PINDROP BLOG

Russian Convicted in $169M PoS Malware Scheme

A Russian man, who is the son of a politician in Russia, has been convicted of more than three dozen counts stemming from a point-of-sale hacking scheme that allowed him to steal nearly two million credit card numbers from retailers and restaurants in the United States.

Roman Valerevich Seleznev was convicted Thursday of the crimes, which included several different counts related to hacking, along with identity theft. His sentencing is set for Dec. 2. The conviction is the end result of a long investigation that included the arrest of Seleznev in the Maldives in 2014. At the time, FBI agents seized a laptop from Seleznev that had 1.7 million stolen credit card numbers, as well as other information that officials say connected him directly to the servers used to run the PoS malware infrastructure.

“Evidence presented at trial demonstrated that the malware would steal the credit card data from the point-of-sale systems and send it to other servers that Seleznev controlled in Russia, the Ukraine or in McLean, Virginia. Seleznev then bundled the credit card information into groups called ‘bases’ and sold the information on various ‘carding’ websites to buyers who would then use the credit card numbers for fraudulent purchases, according to the trial evidence. Testimony at trial revealed that Seleznev’s scheme caused 3,700 financial institutions more than $169 million in losses,” the Department of Justice said in a statement.

Seleznev is the son of Valery Seleznev, a member of the Russian parliament, who accused the U.S. of kidnapping his son at the time of his arrest in 2014. Roman Seleznev still faces more legal problems, even after the conviction in Washington.

“Seleznev is charged in a separate indictment in the District of Nevada with participating in a racketeer influenced corrupt organization (RICO) and conspiracy to engage in a RICO, as well as two counts of possession of 15 or more counterfeit and unauthorized access devices. Seleznev is also charged in the Northern District of Georgia with conspiracy to commit bank fraud, one count of bank fraud and four counts of wire fraud,” the DoJ said in its statement.

Point-of-sale malware is a highly effective tool for harvesting a large volume of data from payment terminals, which typically are not well defended. Attackers often target PoS systems at large retailers and smaller shops to grab payment card data directly at the source, before it is encrypted and transmitted to processors or other back-end systems.