Darknet Diaries - Ep 32: The Carder

Episode Date: February 19, 2019

A carding kingpin was tracked by the Secret Service. How did he steal the cards? Where was he stealing them from? How much was he making doing this? And where did he go wrong? Find out all this and more as we listen to how the Secret Service investigated the case. This episode was sponsored by Eero. A solution to blanket your home in WiFi. Visit https://eero.com/darknet and use promo code "darknet". This episode was sponsored by Nord VPN. Visit https://nordvpn.com/darknet and use promo code "darknet". Cover image this episode created by 𝕄årç ∆⃝ 𝕄ølïñårō. Go to Darknet Diaries for additional show notes.

Transcript
Starting point is 00:00:00 A stolen credit card can be worth hundreds of dollars. It's actual money. But when hackers steal thousands of them, they don't have the time or capability to cash out on all these cards. So they turn to online marketplaces to sell their cache of stolen cards. In this episode, we'll track down a hacker who's stealing credit cards and selling them. These are true stories from the dark side of the internet. I'm Jack Rhysider.
Starting point is 00:00:31 This is Dark by Delete Me. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless. And it's not a fair fight. But I realize I don't need to be fighting this alone anymore.
Starting point is 00:01:11 Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites. And continuously works to keep it off. Data brokers hate them. Because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things. It was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for
Starting point is 00:01:43 Darknet Diaries listeners. Today, get 20% off your Delete.me plan when you go to joindeleteme.com slash darknetdiaries and use code darknet at checkout. That's joindeleteme.com slash darknetdiaries. Use code darknet. Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher. And he's made it a mission to make Black Hills Information Security world-class in security training.
Starting point is 00:02:38 You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months' access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com. BlackHillsInfosec.com posts of things they want to buy. And then agree to buy some stolen credit cards. But the process
Starting point is 00:03:45 isn't straightforward. Your credit card and PayPal are not accepted here. They require too much identifying information to process these transactions. It's too risky. This is very illegal. Western Union is doable, but it's not instant. And Bitcoin wasn't around yet in 2007. So Liberty Reserve was the best option to transfer money. This is sort of like PayPal, but they don't require much identification to make an account. Money can be transferred electronically, quickly, and easily, and almost anonymously.
Starting point is 00:04:16 So you send your money to the person selling stolen credit cards and tell them what you want, and they'll send you the credit card dumps. A credit card dump is the digital information stored in the credit card, like name, expiration date, card number, and bank info. This by itself can sometimes be used to make purchases, but some people will buy card writers and actually turn a blank credit card into a stolen credit card.
Starting point is 00:04:39 Then they try to buy things like gift cards at stores to convert the stolen money into something more legal. You can buy credit card dumps anywhere from $1 to $40 each, depending on where you live and how much info you get with it. But you gotta be careful. Some cards you buy might be old, expired, or already canceled due to someone else using it or it being reported stolen. So you really need to find a good vendor that you can trust. As you can imagine, some vendors are better than others. They have a high success rate, like 60%, 80%, and they have a big inventory. Some have fresher cards that were just stolen yesterday. So finding good credit card dump vendors is highly sought after. But you know
Starting point is 00:05:15 who else is really interested in these vendors? The U.S. Secret Service. The Secret Service has two main objectives. First is to protect the president, vice president, their families, and ex-presidents. And their second objective is to investigate criminal activity relating to financial and payment industries within the U.S. The Secret Service is very tuned in to the illegal carding markets. You can bet your bottom dollar that they know about every one of them. And they're on there, making accounts, exploring the site, watching key players, buying credit cards, and taking notes. Because what these carding websites are doing is very illegal. Not only is stealing someone's credit card illegal,
Starting point is 00:05:53 but then selling that is also illegal, and then someone else using the stolen credit card is illegal too. And it doesn't matter where in the world they're doing it from, they're stealing money from U.S. companies. So while these carding markets are often operated in other countries, U.S. banks are frequently the ones having their customers' cards get stolen, making U.S. citizens, banks, and shops victims of these crimes. So the U.S. Secret Service has a mission to find these criminals and bring them to justice. So the Secret Service went on to one of these sites, cardingworld.cc, and they started looking to see who's selling dumps. They found one vendor rising up in popularity. Their name was NCUX.
