A Russian man accused of being one of the world’s most prolific traffickers of stolen financial information was arrested in Guam on Saturday, according to the Secret Service.
Roman Valerevich Seleznev was arrested on charges that he hacked into cash register systems at retailers throughout the United States from 2009 to 2011. The Secret Service would not say whether he was tied to the recent attacks that affected the in-store cash register systems at Target, Neiman Marcus, Michaels and other retailers last year.
Seleznev’s arrest provides a look into the shadowy world of Russian hackers, the often sophisticated programmers who seem to operate with impunity. As long ago as March 2011, the U.S. attorney’s office in Washington state identified Seleznev, a Russian citizen, in a sealed indictment as “Track2,” an underground alias that is an apparent reference to the data that can be pulled off the magnetic strips of credit and debit cards.
That data includes enough basic information — like account numbers and expiration dates — to make fraudulent purchases.
The indictment accuses Seleznev of hacking into the cash register systems of businesses across the United States and of operating computer servers and international online forums in Russia, Ukraine and elsewhere where such stolen data is traded in the digital underground.
It was not yet clear how the Secret Service arrested Seleznev, and the U.S. attorney’s office in Washington state declined to elaborate.
In a statement, the Secret Service said Seleznev’s charges included five counts of bank fraud, eight counts of intentionally causing damage to a protected computer, eight counts of obtaining information from a protected computer, one count of possession of 15 or more unauthorized access devices, two counts of trafficking unauthorized access devices, and five counts of aggravated identity theft.
According to the indictment, which was unsealed Monday, Seleznev is accused of scanning devices for weaknesses and inserting malware that was capable of stealing credit card information. He is accused of using malware to steal 32,000 credit card numbers from computers at Broadway Grill in Seattle, from December 2009 to October 2010. The restaurant did not discover the thefts until late October 2010.
Seleznev is also accused of pulling off similar heists at four other Washington state restaurants and a number of other U.S. businesses, including Schlotzsky’s Deli in Coeur d’Alene, Idaho; Active Network in Frostburg, Maryland; Days Jewelers in Maine; Latitude Bar and Grill in New York; and the Phoenix Zoo.
In addition, Seleznev is accused of stealing more than 200,000 credit card numbers from November 2010 to February 2011 and of selling 140,000 credit card numbers on underground sites with names like bulba.cc and Track2.name, generating profits of more than $2 million.
“This scheme involved multiple network intrusions and data thefts for illicit financial gain,” Julia Pierson, director of the Secret Service, said in a statement. “The adverse impact this individual and other transnational organized criminal groups have on our nation’s financial infrastructure is significant and should not be underestimated.”
Early Monday, Seleznev appeared at a court in Guam. He will be held in custody there until his next hearing in two weeks. Seleznev faces up to 30 years in prison if convicted of bank fraud.
The case remains under investigation by the Secret Service Electronic Crimes Task Force in Seattle and is being prosecuted by the U.S. Attorney’s Office for the Western District of Washington state.
According to one government official, who declined to be identified because of the ongoing investigation, Seleznev was also among the members of a transnational criminal organization whose members bought and sold personal and financial information through online carding forums, such as the Russian underground website carder.su. In 2012, 19 members of that group were arrested, but Seleznev remained at large.
He still faces a separate indictment in Nevada on charges of racketeering as well as two counts of possession of 15 or more counterfeit and unauthorized access devices. Those charges carry maximum penalties of up to 20 years in prison for racketeering and up to 10 years in prison for possession of 15 or more counterfeit and unauthorized access devices.
Assistant U.S. Attorney Todd Greenberg would not comment on the means by which Seleznev was detained in Guam. However, arrests in Russia over computer crimes are rare, even when hackers living in Russia have been identified by outside groups like the Spamhaus Project, a spam-prevention service based in Europe.
According to Spamhaus, Russia is the world’s third biggest source of Internet spam, after the United States and China.
Just last week, U.S. security researchers accused the Russian government of systematically hacking into oil and gas companies in the U.S. and other Western nations.
The U.S. has treated computer security as a law enforcement matter. But Russia has pushed for an international treaty that would regulate the use of online weapons by military or espionage agencies. The U.S. has been hesitant to press for such a treaty — in large part because its own National Security Agency is behind some of the broadest espionage operations — but it has continued to press for closer law enforcement cooperation on cybercrime.