The opsec blunders that landed a Russian politician's fraudster son in the clink for 27 years
Pro tip from the US DoJ: Don’t reuse passwords
Blowout and back in business
But the following month the Feds – and Seleznev – suffered a serious setback. The Russian was seriously injured in a terrorist attack while holidaying in Morocco, and spent several months in a coma.
A message on Bulba.cc said that services were being slower because “the boss” had had an accident and the number of credit card numbers for sale on the site fell off dramatically. The following year, the site shut down completely.
Seleznev appears to have laid low for a while, but in 2013 reappeared with a website called 2Pac, and from there was again selling large numbers of credit cards. The IP address of 2Pac site was the same as the Bulba.cc address, thus the Feds assumed Seleznev was up to his old tricks.
The government put a warrant out for his arrest and tried to find a way to bring him in. Seleznev owned a house in Bali and would fly there regularly via Korea. However, by the time a deal had been sorted out with the Korean authorities to arrest him in transit, Seleznev had started flying directly.
“On July 1, I got a call as I drove to work from an attorney in Washington, DC,” Norman Barbosa, assistant United States attorney in the US Attorney's Office for the Western District of Washington, told the conference.
“He said that they’d found Roman in Maldives. I was talking illegally while driving at the time but we got into action immediately.”
Within 48 hours, federal agents were in the Maldives and the government there had been persuaded to help the US authorities. While the tiny island state didn’t have a formal extradition agreement with the US, they ejected Seleznev from the country and into the arms of the Feds.
Microsoft to the rescue
Seleznev and his wife had been staying at an exclusive hotel in the Maldives costing $20,000 per week. When he was arrested at the airport, police managed to seize his Windows 8 hybrid laptop, his iPhone, and his passport.
From the intelligence they had gathered, the investigating team knew Seleznev reused passwords, so they tried one he had used recently – Ochtoko123. (Fun fact: Barbosa says that Ochtoko is Russian slang for the anus.) That passphrase was found among the emails lifted from his Yahoo! account.
The password worked, and they got into his laptop and found 1.7 million stolen credit card numbers. They also found legal documents Seleznev had downloaded about his own indictment, a list of the Wi‑Fi hotspots he had used, and his last used application – Tor.
Investigator Harold Chun said that the Windows 8 machine was a goldmine for the case, because it took regular backups for restore points in case of failure, so recorded lots of artifacts, event logs and system keys that were very useful to the Feds. It also helped that Seleznev didn’t use encryption at all.
Seleznev, now in prison in Guam, planned to use Microsoft Windows in his defense. His lawyers found that some files had been altered after Seleznev was arrested, and based their defense on claims that either hackers or the US government had tried to set him up.
However, a forensic study of the laptop showed that the changes were the result of the laptop now being powered down, and were all normal operating system backups. The resulting evidence was enough to get him convicted by a jury who deliberated for less than three hours on the case.
In two years, the Feds say Seleznev cleared over $17m in illicit profits and many of the businesses he hit have since gone out of business. There are two more Federal cases now ongoing against him, so he’s unlikely to be taking any more beach holidays for a while. ®