Starting point is 00:06:32 NCUX would come up on the forum and go crazy selling dumps. They'd say, American Express Cards, $1, Visa, MasterCard, Discover, $5 per dump, minimum $1,000 order, 60-80% valid rate. And they'd post this frequently on Carding World and a few other forums. The Secret Service started to build a case on this person. They started examining the history of NCUX by looking at other forum posts and their
Starting point is 00:06:55 online activity. The Secret Service started finding a lot of clues about this person. They determined NCUX is a Russian word pronounced seek, and it means psycho. They tracked his username back a few years and found they were first selling stolen identities online, things like name, birthday, and social. Then in 2005, NCUX switched to selling more profitable stuff, credit card dumps. Investigators searched more and discovered NCUX's identity. It's unclear how they found this, but they discovered his name was Roman Seleznev
Starting point is 00:07:26 and he was living in Vladivostok, Russia. The Secret Service went to Russia and met with the FSB to see if they can help track him down. The FSB was formerly the KGB and they conduct criminal investigations. When the Secret Service met with them and started asking about Roman Seleznev,
Starting point is 00:07:42 the FSB offered no help at all, like almost suspiciously unhelpful, which sent the Secret Service back home. And very soon after that meeting, NCUX announced one last dump for sale and that they're quitting the carding world. And after that, NCUX went completely dark. The trail to find him had gone cold. A few months after that, in April 2010, the owner of cardingworld.cc was arrested and the servers were seized. This gave the Secret Service a few extra clues and more incriminating evidence. They found an email address for NCUX and some other information, but the FSB and Russian government refused to cooperate to help capture him. And even if he was arrested in Russia, there was no extradition treaty with the U.S.,
Starting point is 00:08:28 so there'd be no way to bring him to the U.S. for a trial. Around the same time, the Secret Service was watching another illegal carding market called carder.su, and out of nowhere, a new vendor showed up there named Track2. Their forum post read, Hi dear customers, we glad to present our new shop of dumps. We selling dumps only stolen by us. This means we are first hands owner. They were even offering a 48-hour exchange for new dumps if the one you had was bad. This really caught the attention of the Secret Service. Who is this new vendor and where are they stealing cards from? But what was
Starting point is 00:09:05 really odd is this brand new vendor was marked by the admins as being a trusted vendor. This is a hard-to-earn rank on the site and this person had it on day one, and also this Track2 person became the only dump vendor on the site. Other vendors were being removed from the site. Something was definitely odd with this Track2 person, so the Secret Service began watching them very closely. In May of 2010, the same time all this is going on, a Secret Service investigator in the state of Washington was sitting at his desk investigating a case.
Starting point is 00:09:39 His name was Detective Dunn. The phone rang on Detective Dunn's desk. Schlotzky's Deli in Coeur d'Alene, Idaho, was reporting it had been hacked and he had to go investigate. Detective Dunn had previously worked with the Seattle Police Department in investigating computer crimes and was good at doing digital forensics. So he took a trip down to Schlotzky's Deli to investigate. He arrived at the deli and on the front counter where the customers order their food were two registers next to a soda fountain. These were touchscreen displays powering the menu software, but also handling credit card transactions.
Starting point is 00:10:12 As Detective Dunn examined the registers closer, he found they're just regular Windows computers running the cash register software. And he found they both had malware running on them, called Kameo, with a K. The malware would listen for keystrokes made and look for credit cards being swiped and then transmit that data to a server in Russia. The detective had determined this malware had been present on the computer for six months. He examined the event logs and the internet history and determined that somebody had installed this malware by browsing to a website, downloading it, and installing it that way. This meant that the malware was put there by someone who had control of that computer.
Starting point is 00:10:54 Detective Dunn wasn't sure what that meant and wondered if an employee installed the malware. About a month later, a person in Ohio gets arrested for attempting to buy things with stolen credit cards. The Secret Service was contacted and were given a forensic image of the computer. And they looked through the computer and found a bunch of stolen credit cards on it. They ran a report on each of these cards to see if there's a common purchase point. Because if a lot of these cards have charges in the same physical place, then chances are that place might be where the cards got stolen from. The reports came back and there was a common purchase point, Schlotzky's Deli in Coeur d'Alene, Idaho. The Secret Service contacted Detective Dunn, the agent who investigated that Schlotzky's
Starting point is 00:11:36 Deli hack, and gave him a forensic image of the PC to see if he could make any connections between the two cases. Detective Dunn examined the PC and found credit cards were bought from two different websites, bulba.cc and track2.name. This was the same Track2 from that carder.su forum, you know, that suspicious trusted vendor. And this computer contained ICQ chat logs with someone named Track2. So this gave the Secret Service the ability to chat with Track2. The detective then started looking at these two carding websites, Bulba.cc and Track2.name. First of all, they look identical, except for two different background colors.
