32-year-old Roman Valeryevich Seleznev, aka Track2, has been handed the longest US hacking sentence to date: 27 years in prison.
He was convicted in August 2016, of 38 counts (intentional damage to a protected computer, obtaining information from a protected computer, possession of unauthorized access devices and aggravated identity theft) related to his scheme to hack into point-of-sale computers to steal credit card numbers and sell them on dark market websites.
The unprecedentedly long prison sentence he received is believed to be partly the result of his role as a pioneer in the carding industry.
“Under the nickname ‘Track2,’ Seleznev created two automated vending sites, an innovation that made it possible for criminals to efficiently search for an purchase stolen credit card data through a process as easy as buying a book on Amazon,” the prosecutors noted.
“Later, under the nickname ‘2Pac,’ Seleznev built a global resale operation, creating an online marketplace where scores of notorious hackers offered for sale the credit card data they had stolen through their own hacking activities. And, at the same time Seleznev was organizing the supply of credit card data in this manner, he worked to stimulate the demand for stolen card data by establishing a website known as ‘POS Dumps,’ which trained throusands of new criminals in the basics of how to use the data to commit fraud.”
Seleznev was arrested in July 2014 in the Maldives, and the laptop in his custody at that time contained more than 1.7 million stolen credit card numbers. The laptop also contained additional evidence linking Seleznev to the servers, email accounts and financial transactions involved in the scheme.
According to evidence presented at trial, between October 2009 and October 2013, Seleznev hacked into retail point-of-sale systems and installed malware that allowed him to steal millions of credit card numbers from more than 500 US businesses and send the data to servers that he controlled in Russia, the Ukraine and McLean, Virginia. He then bundled the credit card information into groups called “bases” and sold the information on various criminal “carding” websites to buyers who used them for fraudulent purchases, according to evidence introduced during the trial of this case.
Many of the businesses targeted by Seleznev were small businesses, and included restaurants and pizza parlors in Western Washington, including Broadway Grill in Seattle, which was forced into bankruptcy following the cyber assault. Testimony at trial revealed that his scheme caused approximately 3,700 financial institutions more than $169 million in losses.
Seleznev still faces charges in other US federal courts.
He is also charged in a separate indictment in the District of Nevada with participating in a racketeer influenced corrupt organization (RICO) and conspiracy to engage in a racketeer influenced corrupt organization, as well as two counts of possession of 15 or more counterfeit and unauthorized access devices, and in the Northern District of Georgia with conspiracy to commit bank fraud, one count of bank fraud and four counts of wire fraud.
Seleznev hails from Vladivostok, Russia, and is the son of Russian parliamentarian Valery Seleznev. According to the prosecutors, he “has been engaged in cybercrime his entire adult life.”