The son of a Russian lawmaker who earlier this year received one of the longest sentences ever handed down in the United States for computer-related crimes was slammed on Thursday with two more 14-year sentences.
Roman Valeryevich Seleznev, 33, of Vladivostok, Russia, won't spend any additional time in prison, however, as both sentences will run concurrently with the 27-year jail term he began serving in April. Seleznev is doing time over his running of several underground forums that sold stolen payment card data.
The latest sentences resulted from Seleznev pleading guilty on Sept. 7 to one count of participating in a racketeering enterprise and one count of conspiracy to commit bank fraud, the Department of Justice says. The first count was filed in federal court in Georgia, and the second in Nevada federal court.
Seleznev has also been ordered to pay $50 million in restitution in the Nevada case and $2.2 million in the Georgia case, the DOJ says.
Seleznev's guilty pleas follow a separate trial that concluded in September 2016, when a jury found him guilty of defrauding 3,700 financial institutions of at least $169 million through payment card schemes. In April, Seleznev was sentenced to serve 27 years in prison (see Russian Receives Record-Setting US Hacking Sentence).
Seleznev, known by the nicknames Track2, Bulba and Ncux, is one of the more infamous "carders" - fraudsters who trade in stolen credit card details - to have ever been prosecuted by the U.S. government.
He was accused of running Carder.su, a website that sold personal details for use in identity theft schemes, as well as stolen payment card numbers. So far, U.S. law enforcement agencies have charged 55 individuals with crimes that tie to Carder.su. Thirty-three have been convicted; with the remaining individuals either remaining at large or awaiting trial, the DOJ says.
Carder.su was chock full of stolen payment card numbers for sale, some of which were obtained by hacking point-of-sale devices and installing malware to collect card details. The group behind Carder.su ran a host of affiliated forums and chat rooms that used encrypted email and VPNs to try and shield their activities.
Although Seleznev worked with Carder.su, he also ran his own carding site that allowed members to buy stolen card details. His website included a search interface so buyers could find specific kinds of cards, the DOJ says. Card numbers cost on average just $20.
The stolen card details could be paid for in Liberty Reserve, a now-defunct digital currency (see Virtual Currency Kingpin Pleads Guilty).
RBS WorldPay Fraud
As part of the Georgia case, Seleznev also admitted to helping other hackers defraud RBS WorldPay, a payment processor based in Atlanta. In November 2008, attackers infiltrated the company's systems. They compromised the encryption used to protect customer data on payroll debit cards, which are used by some companies to pay employees.
The hackers then raised the account limits for some of the payroll cards to more than $1 million. In a strike attack that took less than 12 hours, the hackers withdrew $9.4 million from some 2,100 cash machines in 280 cities around the world, the DOJ says.
Protest From Russia
Seleznev was indicted in 2011, but it took more than three years to arrest him. U.S. Secret Service agents nabbed Seleznev in July 2014 in the Maldives while he was vacationing. He was then flown to the U.S. territory of Guam and arrested. The U.S. government refers to this practice as "informal extradition" (see Russia's Accused Hacker Repeat Play: Extradition Tug of War).
Russia, which has long opposed various U.S. tactics to capture hacking suspects in friendly countries, called Seleznev's detainment a "kidnapping." The country's Foreign Ministry demanded his release.
Seleznev's father, Valery Seleznev, is a member of Russia's Parliament. After his son was sentenced in April, the elder Seleznev maintained his son was innocent and that the sentence was essentially for life, as he believed his son would not survive 27 years in prison.