Starting point is 00:12:18 The detective started chatting with Track2 over ICQ to learn more. And he found out that Track2.name was where untrusted customers go to buy stolen cards. And then once you're trusted or you pay a $1,000 registration fee, you could then be invited to bulba.cc, a more elite carder site. The detective determined the websites were probably owned by the same person. And he logged into the site and looked around. He found thousands of credit cards for sale here, claiming to be 90% from the U.S. with a 60% valid rate. He also found that in order to buy cards here, you have to use Liberty Reserve to transfer the money. The detective looked at the Whois records
Starting point is 00:12:56 for these two websites. Each website in the world has to be registered, and the registration information is public for anyone to see. This information can be faked though, but the WHOIS data on the website said they were registered by two different Yahoo email addresses. The detective filed a warrant and sent it to Yahoo, the company, so he could see the emails for this address. See, the FBI and Secret Service can request from Yahoo to view emails for certain people if a warrant is processed. Then it'll be reviewed by Yahoo, and they'll supply the emails to the feds, and they won't even tip off the user either. But getting a warrant and access to emails
Starting point is 00:13:30 takes a while to process. So the detective had to just sit there and wait for it to be ready. While waiting for the warrant to go through, Detective Dunn got a call from the Boeing Engineers Credit Union, or BECU, in Seattle. The BECU was reporting that a number of fraudulent charges have showed up on some credit cards
Starting point is 00:13:50 with a common purchase point of the Broadway Grill right in Capitol Hill in Seattle. Since the detective was in Seattle, he drove over to the restaurant and started conducting a forensic analysis of the computers there. Their cash registers were Windows computers running a credit card processing software. These computers had the same Kameo malware that the detective found on the Schlotzky's Deli's computers. The malware was slightly different, though. This one would grab copies of the cards being processed and stick it into a text file, and
Starting point is 00:14:19 then send that text file to the exact same server in Russia. This text file contained 33,000 credit cards in clear text. Detective Dunn was shocked, and the Broadway Grill had no idea they had even been hacked. The detective did more forensics investigations on the computers and found the malware was installed the same way, too, by someone getting access to this computer and browsing to a website, downloading it, and installing it. The detective ran a report on the credit cards in the text file, and the report showed that within a day or two of the cards being stolen,
Starting point is 00:14:51 they already had fraudulent charges on them from around the world. This meant that whoever stole these cards had a way to move them quick. About the same time, the warrant for those Yahoo emails completed, and Detective Dunn got a copy of the inbox for the addresses used to register Bulba.cc and Track2.name. And he found a lot of emails for transactions through Liberty Reserve, which indicated the account numbers this person had there. He also found an email about a PayPal account. And PayPal does require you to provide a real name, and this email said this PayPal account
Starting point is 00:15:25 belonged to Roman Seleznev. The same Roman Seleznev that was NCUX, the big-time carder the Secret Service was tracking years ago, but went dark. Now they were able to connect the dots, and see that NCUX and Track2 and Bulba were all the same person. Not only did the names match, but the physical address matched, the ICQ number matched, the WebMoney accounts matched. Roman didn't disappear. He probably got tipped off by the FSB that the Secret Service were after him, and he just changed his name. Now the Secret Service was once again hot on the trail to bring down this big-time carder, Roman Seleznev. Detective Dunn continued reading through the emails he found and found one
Starting point is 00:16:07 indicating Roman was renting a server from a company called HopOne in Virginia. A warrant was issued right away to request a pen trap and a backup copy of the server. HopOne complied with this search and provided a copy of the server, which was done without any disruption since it was a virtual server. The detective looked at the data on the server. First, he found there were over 400,000 credit card dumps stored on this server. That's a lot. That alone is worth millions of dollars. And it seemed like Roman was selling a lot of these.
Starting point is 00:16:38 The detective started finding some hacking tools on the server. This server was being used to mass scan the internet, looking for computers that have port 3389 open, or remote desktop. Windows machines have the capability to connect to them remotely. This is called remote desktop. And the tools on the server were actively looking for computers with this service exposed to the internet. Then once the scanner found the computer on the internet was running remote desktop, it would then attempt to brute force log into it by cycling through thousands of commonly used usernames and passwords. Then if the password had been guessed correctly, the hacker can access the computer as if they were sitting right in front of it.
