actual measured and aggregated fraudulent transaction losses, $50,893,166.35!!

But before Vegas gets their hands on him, Seleznev will face charges in the Western District of Washington for Case # 2:11-cr-0070-RAJ-1.

In that case, Roman Seleznev, AKA TRACK2, AKA Roman Ivanov, AKA Ruben Samvelich, AKA nCuX, AKA Bulba, AKA bandysli64, AKA smaus, AKA Zagreb, AKA shmak is charged with:

(Counts 1-5) Bank Fraud 18:1344 & 2
(6-13)  Intentional Damage to a Protected Computer 18:1030(a)(5)(A) & 1030(c)(4)(B)(i) & 2
(14-21) Obtaining InformationFrom a Protected Computer 18:1030(a)(2) & 1030(c)(2)(ii) & 2
(22) Possession of Fifteen or More Unauthorized Access Devices 18:1029(a)(3) & 1029(c)(1)(A)(i) & 2 
(23-24) Trafficking in Unauthorized Access Devices 18:1029(a)(2) & 1029(c)(1)(A)(i) & 2  
(25-29) Aggravated Identity Theft 18:1028(a)(1) & 2
This 27 page indictment, filed March 3, 2011, was just unsealed on July 6, 2014 when Seleznev appeared in court in Guam.

Washington charges that Seleznev "knowingly and willfully devised and executed and aided and abetted a scheme and artifice to defraud various financial institutions, including, but not limited to, Boeing Employees' Credit Union, Chase Bank, Capital One, Citibank, and Keybank, and to obtain moneys, funds, and credits under the custody and control of the banks by means of material false and fraudulent pretenses, representations and promises, as further described below."

Seleznev would:

  1. hack into retail businesses,
  2. install malicious computer code onto those hacked computers,
  3. and use the malware to steal credit card numbers from the victim businesses' customers
  4. market and sell the stolen credit card numbers on "criminally inspired" websites
  5. thus allowing these cards and the associated accounts to be used for fraudulent purposes by the customers of his service.
Seleznev's malware primarily was controlled from a server named or at the IP address which is housed in a data center in the Russian Federation of Irkutsk. (That IP-name mapping is confirmed by Internet Identity's historical Passive DNS systems in May 2010.) A collection of malware found at the root site of that website, including malware named shmak, shmak2, kameo, hameo, zameo, dtc, dtc2, dtc4, rsca, remcomsvc, and others. FVDS.RU is a "third level domain" system that is attractive to criminals wishing to host malware on dedicated hostnames, without having to have their ownership of the hostname tracked in WHOIS services or through credit card payments.

Seleznev's websites for selling cards were primarily,,, and

The targeted businesses usually had several "point of sale" terminals "up front" and a "back of the house computer" which may have been a server or perhaps even just the manager's computer.

Some of Seleznov's victims included:

The Broadway Grill - 32,000 unique credit card numbers from Dec 1, 2009 to Oct 22, 2010

Grand Central Baking Company in Seattle, WA

four Mad Pizza restaurants (three in Seattle, one in Tukwila, WA)

Village Pizza in Anacortes, WA

Casa Mia Italian in Yelm, WA.

Schlotsky's Deli in Coeur d'Alene, Idaho

Active Networks in Frostburg, MD

Days Jewelry in Waterville, Maine

Latitude Bar and Grill, NY, NY

Mary's Pizza Shack in Sonoma, CA

City News Stand in Chicago and Evanston, IL

Bulba would advertise when he had new cards for sale, claiming as many as 17,000 "Fresh Dumps" (newly stolen and never before used for fraud) cards and offering guarantees, including free card replacement for cards that were declined. Seleznev/Bulba had such high quality, that the owners of the popular and allowed Seleznev and others to assume Monopoly status as the preferred card vendors for their boards, which were extremely prevalent in the underground.

According to the newly unsealed indictment, Seleznev personally stole (through his malware) more than 200,000 cards, and succesfully sold over 140,000 of those cards through his websites and between November 15, 2010 and February 22, 2011, generating direct illicit profits in excess of $2,000,000 USD.

Just the cards stolen by Seleznev at the Broadway Grill have been associated with $79,317 in fraudulent charges, and all of the cards stolen by Seleznev are responsible for actual fraud charges of at least $1,175,217.37.

November 15-16, 2010, $83,490 in charges were made against Boeing Employees Credit Union cards.

Jan 31-Feb 1, 2011, $30,716 in charges against BECU.

Seleznev will have a hearing in Guam on July 22, and then be transferred to the Seattle courts.

Seleznev Diplomatic Spat with Russia?

The story is growing into an international diplomatic spat as a Russian politician and member of the Duma, Valery Seleznev, is the father of the cyber criminal. In a statement from the Russian Foreign Ministry, the Russians accuse Maldives of ignoring their Bilateral Treaty of 1999 on Mutual Assistance in Criminal Matters. The statement says this is the third recent case of a similar situation, citing the examples of Viktor Bout and K.V. Yaroshenko as other recent cases where the US has forcibly taken a Russian citizen from a third country to stand trial in the United States. I strongly agree with the statement at the close of their statement, where they "strongly encourage our countryment to pay attention to the cautions posted by the Russian Foreign Ministry on their website about the risks associated with foreign travel, if there is a suspicion that U.S. law enforcement agencies can charge them with any crime."

Who are these others who are mentioned? Viktor Bout (Виктор Анатольевич Бут) was arrested in Thailand in 2008 and extradited in 2010 to stand trial for terrorism charges for delivering anti-aircraft missiles to FARC in Colombia. He was convicted by a jury in Manhattan (More from The Guardian) Konstantin Yaroshenko was arrested in May 2010 in Liberia as a cocaine smuggler pilot when he landed his plane in Monrovia, Liberia and was arrested by the DEA as he tried to negotiate a contract for $4.5 million to deliver 5 tons of cocaine from Colombia to West Africa. Yaroshenko was knowingly working with smugglers who were raising funds for the Colombian terror group FARC. (See Superseding Indictment

1 comment:

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.