On the humid morning of July 5, 30-year-old Roman Seleznev was passing through security screening at Male International Airport in the Maldives, about 400 miles southwest of India in the Indian Ocean, when he was asked to step out of the line. Traveling with his partner and her daughter, the muscular, lightly bearded Russian computer whiz was winding up a vacation trip to the island nation that bills itself as “the sunny side of life,” and was hoping to catch a noon jet to Moscow.
Instead, more than a month and five flights later, detoured by a hurricane and slowed by two planes with mechanical trouble, he’d wind up in a Seattle prison, claiming he was kidnapped by U.S. marshals.
He might have a good argument, though he’s unlikely to win it—or any sympathy, for that matter. Seleznev, considered a flight risk, is being held without bail at the Sea-Tac federal detention center, facing trial in Seattle federal court next month for hacking credit card-numbers and reselling them online. The millionaire son of a Russian lawmaker was originally thought to have stolen the data of as many as 200,000 credit-card holders. But investigators, after seizing Seleznev’s laptop following his capture, today put the figure at two million.
Officials say the financial losses also run into the millions. In a letter to the court, businessman Sid Fanarof outlined what Seleznev’s alleged electronic break-in cost in just his five-store California ZPizza chain. Besides a “great deal of distress,” his tab for forensic audits and fines to MasterCard and Visa totaled $50,000, he said. “We also lost many customers who would not trust our credit-card system.”
U.S. prosecutors this month revised their original 29-count grand jury indictment against Seleznev, filed under seal in March 2011 but not revealed until after the July takedown, adding new details and 11 more felony counts, including aggravated identity theft. They also produced an expanded list of U.S. businesses allegedly hacked by Seleznev. From his computer den in Vladivostok, the Russian national would store collections of stolen credit-card numbers—or dumps—on black-market websites known as carding forums, which use servers in the Ukraine, Virginia, and elsewhere to cloak the perps’ identities. Seleznev’s victims include “hundreds” of shops and eateries in western Washington, such as Broadway Grill, Grand Central Baking, and Mad Pizza in Seattle, along with pizza joints in Anacortes, Duvall, and Yelm. The eclectic victim list stretches from Schlotzsky’s Deli in Idaho and the Phoenix Zoo in Arizona to the Latitude Bar and Grill in New York City and Day’s Jewelers in Waterville, Maine.
Seleznev—working with others, prosecutors say—used 22 online aliases, including Track2, 2pac, James Chow, and Boris Grechkin, and sold the pirated number “dumps” using online currency such as Bitcoin, Paymer, and eGold. He even offered crime lessons to his customers at one site, posdumps.com. “This is a tutorial [on] how to buy dumps and use in store (POS) (Make and using fake credit card),” the notice stated. “Here I will explain you how to earn money. From $500 to $50,000 or even $500,000. Remember this is illegal way! Process from start to finish!” The site explained how to use equipment to encode fake credit cards with stolen data, how to obtain card templates, and how to select and purchase dump numbers.
The site also referred customers to another site run by Seleznev, the feds claim: “You can buy dumps in online shop called 2pac.cc,” the referral read; “that’s the only one real shop who is legit and they have dumps from almost all the world countries. More than 1 million of stolen dumps.”
Seleznev was illegally abducted by the Americans, according to Russian officials and court papers. His father, a Russian parliament member, says his son was kidnapped to be used as trade bait for NSA leaker Edward Snowden, who has been granted asylum in Moscow. In a court filing, Seleznev’s attorneys say a Maldivian judge refused to grant the U.S. an arrest warrant (the country has no U.S. extradition treaty), but the marshals took him into custody claiming he’d been expelled by the Maldives’ president. He was put on a private plane and flown to Guam, an American territory, an act similar to the notorious rendition flights first allowed under the Bush administration. Once extradition was granted in Guam, three attempts to fly Seleznev to the U.S. mainland were thwarted by mechanical problems and a rare hurricane around Hawaii, where Seleznev had been moved prior to arriving in Seattle on August 8.
FBI Director James Comey has since made it clear that such “kidnappings” are legal tactics in the war against cyberthieves. “It’s too easy for those criminals to think that ‘I can sit in my basement halfway around the world and steal everything that matters to an American,’ ” he told 60 Minutes two weeks ago. “ ‘And it’s a freebie, because I’m so far away…’ ” Well, he added, the U.S. policy these days is to “lay hands on them if they leave those safe havens, to impose a real cost on them. We want them looking over their shoulders when they’re sitting at a keyboard.”
randerson@seattleweekly.com
Rick Anderson writes about sex, crime, money, and politics, which tend to be the same thing. His latest book is Floating Feet: Irregular Dispatches From the Emerald City.