Starting point is 00:17:15 This is a sloppy, noisy, and easy way to hack into computers. But it seemed to be working. The reality is that nobody should have remote desktop exposed to the internet like that, yet thousands of computers were, which might also mean they weren't using good passwords either. The detective was able to put the pieces together now. Roman would hack into Windows computers that he would find exposed online, see if they're running any kind of credit card processing software, and if so, he'd install malware on it to scrape the cards off it and then send it to his server. It's actually not that sophisticated of a hack. The detective also issued a pen trap on
Starting point is 00:17:50 the server. With this, he can see the metadata about the traffic going in and out of that server, just things like IP addresses, ports, and volume of traffic, but not the full packet capture. Upon putting a pen trap on the server, they found hundreds of computers around the world are connecting to the server and uploading credit card data to it. He examined what IPs are connecting to it and found that most of them are restaurants. Places like Grand Central Baking, Z Pizza, Jet's Pizza, Mountain Mike's, Extreme Pizza, Casa Mia, and Day's Jewelers. Detective Dunn started visiting any of these places that were local to Washington State, where he was based out of. First, he went to Grand Central Baking, right in downtown Seattle.
Starting point is 00:18:33 Yeah, sure enough, same situation. Similar point-of-sale software, similar malware, logs showed remote desktop connection, and then the malware was downloaded. The detective also checked out another local Seattle place called Mad Pizza, which had been communicating to the HopOne server, and both locations he visited had also been hacked. One had malware on it for four months, the other six months. Then the detective drove down to a little town called Yelm in Washington to visit Casa Mia, but he didn't go for the all-you-can-eat spaghetti. Instead, he was hungry to see what was on their point-of-sale computers. And once again, all the same signs. Remote desktop enabled on it, malware installed, and it was scraping credit cards and sending them to either
Starting point is 00:19:15 Ukraine or this HopOne server. At this point, Detective Dunn had visited five restaurants, all of which had been hacked in the same way, presumably by Roman Seleznev. They all had the same signs and were communicating to the same servers. Some of these restaurants had no clue they were hacked until the Secret Service came to their door, and others had been notified by a payment card processor that a theft had occurred. The Secret Service had pored through even more emails that were in Roman's inbox. They were able to determine his phone number, his Russian address, that he had a wife and a young daughter, and even that he had a second house in Indonesia that he would sometimes vacation to.
Starting point is 00:19:54 At this point, the evidence was clear and overwhelming. Roman Seleznev was allegedly hacking into hundreds of restaurants and shops around the world, stealing credit cards and selling them on his two websites, bulba.cc and track2.name. So in March 2011, Roman Seleznev was indicted, which means the Secret Service had enough evidence on him that they were accusing him of doing these crimes. But the feds couldn't catch up with him since he was in Russia, and the feds there weren't cooperating with the U.S. The Secret Service investigated Roman some more and discovered his father was Valery Seleznev, a deputy of the Russian Duma, which is the Russian parliament. This big-time hacker and carder had a father with a lot of political juice that can protect him.
Starting point is 00:20:37 This explains why Roman went dark right after the Secret Service met with the FSB in Moscow. With his father in this position, this was going to make it even harder to catch Roman. company's exposure is more important than ever. I recently visited spycloud.com to check my dark net exposure and was surprised by just how much stolen identity data criminals have at their disposal. From credentials to cookies to PII. Knowing what's putting you and your organization at risk and what to remediate is critical for protecting you and your users from account takeover, session hijacking, and ransomware. SpyCloud exists to disrupt cybercrime, with a mission to end criminals' ability to profit from stolen data.
Starting point is 00:21:30 With SpyCloud, a leader in identity threat protection, you're never in the dark about your company's exposure from third-party breaches, successful phishes, or info-stealer infections. Get your free Darknet Exposure Report at spycloud.com slash darknetdiaries. The website is spycloud.com slash darknetdiaries. The Secret Service continued to monitor the Bulba.cc and Track2.name websites. They saw at one point a total of 747,000 credit cards were for sale on the site. Detective Dunn bought 16 of them off the site,
Starting point is 00:22:18 specifically for the local credit union BECU, so he could analyze them closely. And sure enough, this gave him leads to even more local places that may have been hacked. The detective monitored the site for the next few weeks to try to see how many cards were being bought in a week. And it was around 96,000 cards. So within a week's time, Roman had brought in 2.4 million US dollars. This was a big-time operation. The Secret Service was able to track Roman's whereabouts using two different techniques. First, well, they had access to his email, so they could see any flight plans he had and all this kind of stuff.
