BLACK HAT USA conference. "How the feds caught Russian mega-carder Roman Seleznev"

Hacker

A year ago, this topic was actively discussed on Geektimes:
Russian carder Roman Seleznev, son of a deputy, was sentenced to 27 years in prison in the United States



Carder and deputy's son Roman Seleznev said that since 2008 he had been working under FSB protection

In today's translation, we will reveal the details of how the feds caught Russian mega-carder Roman Seleznev.

Good afternoon, my name is Norman Barbosa, and I'm a computer crime prosecutor in the US Attorney's Office in Seattle. My fellow assistant US attorney, Harold Chen, is a former prosecutor with the Department of Justice in Washington, DC, who now works for Google. He received a lot of money after we won this case, and now he is happy to be here with me.

I want to thank our friend here for providing me with the laptop. Yesterday, when I came here, my computer started beeping and immediately gave a critical error. I thought it might be "those" guys or the FSB. I'm not sure, but I know that many of you are playing "spot the fed". When we were working on the Seleznev case we also played "spot the FSB agent", so if you see one, let us know.



Our presentation is not intended to help you guess the password for your hacking empire, because that doesn't work anyway. It is simply a real opportunity for us, the Justice Department, to talk in detail about how we investigate computer crime cases so that our charges sound convincing to a jury. We have to prove to 12 jurors that this man was sitting at the computer, and provide detailed evidence of what he is on trial for.

There were situations when we were forced to present our evidence in a level of detail that far exceeds what is publicly available. And then there are cases that are resolved because the accused pleads guilty or simply does not show up in court.

We were very lucky with this case - Harold, me and another attorney in my office, Seth Wilkinson. It was a long investigation, and we were not involved in it from the beginning: the case was handled by another assistant US attorney, who retired before Roman was arrested. Her name was Catherine Worman; she was my mentor and was well versed in computer crime. She worked on this case with agent David Dunn, who also left government service before Seleznev's arrest.

I'm sure many of you have heard of him here this week; he's an excellent investigator who came back to work specifically to attend the court hearings.
So, today I'm going to tell you about the progress of the investigation, and then Harold will talk about the evidence we obtained from Roman's arrest, about the difficulties in the trial caused by the forensic examination of the accused's computer and how we had to deal with them.

Here is a brief profile of Roman Seleznev: he was one of the world's largest thieves of credit card data, indicted by three federal courts in different states, a Russian with real estate in Vladivostok and in Bali, Indonesia.



He was involved in the theft of bank card data from about 2005 until we were able to arrest him in 2014 and bring him to trial. From 2011 to 2014 we made several attempts to arrest him, which were unsuccessful.

The position of his father in the Russian government was of great importance, which the court could not ignore (Valery Seleznev is a State Duma deputy from the LDPR party). Tensions arose between our government and the Russian government after Roman was detained in the Maldives in 2014, which resulted in me and other participants in the case being put on the Russian government's "black list" and banned from entering Russia. Fortunately, this tension has subsided, and I can again go to Moscow, where I studied Russian. But at that time none of us could go there.

Seleznev stole a lot of money through his criminal scheme, and he hoped to use it to derail the trial. He had a very well-funded "support team" protecting him.

Seleznev sold stolen card data under three different "nicknames", nCux, Track2 and 2Pac, corresponding to three periods of his hacking activity.



He used the first one on carder forums, where he had been selling stolen card data since 2002; then he started using the Track2 nickname, and he used the 2Pac nickname until his arrest.
nCux was identified in early 2009, when he was active on many carder forums. On this slide you can see his message about selling cards: "Dear customers, do not miss your chance - all AMEX cards are at $1 apiece, VISA, MC, DISCOVER - $5 each." The "Great Sale" stemmed from the fact that in May 2009 Roman announced that he was retiring and would stop hacking. His activity in this field had been tracked since 2002, when he began selling cards with full details, including name, password, date of birth and social security number. In 2005 he realized that stolen credit card information was in great demand, and he developed a vigorous business. Thanks to this, he came to the attention of the Secret Service's Cyber Intelligence Section (CIS) in Washington. They began to monitor his activity on the Internet, realized that he was a "big player", and began trying to find out who exactly was hiding behind the "nickname" nCux. In fact, transliterated from Russian this "nickname" means "psycho"; it was given to Roman by friends for his "explosive" character.

While tracking him from 2005 to 2009, the Secret Service's CIS gathered quite a lot of information by trawling open sources on the Internet - good "old-fashioned" investigative work.



In May 2009, together with the FBI, they met with the FSB in Moscow and reached agreements on the exchange of information; literally a month later, Seleznev disappeared from the Internet, destroying all the accounts known to the FBI. He made this post in May and disappeared in June.

This set the Secret Service back and forced it to rethink the way it would conduct international investigations and exchange information in this particular case.



Naturally, Seleznev was not going to retire - he simply changed his "nickname" and during 2009-2012 used the "nicknames" Track2 and Bulba. This slide shows a new post by Seleznev, who began to rebuild his empire on carder.su, the most authoritative resource for carders, where Roman already had a reputation as a reliable seller. This is evidenced by the mark in the upper left part of the message under the "nickname". It told the Secret Service that this was not just some new hacker who had got some stolen cards from his "stash"; he had weight and popularity among the users of this resource. The site administration even gave him a monopoly, throwing out Seleznev's smaller competitors who offered a similar product.

CIS concluded that this was a really big player, immediately put him on their "radar", and in May 2010 began an investigation. Around the same time, our local agent David Dunn took part in a SWAT operation in Coeur d'Alene, Idaho, at the well-known fast food chain Schlotzsky's Deli over a customer credit card leak. He examined the computer equipment there and imaged its RAM, where he unexpectedly discovered that the Schlotzsky's Deli machine had a connection to a Russian IP address. David took note of this fact, and a few weeks or a month later a lot of stolen credit cards surfaced on the network, which were traced back to the point of the data leak: the computer at the Schlotzsky's restaurant.

Detective Dunn examined the suspect's computer, which he seized at the restaurant, and found that the guy had been browsing two sites, Track2.name and Bulba.cc, and chatting with a person named Track2.



The latter told him that his Track2.name website had been shut down, but the restaurant employee could buy card numbers on another website, Bulba.cc. The detective began to research both of these sites to find out whether one hacker was hiding behind these two "nicknames". He researched the domain registrations and found the e-mail box from which the registration was made, and researched other mailboxes located in the United States that were associated with these accounts. The Eastern District of Virginia supported a joint investigation with CIS, and in October 2010 they began serving warrants for information. Detective Dunn had to wait several weeks for the information, because this is not something that can be done overnight. In addition, some orders were returned, as there were cases when the e-mail providers refused to provide information.

And while he waited, on October 21, 2010, a second hack took place - this time at one of the oldest restaurants, the Broadway Grill on Capitol Hill in Washington.



Detective Dunn arrived in Washington and, along with a local detective, began to study the point-of-sale computers. They found that the computers were configured very loosely with regard to the security of customer information: they stored the data of 32,000 credit cards as plain text files. And that information went to the same IP address that had been used on the computers at Schlotzsky's Deli in Idaho. Here the detective managed to get a little further, because he was able to discover that someone had placed malicious software on the Broadway Grill computers that forwarded the data to a malicious server at a manually entered address - the same IP address as at Schlotzsky's Deli.

Detective Dunn realized that he now had the opportunity to investigate a crime at home, so there was no longer any need to travel to Virginia or Idaho, and a case could be brought here in the Western District of Washington.

Then the case began to develop rapidly. Between November 2010 and February 2011 the detective found out who had registered the carding sites. He found Yahoo mailboxes that led to a HopOne server in McLean, Virginia. Here he found out that the card numbers were being sent to a server in Russia from the IP addresses of the Schlotzsky's computers.



While researching the Yahoo accounts, he found out who had bought the HopOne server in McLean. To do this, he obtained a pen register on the server in order to track its incoming and outgoing connections. This did not allow the content to be examined, but it gave him the IP addresses of incoming and outgoing connections, some port numbers, and the amount of data transferred. In addition, he saw that this server was connected to hundreds of computers throughout the United States, many of which were installed in restaurants. When he began checking their IP addresses, he learned that almost all of these computers were connected to the HopOne server, and found dozens of victims across the country among the points of sale at those restaurants.

The next slide shows evidence of malicious tampering with the computers that processed credit card payments in many restaurants and cafes.



This shows the IP addresses of the devices that this malware connected from, sending card data to the same HopOne server.

The following is the infrastructure of this criminal scheme. There is nothing special here: it is a common botnet that uses several layers of data transfer.



Roman's computer is shown in the upper left corner. Detective Dunn found many hacking tools on the HopOne server that allowed him to reconstruct Seleznev's scheme. The Russian hacker port-scanned the victims' payment terminals for open RDP connections. As soon as he found one, he broke in by brute-forcing the password and uploaded the card data to a server registered under the "nicknames" Shmak / Smaus with the IP address 188.120.255.66, to the HopOne server with IP 66.36.240.69, and to a Ukrainian server with IP 188.95.159.20. From there the data was sent to the carder shops run by the sellers Track2 and Bulba.

On the left you see the Yahoo mailbox that was used to register the Shmak / Smaus server; on the right, the Yahoo mailboxes for Track2 and Bulba. The middle mailbox, associated with Track2, was also associated with the HopOne server. Examination of the HopOne server turned up hundreds of files containing nearly 400,000 credit card numbers. All of them were stored very conveniently for us, as they contained the IP addresses of the victims. This allowed us to quickly identify all the victims and collect more evidence.

As for the email addresses, they allowed us to identify Seleznev. He used one of the Yahoo mail addresses to receive various notifications. In the mailbox [email protected] we found a letter about Roman Seleznev's successful registration with the PayPal payment system on September 19, 2009. This was one of the strongest pieces of evidence against Roman that Detective Dunn found. In the previous slide you can see that rubensamvelich's account led to the stolen-card shops, so using this mailbox for the PayPal registration was Roman's biggest mistake.



He did not think about the fact that American payment systems keep copies of such registration messages, which contain all his identifying data. Here is his registration address in Vladivostok, which was used to identify him during the passport check at the arrest.

The second account we found, [email protected], was used by Roman for many years. This was another of Seleznev's mistakes, since he had been using this mailbox since 2006.
...


The boookscafe mailbox did not help in investigating the current infrastructure of Seleznev's hacking network, but it did help establish his connection with the user known by the "nickname" nCux. We tracked down many related things, including an order for a bouquet of flowers for his wife. It came with a card saying "you are the most beautiful, but Eva is still more beautiful than you"! Eva is the name of his daughter, which was also entered in his passport and served as another proof of identity during the arrest. We also found his order from a Russian online store, with a home address in Vladivostok, placed from this mailbox.
We ended up finding the most significant piece of evidence on the HopOne server, where he kept all of his hacking tools and stolen credit card numbers. Seleznev used this server to book an air ticket for an Indonesia-Singapore flight, and the booking form contained his personal data and the number of his Russian foreign passport. The match between this booking and his passport served as further evidence at the time of his arrest. His second home was in Indonesia.



The Secret Service put all this evidence together and, together with Detective Dunn, began to look for possible evidence of Seleznev's involvement in other carding schemes. The next slide shows evidence that all such cases are somehow connected with each other: carders have been working with each other for a long time and are linked by common interests.

This 2007 chat is from an investigation by the Eastern District of New York. If you remember, that investigation began back in 2002-2003. It concerned the CarderPlanet hacking community and was very successful for the New York office. Mr. Carranza was one of those detained in that case, and on his computer a chat was found between him and a certain nCux, who gave him his real data - first name, surname, home address in Vladivostok, and two mailboxes, including [email protected]. Carranza needed this data for a deal with Seleznev.



Having collected all this evidence, Detective Dunn and a representative of the prosecutor's office went to the grand jury in 2011 and obtained an indictment that charged Roman Seleznev, known by his 9 hacker "nicknames", with computer crimes, bank card fraud, trafficking in unauthorized access devices, and so on.



Unfortunately, shortly thereafter, on April 28, 2011, Roman, while in Morocco, was seriously injured in a terrorist bombing of a cafe in Marrakech. He and his wife were sitting on the 2nd floor of a restaurant that was badly destroyed by the bomb. He was taken to Moscow, where he spent several months in a coma and underwent several operations. Detective Dunn visited bulba.cc several times to check the activity of its administrator; however, the seller-administrator account was not used, and only messages from users appeared on the site who knew that something had happened to the "boss" and wished him a speedy recovery. Finally, in January 2012, this stolen-card shop was closed.

During 2011-2013, Detective Dunn continued to study Roman's past and present movements around the world, looking for confirmation of his criminal activities and related records. He found out that Seleznev often flew to his home in Indonesia through Korea, and agreed with the Korean authorities to obtain an arrest warrant for Roman there, so that he could be transported from Korea to America. Unfortunately, direct flights from Russia were soon introduced, and this opportunity was lost.

There was a mistake in Germany, when a man with a similar name was almost detained there, and Interpol realized at the last moment that it was not him. There were attempts to detain him in Australia, had he used that country when traveling to Indonesia, but none of these attempts were successful.

You may ask why we did not apply directly to the Russian authorities and demand his extradition, but the fact is that Russia does not extradite its citizens to other countries. As we saw earlier, our hope of good-faith cooperation had failed.

Meanwhile, Roman founded a new empire - the site 2pac.cc, which existed from 2013 until the moment of his arrest in 2014. There he positioned his site as a collection of the best sellers of stolen data in the world, promised 24/7 customer support and daily updates of the assortment of a wide variety of bank cards. This site sold the greatest amount of data, and it again hit the radar of the Secret Service's CIS. Seleznev no longer just sold the data of the cards he had stolen himself; he was so world-famous that the biggest carders, those behind the Home Depot, Neiman Marcus and Target breaches, approached him about reselling their cards. A whole crowd of hackers rushed to his forum, so he gave the best prices for their product.

He lived luxuriously, vacationed in beautiful places, had excellent cars - the following slides show photographs from his personal archive saved on his computer. He traveled to the Maldives and lived in Indonesia and in China, enjoying the income from his hacking empire. Now he has exchanged his luxurious apartment for a cell in the prison on the island of Guam.

Now I will tell you where we were finally able to detain him - in the Maldives. I started working on this case in early July 2014, when Catherine Worman invited me to join the case as an assistant, but at the time I did not yet know all the circumstances. I got a call from Harold's office while I was in my car: "We found Roman Seleznev in the Maldives!" To which I answered: "Where are the Maldives, and who is Roman Seleznev?"

About 20 people from the State Department, the DOJ and the Secret Service were involved in this case; our embassies in Moscow and Sri Lanka were in touch. It was a unique operation carried out by the US Secret Service - two days of continuous surveillance, no extradition treaty, and well-coordinated interaction between many agencies.



A typical extradition takes from 6 months to 4 years, depending on the country we are dealing with. We learned about Seleznev's vacation in the Maldives on July 1; agents arrived there on July 3 and 5 and, with the assistance of the local authorities, detained Roman for 3 hours when he arrived at the airport at the end of his vacation. They then put him on a private plane, and 3 hours later he was already on the island of Guam. This operation is the greatest example of cooperation between the US government and the Maldives.

Harold will now continue, telling you about the course of the trial.



We were lucky not only with the arrest, but also in that we managed to get a lot of evidence that was with him - a laptop, an iPhone, a passport, travel documents. We were able to link the data contained in them with the evidence collected over the years, find his letters on servers, and establish an irrefutable connection with the "nicknames" nCux, Smaus, Ochko123. He used the same template in his emails - the same usernames and passwords: smaus, shmac, ochko. Guess what his laptop password was. Ochko123! I'll tell you why you shouldn't use the word "ochko" as the password for your hacking empire: in Russian it means "butthole".



It was a big mistake to use the same technology and the same passwords when building the infrastructure of your hacking empire. About 1.7 million credit card numbers were found on his computer, and you don't have to say anything else when you have over 1.7 million stolen cards on your laptop while on holiday.

We found web pages on his laptop that proved that he, like many in this room, was a marketer, trying to teach people how to use stolen card numbers. He created an entire manual that explained how to buy goods in a store using such numbers; he did, however, note that it was illegal. He wrote that you can buy an MSR206 magnetic card encoder, re-encode your own cards and use them in stores, and taught how to write the stolen data purchased from his website onto plastic cards, and so on. This is how he built his empire.

Do you know what else was on his laptop? PACER - public access to electronic court records, which lets a user look up cases in the US federal district, appellate and bankruptcy courts. Roman was cunning: before going on a trip, he checked whether information about him or his "nicknames" had appeared in any criminal case, including old pseudonyms such as Bulba.

You may ask why, with so much irrefutable evidence, he agreed to go to trial at all, instead of immediately pleading guilty and hoping for a lighter sentence.

The fact is that Roman had 2 strategies for his behavior in court. He hoped that his father would be able to cash in on his political position and negotiate with influential people in the United States. They could think of nothing other than bribing the prosecutor, and they openly discussed this in their telephone conversations. The father told him: "We can pay them all, and that's the end of it!" To which Roman replied: "That's what I'm talking about, offer them this." The father said: "Yes, I am studying this question... I think this is an option."



We later learned that the bribe was up to $10 million. I do not know who he took the people working on this case for, but no one would have given him his money back, that's for sure.
Then there were calls from the prison that used code phrases such as "uncle Andrey", "trip to the hospital", "magic potion", "fishing trip" and so on. Probably it was a discussion of escape options, and Uncle Andrey meant an opportunity to get him out of prison. Here is a photo of Uncle Andrey on the slide, so if anyone sees him here at the Black Hat conference, let the guards know about it.



His defense chose the well-known tactic of claiming that Seleznev had been framed by someone, whether the US government or another hacker. His lawyers said in court that someone, either a hacker or the government, had planted evidence on his laptop after agents took it at the airport. They stated that after the laptop was returned, the timestamps of several thousand files had been modified, and this was confirmed by forensics. He had a Windows 8 laptop, a hybrid tablet computer that was never turned off and was always on standby.

In standby mode this OS really does do its housekeeping, checking data and overwriting some information, so it is natural that the timestamps of system files changed. So we turned to forensic specialists, who performed an exhaustive, comprehensive analysis of the data on the laptop and answered the key questions about network, user and system activity, that is, they established who the last person to use the laptop was.



They investigated Windows "footprints" such as registry keys, the event log, SRUM (System Resource Usage Monitor), the USN journal, and Volume Shadow Copies. The first question they looked at was about network connections. According to the records, the computer first connected to the network on Saturday, June 21, and disconnected from it on July 3, and the network profile was named KANIFUSHI. This "Kanifushi" was the name of the hotel where Seleznev stayed during his vacation in the Maldives. So a hacker who wanted to plant evidence on Roman's computer would have had to pay more than $20,000 for a stay in this hotel. This computer also had a SIM card, which showed that the last connection was to the network of the Russian cellular operator Megafon. Network activity logs also showed

So a solid evidence base was presented at the trial. Next, we used the computer's security event records to trace who the last user of this computer was, to prove that it could not have been controlled remotely with a remote-access tool, and that a physical user was sitting at it. And then we found the familiar smaus login, which meant that it was this person who last used the computer.



SRUM (System Resource Usage Monitor) showed that the last program launched by the user was the Tor browser. Further, this log contained records of the operating system's automatic activity, which proved that no other person had interfered with the computer.

We also examined hidden evidence such as deleted files, slack space in hard-disk clusters, and archived records such as shadow copies. We extracted a solid shadow copy file that showed all the data on the computer before Seleznev's arrest. We also used stored evidence in the form of cell phone records and the photographs saved in the "cloud" and on the computer, examined his passport, and so on. The evidence we presented proved convincing at the trial, which lasted 8 days. As a result, a federal judge found Seleznev guilty on 38 counts and sentenced him to 27 years in prison.



And now I am ready to answer your questions.

Norman Barbosa answers the question:
- Indeed, we did not have an extradition agreement with the Maldives; on their part it was not extradition but expulsion from the country. We settled the legal side of this issue and were told that if we had an arrest warrant in our hands, then when the Maldivian agents were deporting Seleznev to Indonesia, we could bring charges against him and arrest him.

Question:
- Was there any encrypted files on his computer that you had to decrypt?

Harold Chen's answer:
- No, he didn't use any encryption at all.

Question:
- Have you learned any positive lessons from the fact that several operations to detain Roman failed?

Harold Chen's answer:
- Yes, the security services are working better and better, and if your equipment fails you or you make some mistake, the security services will be able to trace what that mistake led to and unwind the whole tangle.

Question:
- What do you think, how difficult it would be to convict Roman if you could not find the password to his computer and not collect all the evidence available there?

Norman Barbosa answers the questions:
- I think that the evidence we have collected would have been enough for the trial even before Seleznev's arrest. It might have taken more time, but we had very strong evidence of his guilt long before we managed to arrest him.

Question:
- Was there a reason to wait after the injury of Seleznev in 2011 right up to 2014?

Answer:
- We simply did not have any opportunity to detain him before the circumstances developed for us in such a successful way, and we could only hope that he would appear in the country with which we had an agreement on the extradition of criminals.

Question:
- I met here in the United States with a well-known Russian lawyer who was offered to act as Seleznev's defender and he refused, calling him a "die-hard idiot." So, have your principles of cooperation with the FSB changed since then, and do you hope to interact with them?

Answer:
- You know, I cannot discuss issues related to the political course of the government, I can only say that the experience we have received has influenced the strategy of relations in such matters.

Question:
- Do you think that a sufficient sentence was passed on Seleznev?

Answer:
- As you know, based on the totality of the charges, the judge gave him a 27-year term of imprisonment, which took into account a number of circumstances, including the amount of damage caused by Seleznev, estimated at $169 million. And that was based solely on the card data found on him; many things could not be accurately estimated, for example the damage he caused with the rest of his activities. Another important circumstance for the judge was that Seleznev tried to deceive the court during the trial and persisted in his lies. There are many things that cannot be calculated by the manual; here you need to be guided by the meaning of life and its values. We had over 400 victims, and most of them weren't big financial corporations; they were ordinary mums and dads visiting cafes and restaurants with their kids.

Question:
- Why didn't you contact the authorities of Indonesia, where Seleznev lived?

Answer:
- I cannot comment on this decision, because such a decision was made within the department, and we were only connected at the stage of completing the operation to capture Seleznev.

Question:
- How did you use Seleznev's iPhone?

Answer:
- We gave Apple a warrant and they helped us get access to the phone, but there was no significant evidence, mostly personal photos.

Question:
- How many banks did you have to interview during the investigation?

Answer:
- We had to deal with about 3,700 banks around the world.

Question:
- Can you tell us what was the topic of the meeting between our and Russian special services in 2009?

Answer:
- No, I can't.

Question:
- How were those companies punished, the security system of which allowed the theft of customer personal data by placing card data in plain text in POS terminals?

Answer:
- I do not think they were held criminally liable; data in such an open form was found in only one restaurant, where the data of 32 thousand cards was stored, but they were probably seriously fined.


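Two of the technical points in the talk above lend themselves to a worked example: the intrusion pattern reconstructed from the HopOne server (scan for exposed RDP, brute-force the password, then log in and pull card data) and the forensic question argued at trial (who last used the laptop, and was that session local or remote). The block below is an added example written for this thread, not code from the talk or the investigation. It runs detection logic over constructed Windows Security-log records in a flattened form (timestamp, EventID, LogonType, account, source IP); the account names, addresses and thresholds are assumptions chosen for illustration. What it shows that the talk does not: EventID 4625 with LogonType 10 is the RDP failed-logon signal, a burst from one source followed by a 4624 with the same source is the brute-force-then-success pattern, and the LogonType of the last 4624 (2 = console, 10 = RemoteInteractive) is what answers "remote or physical user".

```python
"""Added example: answer two questions from Windows Security-log records.
1. Was a host brute-forced over RDP and then logged into from the same source?
2. Who was the last interactive user, and was the session local or remote?
All records below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 5: "Service", 7: "Unlock",
                    10: "RemoteInteractive", 11: "CachedInteractive"}
INTERACTIVE_TYPES = {2, 10, 11}  # a human at a desktop, locally or via RDP

# Constructed: a point-of-sale host hammered over RDP (4625 / LogonType 10)
# from one address until a 4624 success arrives from that same address.
# Format: timestamp EventID LogonType account source-IP ("-" = local)
POS_EVENTS = """\
2010-10-20T02:14:01 4625 10 administrator 198.51.100.7
2010-10-20T02:14:03 4625 10 administrator 198.51.100.7
2010-10-20T02:14:05 4625 10 administrator 198.51.100.7
2010-10-20T02:14:07 4625 10 administrator 198.51.100.7
2010-10-20T02:14:09 4625 10 administrator 198.51.100.7
2010-10-20T02:14:11 4625 10 administrator 198.51.100.7
2010-10-20T02:14:13 4624 10 administrator 198.51.100.7
2010-10-20T09:01:00 4624 2 cashier -
2010-10-20T09:01:30 4625 3 backup 10.0.0.5
"""

# Constructed: the "who last used this laptop" question. The final successful
# interactive logon is a console session, not an RDP one.
LAPTOP_EVENTS = """\
2014-06-21T10:02:11 4624 2 smaus -
2014-06-28T18:40:00 4624 10 smaus 203.0.113.9
2014-07-03T07:15:42 4624 2 smaus -
2014-07-03T07:16:00 4624 5 SYSTEM -
"""


def parse_events(text):
    """Parse the flattened records into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "user": user,
                       "src": None if src == "-" else src})
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold RDP failures inside `window`, and note
    whether a successful RDP logon from that source followed the burst."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10 and e["src"]:
            failures[e["src"]].append(e["ts"])
    findings = []
    for src, times in failures.items():
        start = 0
        for end in range(len(times)):          # sliding window over failure times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = times[end]
                success = next((e for e in events if e["event_id"] == 4624
                                and e["logon_type"] == 10 and e["src"] == src
                                and e["ts"] >= burst_end), None)
                findings.append({"src": src, "failures": len(times),
                                 "first": times[start], "last": burst_end,
                                 "success_at": success["ts"] if success else None})
                break                          # one finding per source is enough
    return findings


def last_interactive_session(events):
    """Return the last successful interactive logon and whether it was remote."""
    for e in reversed(events):
        if e["event_id"] == 4624 and e["logon_type"] in INTERACTIVE_TYPES:
            return {"user": e["user"], "ts": e["ts"], "src": e["src"],
                    "logon_type": LOGON_TYPE_NAMES[e["logon_type"]],
                    "remote": e["logon_type"] == 10}
    return None


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(parse_events(POS_EVENTS)):
        print(f"RDP brute-force from {f['src']}: {f['failures']} failures, "
              f"success at {f['success_at']}")
    print("Last interactive session on laptop:",
          last_interactive_session(parse_events(LAPTOP_EVENTS)))
```

The brute-force check keys on the source address rather than the account because the attacker in the talk guessed passwords for whatever account the terminal exposed; the "last user" check deliberately ignores LogonType 5 (service) and 3 (network) records, which is the same distinction the forensic analysts in the talk had to draw between automatic OS activity and a person at the keyboard.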
 

Father

Professional
Russian carder Roman Seleznev, son of a deputy, sentenced to 27 years in prison in the United States

American justice rarely manages to reach the Russian hackers and carders who constantly carry out hacks on the territory of the United States and withdraw billions of dollars from the US banking system. But when it succeeds, and if guilt is proven, the guys get the maximum terms.

On Friday, April 21, 2017, the Federal District Court in Seattle sentenced Roman Seleznev, a 32-year-old citizen of the Russian Federation, the son of Valery Seleznev, a current State Duma deputy from the LDPR party, to 27 years in prison.

Roman is known on underground forums under the nicknames Bulba, Track2, 2pac, nCuX, etc. He himself traded dumps through the sites POS Dumps, track2.tv, bulba.cc and 2pass.cc; the latter sold millions of dumps taken from the terminals of Target, Neiman Marcus, Michaels, Staples, and Home Depot stores. In 2013-2014, it was the largest dump store on the Internet.
Roman Seleznev was put on the wanted list by Interpol with a "red notice". He was detained at the airport of the resort city of Male in the Maldives by US intelligence agents on charges of computer fraud, hacking, hacking into bank accounts and stealing credit card dumps, and causing damage to US citizens and organizations in the amount of about $2 million. After that, he was transferred to the United States.

The Federal Court for the Western District of Seattle charged Roman with hacking into the systems of retail outlets throughout the United States in 2009-2011. According to the prosecution, from his homes and apartments in Vladivostok, Indonesia and Bali, he operated the websites of international carding forums to facilitate the theft and sale of stolen credit card data. On Seleznev's laptop, 1.7 million dumps were found, and in bank accounts, more than $18 million received as a result of illegal operations. These funds, in particular, were used to purchase two apartments in Bali with a total cost of $800 thousand.

On the computer, they also found photos of Roman driving various sports cars, as well as posing next to bundles of bills resembling 5000-ruble notes.


According to the proven episodes, Seleznev's schemes allowed the resale of more than two million credit cards, resulting in losses for the US banking system of more than $170 million. If we take into account the overall work of Roman's carder forums, the total damage may amount to billions of dollars. Among the victims are 3,700 financial institutions and 500 companies worldwide, mostly in the United States. For this reason, federal prosecutors call Seleznev "the biggest fish" from the carder world that has ever fallen into the hands of American justice.

In a handwritten letter to the court, Roman spoke about the problems of his difficult childhood in Vladivostok, about his alcoholic mother and how at the age of 17 he barely had enough money to pay for food and utilities. These difficulties caused him to make "the biggest mistake of his life", as Roman writes, that is, they forced him to take up carding. He stole credit cards and other data that could be resold. Over time, he improved his hacking skills and increased the volume. Then things got even more serious. He became rich, married Svetlana, and moved to Bali. In general, this is a typical story of a Russian carder. The tragedy happened after the terrorist attack in Marrakech in 2011, in which part of Roman's head was blown off; he fell into a coma for a long time, and his wife left him and went to the United States with all the money and their daughter. After coming out of the coma, Roman returned to carding and met the Ukrainian Anna, with whom he fell in love, and she is still fighting for him against the American justice system.


The hacker's common-law wife, Anna Otisko, and father, State Duma Deputy Valery Seleznev, after a press conference. Photo: ITAR-TASS

The US Secret Service has been tracking Roman Seleznev for more than a decade, according to court documents. The search ended with a successful arrest in June 2014 in the Maldives.

Curiously, the Maldives does not have an extradition treaty with the United States, so Roman felt safe there — and bought real estate. However, Interpol and the US Department of Justice, through the State Department, managed to negotiate with the law enforcement agencies of the Maldives to help with the detention of the Russian. To do this, a special plan was developed, according to which the hacker was detained at the airport right before boarding a plane leaving for Russia.

Agents put Roman under surveillance immediately after he arrived in Male. During his journey from the airport terminal to the airport, he was already under heavy surveillance: several agents were sitting with him on the bus, a couple of rows behind him. As soon as Roman handed over his passport at passport control, he was immediately handcuffed.

Local authorities simultaneously announced the expulsion of Roman from the country. Instead of a plane to his homeland, the US special services put the Russian citizen on a private plane, which took him to a prison on the American island of Guam, and from there he was transferred to the United States.

MP Seleznev subsequently offered $50,000 for a video recording of his son's detention and expressed the opinion that economic sanctions should be imposed against the Maldives.

In August 2016, the jury found Seleznev guilty on 38 episodes of the criminal case. Of these, ten relate to cyber fraud and nine to unauthorized access to computer networks. The prosecutor asked for a 30-year prison sentence for Roman, and on April 21, 2017, the judge imposed such a sentence, taking into account that Roman had already served three years.

For those who are interested in where the 27 years come from
The gentleman is charged with 40 felony counts, 38 of which are related to hacking. In US law, episodes are grouped, after which they are either summed up or absorbed by the largest in each group. The largest group is considered as a penalty. In addition, there are crimes that are not grouped and are summed up by the end date of the crime.

In the court decision, the episodes are grouped as follows (I will try to translate them in a way that roughly corresponds to our legal terminology):
  • 1-10 — Wire Fraud — 336 months
  • 12-19 — Intentional damage to electronic computing devices that perform important operational functions (Intentional Damage to a Protected Computer), in conjunction with
  • 21-29 — Illegal access to secret / protected information (Obtaining Information from a Protected Computer) — 60 months
  • 30-38 — Illegal access to devices (Access Device Fraud) — 120 months
As a result, we take the maximum term, 336 months. 24 months are added to them for items 39 and 40 (giving deliberately false testimony). We get 360 months, or 30 years.
Paragraphs 11 and 20 appear to relate to the organization of criminal activity, and the jury decided that they were not proven.

Now about some interesting things.

In addition to this system, the United States has developed a special assessment table that allows aggravating parameters to be formalized and the term increased in proportion to their severity. For Seleznev, the table takes into account, for example, the following items:
  • Loss in excess of $550 million — total financial losses exceed $550 million
  • 10 or more victims — more than 10 victims
  • Scheme committed from outside of the U.S. — the crime was committed from outside the United States
  • Organizer / leader — the defendant is the leader of a criminal organization
  • Obstruction of justice — the defendant obstructed the administration of justice
According to this table, the prosecution should have recommended a life sentence, but the use of such "modifiers" is permissible only in certain cases, for example, if the case falls under the RICO Act. And RICO is quite expensive to prove, and it is not at all certain that Seleznev's organization fits it. Therefore, the "modifiers" were not used.

All the more surprising is the fact that these calculations exist in the report, since, according to American law, they are not relevant to the case and should have been removed and excluded from the materials presented to the jury. In my personal opinion, this is evidence of the low qualification of the legal assistance provided to a citizen of the Russian Federation, because such calculations clearly incite the jury against the defendant.

In the verdict, you can notice a strange thing, in the description of groups of episodes, it says this:

as to each of counts 1-10 (Wire Fraud), defendant shall serve 336 months to be run concurrently with one another, and also concurrently with all other counts except counts 39 and 40

That is, the punishment for the episodes is to be served concurrently with the other episodes, and concurrently with the other groups of episodes. If you think about it, this means that for one episode of Wire Fraud they give 28 (!) years. This is a historical feature of the United States: fraud involving the use of federal communications (mail, telecom operators) and financial (banks) institutions is a particularly serious crime there.

The proposed prosecution scheme is also interesting: the charges against Seleznev were prepared in several states at once, and the episodes were distributed among all of them. At least two states were preparing to press charges under the aforementioned RICO Act, demanding life in prison. The interesting thing is that in any country under the rule of law, no one can be tried for the same crime twice, but in the United States a person can be tried for the same crime several times in different states if the charges do not completely match in their episodes. That is, it is enough to replace one episode with one for which no charges were brought, and a new trial in another state is ready. There are a lot of episodes in the Seleznev case.

Sentencing memorandum

"I am alive today, and I thank God for that, and for the government of the United States of America," Roman writes. "I was walking down a very deadly road until I was arrested."

Roman Seleznev is also being charged by prosecutors in Nevada and Georgia. It is not yet known whether the verdict in Washington State will satisfy the prosecutors of those states, writes the NY Times.