Born in Israel in 1975, Malicious Life podcast host Ran Levi studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several high-tech companies in Israel.
In 2007, he created the popular Israeli podcast Making History. He is the author of three books (all in Hebrew): Perpetuum Mobile, about the history of perpetual motion machines; The Little University of Science, a book about all of science (well, the important bits, anyway) in bite-sized chunks; and Battle of Minds, about the history of computer malware.
Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.
Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason.
March 6th, 2019. Seattle, Washington. 600 University Street, 7th floor, Courtroom 2.
“[Lobsons] Good morning, Your Honor. My name is Jim Lobsons. I did recently, about three weeks ago, I was retained by Mr. Seleznev’s other lawyers to represent him at oral argument here.
[Judge] Thanks, Mr. Lobsons. It’s nice to see you.
[Lobsons] Nice to see you.”
Lobsons stood at a podium before two judges, representing the defendant-appellant, Roman Valeryevich Seleznev, a Russian national then 34 years old.
Just behind Lobsons: Michael Morgan, representing the United States of America, the body that sent Seleznev to prison.
“[Lobsons] As to the sentencing issue, it’s my position that there was both a procedural error and the sentence is also substantively unreasonable. The two are very intertwined. It’s hard to tease them apart. But the procedural error is really failure to consider and failure to explain the very lengthy sentence imposed on Mr. Seleznev.”
Two years earlier, Roman Seleznev had been convicted for computer crimes, and received a jail sentence that would make any hacker shake in their boots.
“[Lobsons] Was it really necessary to get a 27-year sentence to protect the public from Mr. Seleznev and future crimes?”
A sentence that’d make any criminal quiver.
“[Lobsons] And in this case, Mr. Seleznev has received a sentence which is longer than you can get if you have no prior criminal convictions for first-degree premeditated murder in state court in Washington.”
So here’s the question: did he deserve it?
It’s trickier than it might seem at first. On one hand, it’s hard to imagine any nonviolent computer crime worth 27 years in prison. But then what is an appropriate sentence for a man like Seleznev?
Five minutes into his lawyer’s argument, one of the judges interrupts.
“[Judge] Could I interject a question?
[Judge] What was the guidelines range?
[Lobsons] Life. Life. But because it’s treated, sort of maxed out at a level 43, but it’s life.
[Judge] Okay, so if the maximum was life and the court gave 27 years,
[Judge] then you think it’s not substantively reasonable?
[Lobsons] I do not.
[Judge] It’s not, right?
[Lobsons] I do not.
[Judge] What would have been substantively reasonable? What’s the most you think the district court should have sentenced him to?”
The attorney is clearly rattled. He averts his gaze, thinking into the air, the way you used to do in class when your teacher asked you a question you didn’t know the answer to.
“[Lobsons] I’m trying to think. If I had been the district court judge, what is the most that I could say I can justify this?”
The lawyer shakes his head and puts his hands out, trying to come up with a number off the top of his head. Considering that he’s Seleznev’s defense, the one he ultimately lands on is a bit surprising.
“[Lobsons] 15 years? I don’t know. He’s 32 years old, and I haven’t yet addressed the fact that he doesn’t have all of his brain because half of his skull was blown off and because he’s got a serious traumatic brain injury.”
Hi, I’m Ran Levi, welcome to Cybereason’s Malicious Life podcast.
The numbers thrown around in that appeals court raise the question: what kind of punishment is fitting for a cybercriminal? Can any digital wrongdoing warrant nearly 30 years in jail?
In the days before he was set to be handed that sentence, Roman Seleznev, the slightly pudgy 33-year-old Russian with a beard and receding dark hair, understood the situation he was in. So he penned an 11-page apology letter to try to elicit some sympathy from his judge. To get a sense of his story, we’re reading from it now, with some slight edits to smooth over the broken English. Quote:
“I was born in the city of Vladivostok, Russia, July 23, 1984. I was just 2 years old and my parents got divorced. My mother and I lived in a room that was approximately 10 square meters. We lived with 4 other families during those very difficult times.
[. . .]
Most of the time I was home alone while my mom worked hard. I taught myself about computer technologies. I had great skill at a young age and it was clear that I could do great things with my life.
[. . .]
So I studied hard in school to try someday to help my mom.”
Roman was working toward a degree in mathematics and computer science when the defining event of his childhood struck. Quote:
“I came home from school, and I found my mother in our bathtub, drowned. She died of this because of alcohol poisoning. [. . .] I panicked and cried so badly from this pain and loss of my mom. The next day, my mom’s brother came to our apartment and took all my mom’s jewelry and some of her good clothing and told me I must leave the apartment[.]”
Roman quit school, without money to fall back on. He was unemployed, until he found a job at a computer store. It paid just five dollars a day, so he left. “And this becomes the foolish point where my life fell down to the side of criminal activity,” he wrote. “I started to become a hacker.”
He started by stealing small batches of cards here and there, and selling them on the dark web. It was enough to cover the bills. A breakthrough came in 2007, when he came upon a larger database of credit cards, and sold them off for a lot more money. Soon, quote, “I was becoming greedy and out of control.”
At this point in the story, he claims, came the turning point in his cybercriminal career. He recounts an event in 2009 when his wife and daughter were on vacation, and thieves broke into his house, stole his money and equipment, and “tortured” him “all night.” Quote:
“At this time I wanted out of this life and planned to stop these crimes to do honest and respectable things with my skill as my mom wanted for me. And I made it clear to all “I am done!!! I am out.” I made a clear announcement on the internet that I quit selling credit cards. I attempted to protect my family and find an honest career.”
A screenshot of his notice to the cybercrime underworld has survived to this day. So we’ll quote now from “cardingworld.cc,” June 21st, 2009 — the moment Roman began his life of doing “honest and respectable things.”
“Hello My Dear Customers
SALES will be until 20.JULY.2009. DON’T LOSE YOUR CHANCE.
After that we will end our work. (FOREVER)
Minimum order $1,000
All clients will get a free checker on the amounts of dumps you buy!
American Express – $1 per card
Visa, Mastercard, Discover – $5 per card.”
Clearly, this was an honest family man who felt deep remorse about his cybercrimes.
As Norman Barbosa and Harold Chun — two attorneys involved in the Seleznev case — explained in a 2017 Black Hat presentation, Roman started hacking not in 2007, as he claimed, but five years earlier, in 2002, still just a teenager. Back then he was stealing a wealth of personal information from innocent people — names, dates of birth, social security numbers, known in the forums as “fullz” — for purposes of identity fraud.
By 2005, he’d developed a specialty in credit cards. He was known to the underground as “nCuX” — a transliteration for the Russian word for “psycho” — a name he earned for being a hothead. (You can only imagine what it takes to be labeled a hothead in a community of criminals.)
In the years that followed, according to Seattle district court judge Richard A. Jones, nCuX had become, “one of the world’s leading providers of stolen credit card data,” and “was revered in the carding underworld and admired by thousands of other criminals.”
Meanwhile, as he built a significant profile on carding forums, the U.S. Secret Service was building up a case. The agency had good evidence that the individual known as nCuX was, in fact, Roman Seleznev of Vladivostok.
In a move that certainly wouldn’t happen today, U.S. authorities took their evidence to the FSB — Russia’s successor agency to the KGB. On May 19th, 2009, members of the Secret Service and the FBI met with their Russian counterparts in Moscow, and presented a theory tying Roman Seleznev to years of identity and credit card theft. The down-on-his-luck carder was now clearly within the sights of two major world powers.
Yet, remarkably, he was the one with the trump card.
nCuX’s fire sale wasn’t a sales tactic — within weeks, after years as one of the most prominent names in the dark web, he disappeared from the web without a trace, removing all posts and deleting all accounts that could tie back to his identity. It wasn’t enough to clear any case against him, of course, but it certainly helped complicate it. And, equally, it was a signal to the authorities who’d been after him all those years.
You see, there’s one very important fact about Roman that he didn’t emphasize in his sob story. As often as he writes of his alcoholic, dead mother, he leaves out that his father was not only very much alive but was, and still is today, an entrepreneur and prominent politician, a member of the Russian State Duma (the parliament).
After the meeting in Moscow, word of his case “clearly got back to Mr. Seleznev,” Jones would later note. Roman had contacts inside of the FSB, through his powerful father. In online messages a year earlier, he bragged to an associate about how the computer crime squad within the FSB — the very agency tasked, supposedly, with bringing people like him to justice — in fact was protecting him, enabling him to carry out his wanton cybercrime.
The FSB’s betrayal not only derailed their plan, Barbosa explained, but it also caused the Americans to, quote, “rethink how they would go about seeking international cooperation on the case.” End quote.
This change in attitude will have major ramifications later on. But for now, it was up to Roman what to do next, now that the era of nCuX was behind him. In his sympathy letter, he wrote of the precarious position he was in: with his grandmother dying, the pressures of supporting his family without carding, and the difficulty of finding gainful employment with his lack of education.
All of it was lies, of course: nCuX had barely retired before Roman was building up two new online personas, Bulba and Track2, that would be even bigger and better than anything he’d done before.
As nCuX, Roman would distribute stolen personal data and credit cards manually, to each criminal that wanted to use them. Now he was taking his business to the next level, with a fully automated website. It “functioned like an Amazon.com for carders,” Jones wrote, “allowing buyers to automatically search, select, and purchase credit card data by choosing criteria such as financial institution or card brand.”
Unlike nCuX, who’d taken 7 years to reach the pinnacle of the carding world, Bulba and Track2, quote, “achieved instant success, and were perhaps the leading source of stolen credit data during the period they operated.”
Track2, for one, became the exclusive provider for carder.su, one of the world’s leading carding forums, servicing over 25,000 members. 25,000 customers seems like a lot to handle for just one man, but his supply could support it.
Often, when we talk about dark web dumps, we’re talking about a single kind of event: a hacker steals a database worth of passwords, credit card numbers, what have you, then plops it on a webpage.
Roman, with help from criminals working for him, would do that. At the Broadway Grill in Seattle, Washington, for example, they made off with a database of 32,000 credit cards, from customers that’d visited the restaurant between December 1, 2009 and October 22, 2010.
But that wasn’t all. Instead of merely running away with tens of thousands of cards, Roman planted malware on the restaurant’s point-of-sale systems to capture card data live, as it was swiped. So picture a waiter at the Broadway Grill: when they swipe a customer’s credit card through the terminal, the data is transmitted to the company’s central server, but on its way it passes through the malware. The malware records the card data and, every five minutes, bundles it together with every other card swiped in that window and sends the batch to Roman’s remote servers.
Maintaining a foothold even after stealing untold thousands of cards gave Roman a constant, steady stream of new supply, and the number of businesses he stole from was staggering. In Washington alone, just one of the 50 states, he hit at least seven businesses. Around the country, hundreds more. Every five minutes, each one of these companies would feed fresh card numbers to Roman Seleznev’s servers in Russia, Ukraine, and Virginia.
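The mechanism above, scraping card data at the point of sale and shipping it out on a fixed timer, is also what a defender has to look for. The following is an added example, written for this page and not code from the case or from the podcast: a Python scanner that pulls Track 2 records out of a captured buffer (the format that makes up a carding “dump”, ;PAN=YYMM...?) and Luhn-checks the account number to drop false matches, plus a simple check over outbound connection records that flags a host contacting the same destination at near-constant intervals, the five-minute cadence described above. The sample buffer, the flow log lines, the host name and the IP addresses are all constructed for the example (the card numbers are standard industry test numbers, the IPs come from documentation ranges).

```python
import re
from collections import defaultdict
from datetime import datetime

# Track 2 layout: [;]PAN=YYMM SSS discretionary[?] with a 13-19 digit PAN and '=' as field separator.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\??")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check on the account number; drops random digit runs that happen to fit the regex."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track2(buf: bytes):
    """Return (masked PAN, expiry YYMM, service code) for each Luhn-valid Track 2 record in a buffer."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]  # never log the full PAN
        hits.append((masked, (m.group(2) + m.group(3)).decode(), m.group(4).decode()))
    return hits


# Constructed outbound flow records: "<ISO timestamp> <src host> -> <dst ip:port> out=<bytes>".
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+) out=(\d+)$")


def periodic_exfil(flow_lines, min_flows=4, max_cv=0.1):
    """Group flows by (src, dst) and flag pairs whose inter-arrival gaps are almost constant.

    Returns {(src, dst): mean gap in seconds}. A scheduled upload every five minutes has a
    coefficient of variation near zero; human-driven traffic does not.
    """
    by_pair = defaultdict(list)
    for line in flow_lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, _nbytes = m.groups()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    flagged = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_flows:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        stdev = (sum((g - mean) ** 2 for g in gaps) / len(gaps)) ** 0.5
        if mean > 0 and stdev / mean <= max_cv:
            flagged[pair] = round(mean)
    return flagged


# Constructed memory/network capture from a POS host. The third record fails Luhn: a regex-only
# scanner would report it as a card; this one drops it.
SAMPLE_BUFFER = (
    b"\x00\x00POS Terminal 3\x00;4111111111111111=25121010000000000000?\x00"
    b"log: sale approved\x00;5500000000000004=26061010000?\x00"
    b";4111111111111112=2512101?\x00"
)

# Constructed flow log: a fixed five-minute timer to one destination, irregular traffic to another.
SAMPLE_FLOWS = [
    "2010-10-22T13:00:05 pos-07 -> 203.0.113.9:443 out=1842",
    "2010-10-22T13:05:06 pos-07 -> 203.0.113.9:443 out=2210",
    "2010-10-22T13:10:05 pos-07 -> 203.0.113.9:443 out=1990",
    "2010-10-22T13:15:07 pos-07 -> 203.0.113.9:443 out=2105",
    "2010-10-22T13:20:05 pos-07 -> 203.0.113.9:443 out=1877",
    "2010-10-22T13:01:12 pos-07 -> 198.51.100.20:443 out=512",
    "2010-10-22T13:09:48 pos-07 -> 198.51.100.20:443 out=730",
    "2010-10-22T13:41:02 pos-07 -> 198.51.100.20:443 out=640",
    "2010-10-22T14:02:55 pos-07 -> 198.51.100.20:443 out=505",
]

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_BUFFER):
        print("track2 record:", hit)
    for (src, dst), gap in periodic_exfil(SAMPLE_FLOWS).items():
        print(f"periodic upload: {src} -> {dst} every ~{gap}s")
```

The two checks are deliberately independent: the Track 2 scan finds the stolen data itself (in a memory dump, a quarantined file or a decrypted capture), while the timing check only needs connection metadata and catches the scheduled upload even when the payload is encrypted. Either alone produces false positives; a host that both holds scraped track data and talks to one external address on a clock is the combination worth paging someone for.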
So you can begin to see how one man alone could support a large swath of the Eastern hemisphere’s carding community. As just one example: there was a day in April, 2011 when Track2 released one million new stolen credit cards for sale. These are the kinds of numbers we’re dealing with here.
They’re the kind of numbers that tend to attract attention and, once again, U.S. authorities were closing in.
Roman had made the mistake of using the same email address to register his popular Track2 website and to open a PayPal account. Authorities obtained a legal order for the account information which, among other things, included his personal address. From there they went one by one, connecting each new bit of personal information to another (an address to an email, a phone number, a fake name such as Roman Ivanov or Ruben Samlevich), reaching further and further back, and deeper and deeper into Roman’s past. They went so far that they could see his purchase histories: an order of flowers for his wife, and plane tickets to Bali, which included his passport information. Together, the information tied Track2 not just to Roman, but also to nCuX.
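The pivoting described above, one shared identifier linking a website registration to a payment account, that account to an address, and so on, is an instance of entity resolution over selectors. As an added example (not code from the investigation or the podcast), here is a small Python implementation: records from different sources are nodes in a graph joined by the selectors they share, connected components give the identity clusters, and a shortest path shows the chain of shared selectors that connects two records. The source names, selector values and alias labels are all constructed. The deliberate caveat built in is that a weak selector such as a name collides between unrelated people, so by default only strong selectors (email, phone, address, passport) are allowed to join records.

```python
from collections import defaultdict, deque

# Selector types too common to link people on their own (a shared name is not evidence).
WEAK_TYPES = {"name"}

# Constructed records: source -> set of (selector type, value) it yielded. Nothing here is real data.
RECORDS = {
    "track2 site registration": {("email", "shop-admin@example.net"), ("name", "alias-one")},
    "payment account": {("email", "shop-admin@example.net"), ("phone", "+7 900 000 00 00"),
                        ("address", "Flat 1, Example St, Vladivostok")},
    "flower delivery order": {("phone", "+7 900 000 00 00"), ("name", "legal-name")},
    "airline booking": {("address", "Flat 1, Example St, Vladivostok"), ("passport", "XX0000001"),
                        ("name", "legal-name")},
    "old forum registration": {("email", "psycho@example.org"), ("passport", "XX0000001")},
    "unrelated customer": {("email", "someone@example.com"), ("name", "alias-one")},
}


def build_graph(records, strong_only=True):
    """Bipartite graph: source nodes and selector nodes; a selector shared by two sources joins them."""
    adj = defaultdict(set)
    for source, selectors in records.items():
        adj[source]  # a source with no usable selectors still appears, as an isolated node
        for sel in selectors:
            if strong_only and sel[0] in WEAK_TYPES:
                continue
            adj[source].add(sel)
            adj[sel].add(source)
    return adj


def clusters(records, strong_only=True):
    """Connected components, reported as sets of source names: each set is one identity cluster."""
    adj = build_graph(records, strong_only)
    seen, out = set(), []
    for start in records:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            if node in records:
                comp.add(node)
            stack.extend(adj[node] - seen)
        out.append(comp)
    return out


def link_path(records, start, goal, strong_only=True):
    """Shortest chain source -> selector -> source -> ... from start to goal, or None if unlinked."""
    adj = build_graph(records, strong_only)
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    for comp in clusters(RECORDS):
        print("cluster:", sorted(comp))
    for step in link_path(RECORDS, "track2 site registration", "old forum registration"):
        print("  ->", step)
```

With strong selectors only, the shop registration, payment account, flower order, airline booking and old forum account fall into one cluster and the unrelated customer stays out; allow names to link and the unrelated customer is pulled in through the shared alias, which is exactly the kind of false join that sends an investigation after the wrong person. The path printed is the evidentiary chain, each hop being one selector that appears in two independent sources.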
The United States of America indicted Roman Seleznev on March 3rd, 2011, on 29 felony counts. But as authorities closed in on him for the second time, yet again, their plan was thrown off course.
From the case docket, you can see exactly when everything turned upside down. Throughout March and April of 2011, over a dozen motions and orders progressed the case against Seleznev. Authorities were moving fast. Two sealed orders were filed on April 27th and then, suddenly…nothing. For the entire rest of the year, the prosecution appears to have completely abandoned the case.
That’s because on the morning of April 28th, a 25-year-old shoe salesman named Adil El-Atmani walked into the Argana in Marrakech, a three-story, touristy cafe on the Jemaa el-Fnaa square in the center of the city. He had with him a backpack containing two pressure cooker bombs, which he detonated at 11:50 AM local time, killing 17 people and injuring another 25. Quote:
“My wife and I wanted to have breakfast at the hotel, so we went into the restaurant but they told me they cannot serve me food. I ask them why and they say I need to put a suit on. I had no suit to put on, so we took a walk to the closest local cafe.
The waiter said we must wait 30 minutes before he can start preparing breakfast for us, so I say we’ll wait. [. . .] Then the waiter brought us juice, and the suicide bomber blew himself up. The entire cafe blew up with blood and dead people everywhere.”
Seleznev was rushed onto an emergency flight to Moscow, where he’d receive high-risk cranial surgery. A part of his skull had blown off, and he went into a monthslong coma. Quote:
“In the middle of 2012, my wife and I got divorced. My wife told me that the reason she left me that day in the hospital — she didn’t want to take care of a vegetable. She fled from Russia to the United States, taking our daughter and all our money. She left all the divorce details with an attorney and she left. [. . .] My life was terrible and I hated the man I saw when I looked into the mirror. I asked God why he saved me. Why?”
Even after all he’s done, it’d be hard not to feel some sympathy for Roman at this point in the story.
If what he was saying was true.
No traumatic, life-threatening head injury or even a coma could’ve kept Roman Seleznev from the dark web. In 2013, he reinvented himself as “2Pac,” and evolved his business yet again, now not just selling his own cards but also acting as a middleman for some of the other biggest credit card hackers in the world, offering their wares in exchange for a cut of the profits. He advertised “the best sellers in one place” at 2pac.cc, with dumps from such American corporations as Neiman Marcus, Michaels, and Target.
To spur even more business, Roman created a sister site for 2pac.cc, called “POS Dumps.” POS Dumps provided a step-by-step guide for novices in how to monetize stolen credit cards, with tips for determining a victim’s ZIP code and available balance. Students were provided free software for writing stolen information onto blank cards, and at the completion of the course, they were directed to the marketplace to begin buying. Over 3,300 aspiring cybercriminals visited POS Dumps in only its first month after launch.
So if his wife really had stolen all his money, his life was terrible, and he hated himself, it certainly didn’t show in Roman’s behavior. Besides getting back in the game, he bought two properties in Bali, Indonesia, which he flew to and from often, when he wasn’t vacationing on other tropical islands. Photographs from this time show Roman with his shirt off on beautiful sandy beaches, at five-star resorts, posing with a yellow Dodge Challenger, or sometimes just piles of cash, smiling, with his arms raised in the air with joy.
Because Roman collected his payments in difficult-to-trace currency systems like Bitcoin, we don’t have an exact measure of how much money he was making in his cybercriminal career. But we can get a sense from just one of his accounts, with a service called Liberty Reserve, which was later seized by government authorities.
Through this one company — not including any other payment methods or accounts he was using at the same time — he’d earned approximately 17 million dollars. According to his sentencing memorandum, this was all in just three years, between 2010 and 2013 (a large portion of which time, you’ll recall, was spent in the hospital or in a coma).
You start to do the math, and realize that no number of tropical vacations was ever going to make a meaningful dent in Roman’s credit card empire. At the start of July 2014, Roman bragged to a friend about a particularly lavish trip he was taking in the Maldives, a sliver of pretty, tiny islands in the Indian Ocean. “I took the most expensive villa,” he wrote in a chat, referring to his $20,000 villa at the Atmosphere Kanifushi, one of those resorts you only ever see on Instagram. He added: “I have my own manservant.”
Hours from the time of that chat, Norman Barbosa of the U.S. Attorney’s Office received a call while on the road. Quote:
“I didn’t really know what was going on but I got a call as I’m coming into work on July 1st, and it’s an attorney in DC [. . .] and he says to me (as I’m illegally talking on my cell phone in my car): “Hey, we found Roman Seleznev, he’s in the Maldives.”
And I’m like: “Where the hell is the Maldives and who is Roman Seleznev?”
He says: “You’ve got to get on this call right now, we’ve got like 20 people from the State Department, we’ve got people from the DOJ, Secret Service, the embassies in Moscow and Sri Lanka, get on the call, get on the call!””
Extraditions require many steps: you need to apply for and receive the relevant clearances for a foreign operation, coordinate with the country in question, mobilize agents to perform the mission, and coordinate with local authorities in the host country, to say nothing of arranging transportation for all the agents in both countries, and for the target themselves. Between all of that and more, extraditions typically take anywhere from half a year to three years.
Roman was scheduled to fly back home from the Maldives in four days.
The Secret Service had agents in the Maldives on July 3rd, within two days of receiving first notice, despite the 18-hour flight from America. Roman flew from his island to Velana International Airport, where agents presented him with an arrest warrant and took him into custody.
Upon being presented with his arrest warrant, Roman noted to the Secret Service that America had no extradition treaty with the country he was in. He wasn’t dumb, after all: he only ever took lavish vacations in countries without extradition treaties with the U.S. He’d also purchased all his plane tickets last minute — part of the reason why the Secret Service received such short notice this time around — and took other, similar precautions to protect himself, like monitoring legal records on PACER for any mention of his name or aliases.
In fact, the U.S. had technically conducted an “expulsion,” agreed to with the Maldivian government in the days prior. And so Roman Seleznev boarded an all-expenses-paid flight to the land of the free.
Based on the 29 counts against him, Roman faced up to 35 years in federal prison. The final number might have turned out to be a small fraction of that, had he not done everything possible to ruin his case.
Like when he first met with prosecutors in December of 2014, as they tried to get information from him about other criminals in his circle. Records later reflected how Roman obstinately refused to cooperate. Quote:
“Defendant was combative and repeatedly refused to identify others he had conspired with or those he knew were involved in criminal behavior. When asked why he would not name others or provide information regarding others involved in cybercrime, defendant explained that he was withholding that information as bargaining chips.”
After a couple of years, the gamble clearly hadn’t paid off, and Roman changed his tune. The government agreed to meet with him on March 28th and 29th, 2017. Quote:
“Unfortunately, he did not have any particularly useful information. Defendant acknowledged his guilt and that of his co-conspirators on the carding forums. He also identified some of those he conspired with between approximately 2005 and his capture in 2014. Much of the information that he provided, however, was already well known to the Secret Service.”
In case it wasn’t enough that Roman had waited two years to give only useless information, federal agents added one more note. Quote:
“Furthermore, Seleznev made statements that the government believes to be demonstrably false, thereby further undermining the value of any information he provided.”
In monitored phone conversations after his arrest, Roman spoke often with his father, Valery, the politician.
Sometimes they spoke in code. But early on, their open disregard for the legal system was comical. At one point, for example, they plotted how they could influence the prosecution.
“We can just pay them all in advance and that’s it!” Valery told his son.
“It’s what I’m saying. Offer them this,” Roman replied.
Valery was enthusiastic. “Yes,” he seconded, “I’m leaning towards this…I think it’s an option.”
Roman added one more thing: “Just make sure they know the money they’ll get is as much as they’d make in a whole year.”
Together, the elder and younger Seleznevs plotted different strategies, like breaking contact with his lawyers to delay the trial, or feigning sickness. They burned through lawyer after lawyer, after each one in turn recommended taking a plea deal. They came up with theories: that he was set up, either by a super hacker who managed to plant all the damning, fake evidence on his computer, or by the corrupt U.S. government itself. Valery referred to various men he knew who could help in this situation, referring to the so-called “Uncle Andrey option,” and “magicians” and “doctors” who could, quote, “create a miracle called ‘The patient got into the hospital in a wrong way, so he needs to be released from the hospital.’” End quote.
Their most ambitious plan seemed to involve arranging an outside medical visit for Roman’s still serious brain condition; even years after the Morocco attack, he still experienced seizures and other complications. Under that pretext, they would plot the escape. Even after the conversations led to heightened security, his father was unfazed: “What can we discuss? Your escape plan or what?”
For prosecutors, it was a slam dunk case. They put his sentencing recommendation in stark terms, stating that, quote, “simply put, Roman Seleznev has harmed more victims and caused more financial loss than perhaps any other defendant that has appeared before the court. [. . .] This prosecution is unprecedented.”
Indeed, one estimate from investigators places the number of businesses Roman breached at 3,400. That number included such names as Boeing, Chase, Capital One, and Citibank.
But the real victims were the millions of individuals — at least 2.9 million, by prosecutors’ estimates — whose cards were stolen and used by cybercriminals for identity theft and financial crimes. The 3,700 banks and credit unions that supplied those cards estimated the total financial fraud to be around 170 million dollars. Prosecutors made special note that, quote, “In addition to the known losses, there are undoubtedly many more stolen card numbers the government did not identify, and additional fraud on the known cards that was not detected by cardholders or the financial institutions.” End quote.
And then there were the smaller businesses that couldn’t as easily take the punch — the pizza chains, the retail stores, the Houston Zoo, which lost $266,000 it was planning for new enhancements for staff and animal welfare.
At trial, one Washington state business owner recounted the “horrendous” effect Roman’s attack had on his business, and the nervous breakdown he had as a result. Another said that, even six years after the fact, he was still working on paying down the debt accrued from his attack. And Broadway Grill, the one we mentioned earlier? Its owner was forced to, quote, “walk away from the business, shutter the doors, file personal bankruptcy. It was pretty devastating.”
Roman expressed sympathy for his victims in his letter, though it’s difficult to tell if any of it is genuine. “I want to cry for them,” he wrote. “Some of them lost their business because of me.” He went on to mention the degrees he was pursuing from prison, and how he was now taking bible study courses.
Is a three-decade sentence fitting for a man who so obviously lies, cheats, and steals at every opportunity to advance himself, with no honest expression of remorse and no indication that he’d ever quit cybercrime, even after being caught or in the face of life-altering events and injuries? Roman’s last lawyer recognized his client’s situation, but argued to Brian Krebs that, quote, “it’s also a draconian sentence for a person who is very gravely ill. He’s not going to live that long. He’s going to die in jail. I’m certain of that.”
That may end up being true, and, depending on how you look at it, it may also be warranted.
Towards the end of his sympathy letter, Roman finally acknowledged what was coming to him. Quote:
“I made poor choices in my lifetime and I accept responsibility for those choices. I am not perfect and did wrong. There’s nobody or nothing I can blame except me! I did this and now I will answer for my crimes as a man.”
After all the lies, that may be the truest thing he’s ever said.