Starting point is 00:22:50 But second, they found he used the HopOne server to do his personal web browsing on. And it was on that server that he would often purchase flights. So this also gave the Secret Service his passport number. In April 2011, Roman and his wife took a vacation to Marrakech in Morocco. The Secret Service had learned he was in Morocco and started trying to figure out ways to capture him while he's there. Roman and his wife went for dinner in the Argana Cafe, a very popular restaurant for tourists in Marrakech. Roman and his wife were at a table upstairs overlooking the square. And while they're enjoying their fancy dinner, the unthinkable
Starting point is 00:23:25 happened. A massive explosion has ripped through a busy cafe in the Moroccan city of Marrakech, killing at least 15 people and wounding 20 others. The Argana restaurant on Jemaa el-Fnaa Square is popular with tourists. Ten foreigners have been confirmed dead. Authorities suspect a suicide bombing after nails were found in one of the dead bodies. If proved to be the work of Islamic militants, it would be Morocco's biggest terrorist attack since suicide bombings killed 45 people in Casablanca eight years ago.
Starting point is 00:24:08 The blast ripped the cafe apart all around where Roman was sitting. Shrapnel and parts of the building came down right on his head, hitting him hard. He was thrown into the back of an ambulance and taken to the airport, where he was medevaced all the way back to Russia. For the next few months, no new credit card dumps showed up on his websites, and customers started complaining they weren't getting dumps. And someone was replying by saying things like, well, the boss is ill, you have to wait. Nine months later, both Bulba.cc and Track2.name had shut down completely.
Starting point is 00:24:52 Roman Seleznev went dark once again, and the Secret Service wasn't sure what his condition was. They thought he's probably still alive and needing time to recover, but if he does get better, he'll probably want to spend some time in his vacation home in Indonesia. So they started getting prepared in case that happened. They also saw he likes to travel through South Korea to get there, so they issued some warrants for him in Korea. But then the Secret Service got a tip saying Roman Seleznev has just arrived in Germany. Quickly, they started booking plane tickets to go there. They were calling up Interpol, trying to find someone to help arrest him, but just then they found out the passport numbers didn't match, and it was a different Roman Seleznev altogether. Roman did go to Indonesia to take short trips, but he was buying plane tickets last minute to avoid being tracked, and he took direct flights and didn't go through Korea like he normally did.
Starting point is 00:25:40 There's no extradition treaty in Indonesia either, so the feds just didn't have a way to capture him there. The Secret Service was getting impatient, so they tried to lure him to Australia, but that didn't work either. They just had to wait and be patient, and watch for him to make some kind of mistake. About a year goes by, and then another carding site opens up called tupac.cc. This one had a huge inventory of credit card dumps. And one reason for this is because it was also a reseller. So when the Home Depot and Neiman Marcus were hit with their massive credit card breaches, those hackers were selling the dumps on Tupac.cc and getting 50% of the sales. Pretty quickly, this attracted the attention of the Secret Service, who started investigating who might be behind Tupac.cc.
Starting point is 00:26:27 In May 2013, the Secret Service, Department of Homeland Security, and IRS Criminal Investigation Unit had been fed up with Liberty Reserve and decided to shut it down. They arrested the owner and seized the site. This was a Costa Rica-based company, and it was being charged with processing money used for illegal purposes. I think it's illegal to process money if you know the money is being used for criminal activities, and Liberty Reserve attracted a lot of criminals. So with Liberty Reserve's site in the hands of the Secret Service, they started going through the transactions that were in the database,
Starting point is 00:26:59 and this gave the Secret Service a lot more information about him. They found Roman's old accounts and added up the transactions and found he had over 15 million dollars in incoming transactions. They followed the accounts further and noticed some were recently active. As they investigated, they found information that connected Roman Seleznev to be the person behind the tupac.cc website. These transactions also gave the Secret Service more relevant information about Roman, like his most recent address and phone numbers. On July 1st, 2014, the Secret Service got a tip that Roman was in the Maldives. The problem, though, is that the Maldives doesn't have an extradition treaty with the U.S. either, so they aren't going to help the U.S. in capturing him.
