With the plethora of data breaches that have occurred over the past five years reaching a crescendo with the Equifax breach, it should surprise no one that a criminal’s end goal is the use of identity theft to effect monetization. Yes, each piece of personal identifying data, financial data or medical information on an individual feeds into this equation, and moves the concerted criminal one step forward toward achieving identity theft.
Identity theft is how criminals turn their dastardly deeds, or those of another, into cold hard cash.
The U.S. Department of Justice (DoJ) recently reported how Roman Valeryevich Seleznev (aka Track2, aka Bulba, aka Ncux) entered guilty pleas in two separate cases (racketeering and bank fraud) for his part in the credit card fraud ring, “Carder.su”. Seleznev, active in the cyber underworld, and his colleagues managed to monetize their efforts to the tune of US$50 million. Yes, $50 million.
What/Who is Carder?
Carder, as the name may suggest, is an internet-based international criminal entity whose members trafficked stolen credit card data and counterfeit identification, as well as a group of individuals who committed identity theft, bank fraud and computer crimes.
Interestingly, Carder the entity utilized methods of communication that many small/medium businesses would be envious and enterprises desirous to emulate. Carder was designed from the beginning to protect individual users’ identities, and Carder members communicated via secure or encrypted forums (private messaging, chat rooms), encrypted email, utilized proxies and encrypted virtual private networks.
To become a member of Carder, two current members were required to vouch for the candidate member.
How Did Carder Conduct Identity Theft?
Carder successfully separated $50,983,166.35 from its victims. The volume of stolen credit cards associated with Seleznev was such that he created an automated website within the Carder community. The DoJ describes Seleznev’s website:
His automated website allowed members to log into and purchase stolen credit card account data. The defendant’s (Seleznev) website had a simple interface that allowed members to search for the particular type of credit card information they wanted to buy, add the number of accounts they wished to purchase to their “shopping cart” and upon check out, download the purchased credit card information. Payment of funds was automatically deducted from an established account funded through L.R. (Liberty Reserve), an on-line digital currency payment system. Seleznev admitted that he sold each account number for approximately $20.
Seleznev demonstrated his understanding of the U.S. banking systems, when he, acting as the “casher” (along with other indicted and convicted individuals), infiltrated RBS Worldpay, stole 45.5 million debit card numbers and withdrew more than $9.4 million from 2,100 ATMs in 280 cities around the world in less than 12 hours—an impressive display of global reach and logistical acumen. Their successes caught the eye of the global law enforcement community. A global criminal investigation, “Operation Open Market,” specifically targeted Carder and resulted in 55 individuals being charged in in the United States under four separate indictments.
What is Liberty Reserve?
Liberty Reserve, the digital currency provider, was registered in Costa Rica. In 2013, it was estimated that Liberty Reserve had more than 100 million global users, had processed more than $6 billion and had conducted more than 55 million separate money laundering transactions. According to the DoJ, on May 24, 2013, there were multiple arrests of the Liberty Reserve principals.
Who is Seleznev?
Roman Valeryevich Seleznev of Vladivostok, Russia, is the 33-year old son of Russian lawmaker, Valery Seleznev. Upon his son’s arrest in 2014, Valery Seleznev said he believed the United States had kidnapped his son to arrange a swap of Edward Snowden. While anything is possible, a Seleznev-Snowden swap is highly unlikely, as Seleznev was convicted by a Seattle jury in August 2016 on 38 of 40 criminal accounts, and in April was sentenced to 27 years in federal prison, the longest sentence ever imposed in the United States for a cybercrime. In addition, he was ordered to pay $170 million in restitution.
Seleznev, who was adroit in manipulating banking systems, clearly lacked basic operational security. He was arrested on vacation in the Maldives by U.S. law enforcement and then immediately transported to Guam, and then moved to Seattle. In his possession were three pieces of evidence that nailed his subsequent conviction:
- Details on 1.7 million stolen credit cards were on his laptop;
- He had searched online court records in the United States to see if he was under investigation; and
- A “password cheat sheet” that linked him to “a decade’s worth of criminal hacking.”
Sentencing for the racketeering and bank fraud associated with the identify theft crimes to which Seleznev pleaded guilty will occur in December.
Coupled with his prior 27-year sentence, it is safe to say Seleznev is going to be a resident in the U.S. prison system for a many years. It makes one wonder if his handle “Bulba” will evolve to “Bubba.”