Starting point is 00:27:41 Roman was smart and knew exactly what countries he could go to in order to avoid being caught. But the Secret Service spoke to the Maldives police and explained how important this case was. So the Maldives government agreed that if the Secret Service would catch him, they would expel him to allow the Secret Service to take him. So the Secret Service immediately jumped on a plane and headed to the Maldives. Roman had been taking a high-class vacation around the islands, and the Secret Service was hot on his tail. First, he stayed in the nicest room possible in a fancy hotel, which cost around $20,000 for just a few days. Then he took a small plane to a private beach on another island,
Starting point is 00:28:20 which is where he was. The Secret Service thought he'll probably come back to the International Airport to return to Russia, so they waited for him at the airport. Two days later, Roman, his wife, and his daughter landed in a small plane at the airport and tried to switch planes to go to Russia, but the Secret Service caught him just in time. They showed him the arrest warrant and placed cuffs on him. Roman reminded the Secret Service that the Maldives don't have an extradition treaty with the U.S., but the Maldivian police just stood there and watched the whole thing happen. The Secret Service threw a jacket over Roman's wrist to hide that he was handcuffed and walked him through the airport.
Starting point is 00:28:58 They took the luggage he had, which contained the following. A Sony VAIO Ultrabook running Windows 8, an iPhone, an iPad, a Samsung phone, and his identifications. The Secret Service were able to confirm the passport number and address of his identifications, and they all matched the same Roman Seleznev that they've been tracking for all these years. They escorted him to a private jet, leaving his wife and daughter behind.
Starting point is 00:29:22 The Secret Service took Roman directly to Guam, a U.S. territory, and put him right in prison. The Secret Service kept his laptop powered on the whole way back home, but it was password protected. They explained to Roman the long list of evidence they had gathered on him for the last 10 years. A news crew caught up with Roman while in prison in Guam. Here's Roman. The Secret Service took me from the Maldives Republic on private jet to Guam. They sent me, I arrested, and I need to go to court. I am not guilty, no. Because Roman continued to plead innocent, the case had to go to trial.
Starting point is 00:30:06 Roman was not fully recovered from the bombing incident in Morocco and needed daily medicine. After a while in Guam, he was taken to Washington State where the Secret Service continued to investigate. The Secret Service needed the password to access his laptop. They'd already been going through his past emails, and the emails had a familiar pattern. He frequently used the username Smouse on many of his accounts. Registering to buy movie tickets online? Username Smouse. Registering to buy flowers online? Username Smouse. And the movie ticket website he registered at had terrible security.
Starting point is 00:30:40 Upon registering at this site, they sent him a welcome email, which displayed his username and password in clear text. The password he used was Ochco123, which is Russian for butthole. This gave the Secret Service a username and password to try on Roman's laptop. And what do you know, it worked first try. The very first password guess the Secret Service made was correct: Ochco123. This was a big failure for Roman. To reuse passwords like this, and to use such a simple one on his personal laptop while being a big carding kingpin? Not a good idea.
Starting point is 00:31:18 The Secret Service took forensic copies of the laptop and gave them to Roman's lawyers. The first thing the investigators found was that there were 1.7 million credit card dumps on his laptop. That's a lot of stolen credit cards to take with you on vacation. But Roman's lawyers looked over the forensic copy and saw something else. They pointed out that some of the incriminating files had a last modified date that was after his arrest. The lawyers were indicating the evidence was planted there by the Secret Service. But the Secret Service tried to explain that antivirus and normal system processes update some of the timestamps while in connected standby. But the lawyers stuck to this as part of their case. So the Secret Service had to continue to do forensic
Starting point is 00:32:00 work to build a case against Roman. First, they saw that the 2pac.cc website had had no admin activity since the date of Roman's arrest. Also, some Liberty Reserve emails connected Roman to 2pac.cc too. Then, on the laptop, they found more evidence. Things like documents that Roman wrote on how to use stolen credit cards. And they also found that before Roman would travel, he would search for warrants and police reports about him to see if he was wanted in the U.S. He wasn't just searching for his name either, but all his aliases and old names like Bulba and NCUX. The laptop also had a plain text password file, which gave the Secret Service access to everything Roman had. The website, the hacking servers, and the servers he used to store dumps on. This gave the Secret Service a ton more evidence. Forensics experts investigated the laptop closer, and they looked at network logs,
Starting point is 00:32:50 users, and system activity. They looked at the registry keys and the System Resource Usage Monitor. They found the last Wi-Fi connection on the laptop was at that fancy hotel in the Maldives, and he was logged into the laptop with the username Smouse, and the last application he used was a Tor browser. The computer forensics team also tried to see what deleted files they could dig up. Of course, they checked out the recycling bin, but they also looked in the slack space. When a file is deleted on a computer, it's not really wiped. The computer just kind of forgets there's a file there, and then says that part of the disk is available to write again.
Starting point is 00:33:23 So if data doesn't overwrite that part of the disk, then deleted files can still be there. That's what the slack space is, and the forensics team took on the grueling task of trying to dredge up any deleted files that were in the slack space. This computer was running Windows 8 and had the Volume Shadow Copy Service enabled, and this takes snapshots of the computer over time to allow the user to restore to an older version. The Secret Service looked through the volume shadow copies and found the same incriminating files, proving these files were there before the arrest. The Secret Service also had his phones, which showed them the phone numbers, locations, and photos of where he was. And these phones also had
Starting point is 00:33:59 logins to his cloud storage, which contained even more sensitive documents. Roman continued to plead innocent and demanded he talk to his father, who's a member of the Russian parliament. Roman had just gone from a life of luxury and riches to now having nothing. He wasn't happy with the situation at all and needed to make a plan. He was able to talk to his father in Russia. The Secret Service listened in on the calls and overheard some of their plans to get Roman free. First, Roman's father, a member of the Russian parliament, tried to use his political juice to get him home, but this didn't work. Then, the plan was to pay off prosecutors.
Starting point is 00:34:32 After all, Roman was worth millions of dollars, so they had quite a lot to try to spring him out with. Here's a transcript of the call. His father: "We can just pay them all in advance, and that's it." Roman: "It is what I'm saying. Offer them this." His father:
Starting point is 00:34:45 "Yes, I'm leaning towards this. I think this is an option." Roman: "Just make sure they know how much money they would get right away would be what they'd get in a whole year." Later, the prosecutors were offered a bribe of around $10 million to release him. The prosecutors did not accept this, and it only added to his case. Then the phone calls between him and his dad grew stranger.
Starting point is 00:35:05 They would say things like, you know that thing we talked about that we're not allowed to talk about? Yeah, it's not true, okay? And then his father told him he was going to visit some doctors and then the doctors will visit Roman soon to explain the rest. And something about using Uncle Andre to create a miracle. The Secret Service thought maybe this was some kind of code for an escape plan. And around the same time, for some strange reason, the prosecutors all started getting banned from entering Russia. Maybe Roman's father was banning them out of spite or something.
Starting point is 00:35:37 During this time, Roman went through six different lawyers. Some were quitting because he was very hard to work with, and some Roman was firing because he didn't like what they were suggesting. The lawyers were suggesting he take a plea deal, like give the Secret Service some information about carding criminals and work out a deal to do very little time, but Roman refused to cooperate with any plea deal and kept trying to find a different way out of prison. Roman's dad was also trying to get him to stall and to give him more time to make a plan, suggesting he'd get sick or fire another lawyer to postpone the trial. After three years of being held in prison, his trial day finally came.
Starting point is 00:36:13 Roman ran out of ways to stall and delay the trial. He was being charged with 40 counts of criminal activity, and Roman was pleading innocent. His lawyers had only two positions to defend him with. First, the files on his laptop were tampered with, but the Secret Service was able to prove the files were there in the volume shadow copies before the arrest. And second, the defense attorney was saying the arrest in the Maldives was illegal and essentially kidnapping, accusing the U.S. of retaliating because Russia is harboring Snowden. The trial took about one and a half weeks,
Starting point is 00:36:47 and after the jurors thought it over for about three hours, they found Roman Seleznev guilty. He was found guilty on 38 out of 40 counts. This included 10 counts of wire fraud, 9 counts of obtaining information from a protected computer, 2 counts of aggravated identity theft, 15 counts of possessing unauthorized equipment, and eight counts of international damage to protected computers.
Starting point is 00:37:12 He was accused of hacking into a pizzeria in Duvall, Washington, but the jury found him not guilty of doing that. At this point, Roman finally started to try to get a plea deal worked out, but it was too late. There are guidelines suggesting how long a prison sentence a person should get who's guilty of this many crimes, and the guidelines were off the charts, suggesting he get life in prison. But Roman's lawyers tried to talk the judge down to not very many years. But because Roman refused to cooperate and continuously lied to prosecutors,
Starting point is 00:37:39 the judge did not look favorably on him and gave him 27 years of prison time for his crimes. Roman was 32 when he was sentenced, meaning he'll get out when he's almost 60, missing most of his daughter's life and half of his own. Roman was still recovering from his injuries from the bombing years ago, and he had to take daily medication for it because it damaged his head. The lawyer thought Roman was so sick that 27 years was a life sentence. The lawyer said, quote,
Starting point is 00:38:11 "He's not going to live that long. He's going to die in jail. I'm certain of that." End quote. The Secret Service had to go through the 1.7 million credit cards found on Roman's laptop and inform each bank of the theft. Those cards belonged to 3,700 different banks, and each of them was called. In total, the Secret Service counted
Starting point is 00:38:31 that Roman had hacked into 400 different restaurants and shops to steal credit cards from, many of which were locally owned businesses. Looking through the court transcripts, I see that Roman also hacked into zoos across the U.S. And one of them he hacked into and stole credit cards from was the Phoenix Zoo. Which is crazy to me because I've actually been there. And I tried to look up what Phoenix news outlets covered this hack, and only one small tech website did. My guess is that the zoo never went public with this breach. And when the evidence about it came up years later in Roman's trial,
Starting point is 00:39:03 it was just too old to be a news story anymore. Now, you might be wondering why so many of these small and local businesses had remote desktop exposed to the internet. Well, a few of the owners came to court to testify. They said they had it open like that because their IT support team needed it open to troubleshoot issues. And actually, a lot of these businesses had the same password because
Starting point is 00:39:25 the same IT support group reused passwords for many of these businesses. So each of the victim companies had to spend a lot of money to fix these security issues. First, they had to remove the malware, then upgrade some equipment, like putting a VPN device in place so tech support can connect to them securely. But when you incur a credit card breach like this, the credit card companies start getting into your business. See, in order to process credit cards, you must be compliant with the payment card industry, or PCI. This is run by Visa and MasterCard and such. So the PCI requires audits to be conducted on the network also. And on top of all that, because they weren't compliant with PCI, they were fined anywhere from $5,000 to $30,000.
Starting point is 00:40:06 So at a minimum, this breach cost each of these small businesses $20,000, and some much higher. Then to top it all off, if the story got out, customers would stop coming in fear of getting their cards stolen. The Broadway Grill in Seattle had just changed ownership right before this hack, and this was a major setback for the new owners. They spent tens of thousands of dollars to fix the security issues on their systems. And they also felt a big hit from customers who were afraid to come use their credit cards there. And they suffered a lot of ridicule and shaming over this.
Starting point is 00:40:40 After being there for 22 years, this hack ultimately caused the Broadway Grill to shut down and declare bankruptcy. But wait, there's more to this story. Two other states had indictments for Roman Seleznev and wanted to try him too. Remember how it was really suspicious that Roman, or Track2, was a trusted vendor on carder.su the day he opened an account? And remember when he was the only vendor selling dumps on that site? Yeah, some feds in Las Vegas thought this was suspicious enough and accused Roman of being the owner of carder.su. So they brought Roman to trial for this. Sure enough,
Starting point is 00:41:16 it was true. Roman pleaded guilty to these charges, which resulted in him having to pay $50 million in restitution, which was the same amount believed to have been made from selling cards on the website. And then, once that was over, a federal court in Atlanta, Georgia, took a shot at Roman too. Federal prosecutors there claimed Roman, along with 14 other people,
Starting point is 00:41:35 hacked into RBS WorldPay, which is a payment processor in Atlanta. In 2008, the hackers got in, stole thousands of credit cards, then gave them to 14 different cashers around the world. These people would write the dumps to blank credit cards and then go to ATMs and just go through card after card, taking out as much money as they could until the ATM was out of money. Then they'd move on to the next one. Within 12 hours of the breach, the cashers were able to hit 280 cities, cashing out for more than $9 million total. Roman was accused of stealing $2 million
Starting point is 00:42:06 himself. The federal court in Atlanta brought Roman to trial on this, and Roman pleaded guilty to this too. This resulted in 14 more years of prison time and another $2 million in restitution. Today, Roman sits in a medium-security prison in North Carolina, still recovering from his head injury, still dreaming about seeing his family again someday, and probably still wishing he was back home in Russia. You've been listening to Darknet Diaries. For show notes and links, check out darknetdiaries.com. Thanks to all the people who have given on Patreon. I now have a bonus episode for people there, so if you want more of the show, donate on Patreon and I'll be regularly releasing bonus episodes to supporters there. This show is made by me, Jack Rhysider, and the theme music is made by the helmet-wearing Breakmaster Cylinder. See you again in two weeks.