WEBVTT

00:00:00.000 --> 00:00:05.600
JACK: A stolen credit card can be worth hundreds of dollars. It’s actual money. When hackers steal

00:00:05.600 --> 00:00:10.320
thousands of them, they don’t have the time or capability to cash out on all these cards

00:00:10.320 --> 00:00:14.160
so they turn to online marketplaces to sell their cache of stolen cards.

00:00:14.160 --> 00:00:17.760
In this episode we’ll track down a hacker who’s stealing credit cards

00:00:17.760 --> 00:00:22.960
and selling them. JACK (INTRO): [INTRO MUSIC]

00:00:22.960 --> 00:00:29.760
These are true stories from the dark side of the internet.

00:00:29.760 --> 00:00:33.680
I’m Jack Rhysider. This is Darknet

00:00:33.680 --> 00:00:49.920
Diaries. [INTRO MUSIC ENDS] JACK:

00:00:49.920 --> 00:00:54.640
Carder’s Market, Carder Planet, Carding World. [DARK MUSIC] In 2007 these were

00:00:54.640 --> 00:00:58.960
the websites you’d go to to buy stolen credit cards. People would join the site. Sometimes

00:00:58.960 --> 00:01:04.640
there’s a registration fee. They’d look at the forum to find posts of things they want to buy

00:01:04.640 --> 00:01:09.200
and then agree to buy some stolen credit cards. But the process isn’t straightforward. Your

00:01:09.200 --> 00:01:13.360
credit card and PayPal are not accepted here. They require too much identifying

00:01:13.360 --> 00:01:19.440
information to process these transactions. It’s too risky. This is very illegal.

00:01:19.440 --> 00:01:24.720
Western Union is doable but it’s not instant and Bitcoin wasn’t around yet in 2007,

00:01:24.720 --> 00:01:30.000
so Liberty Reserve was the best option to transfer money. This is sort of like PayPal but

00:01:30.000 --> 00:01:35.040
they don’t require much identification to make an account. Money can be transferred electronically,

00:01:35.040 --> 00:01:40.000
quickly and easily, and almost anonymously. You send your money to the person selling stolen

00:01:40.000 --> 00:01:45.360
credit cards and tell them what you want, and they’ll send you the credit card dumps. A credit

00:01:45.360 --> 00:01:50.480
card dump is the digital information stored in the credit card like name, expiration date,

00:01:50.480 --> 00:01:55.840
card number, and the bank info. This by itself can sometimes be used to make purchases but some

00:01:55.840 --> 00:02:01.520
people will buy card writers and actually turn a blank credit card into a stolen credit card. Then

00:02:01.520 --> 00:02:06.160
they try to buy things like gift cards at stores to convert the stolen money into something more

00:02:06.160 --> 00:02:11.360
legal. You can buy credit card dumps anywhere from one dollar to $40 each depending on where you live

00:02:11.360 --> 00:02:16.320
and how much info you get with it. But you’ve got to be careful. Some cards you buy might be old,

00:02:16.320 --> 00:02:21.040
expired, or already cancelled due to someone else using it, or it being reported stolen.

00:02:21.040 --> 00:02:25.440
You really need to find a good vendor that you can trust. As you can imagine some vendors are better

00:02:25.440 --> 00:02:30.400
than others. They have a high success rate like 60%, 80%, and they have a big inventory.

00:02:30.400 --> 00:02:34.720
Some have fresher cards that were just stolen yesterday so finding good credit card dump

00:02:34.720 --> 00:02:39.920
vendors is highly sought after. But you know who else is really interested in these vendors?

00:02:39.920 --> 00:02:46.800
The US Secret Service. [MUSIC] The Secret Service has two main objectives. First is to protect the

00:02:46.800 --> 00:02:51.120
president, vice president, their families, and ex-presidents, and their second objective

00:02:51.120 --> 00:02:56.560
is to investigate criminal activity relating to financial and payment industries within the US.

00:02:56.560 --> 00:03:02.080
Secret Service is very tuned into the illegal carding markets. You can bet your bottom dollar

00:03:02.080 --> 00:03:06.720
that they know about every one of them. They’re on there, making accounts, exploring the site,

00:03:06.720 --> 00:03:11.600
watching key players buying credit cards, and taking notes. Because what these carding websites

00:03:11.600 --> 00:03:16.400
are doing is very illegal. Not only is stealing someone’s credit card illegal but then selling

00:03:16.400 --> 00:03:21.520
that is also illegal, and then someone else using the stolen credit card is illegal too. It doesn’t

00:03:21.520 --> 00:03:26.080
matter where in the world they’re doing it from; they’re stealing money from US companies.

00:03:26.080 --> 00:03:30.960
While these carding markets are often operated in other countries, US banks are frequently the ones

00:03:30.960 --> 00:03:36.320
having their customers’ cards get stolen, making US citizens, banks, and shops victims of these

00:03:36.320 --> 00:03:42.240
crimes. The US Secret Service has a mission to find these criminals and bring them to justice.

00:03:42.240 --> 00:03:46.640
The Secret Service went on to one of these sites, CardingWorld.cc, and they started

00:03:46.640 --> 00:03:51.680
looking to see who’s selling dumps. They found one vendor rising up in popularity.

00:03:51.680 --> 00:03:58.160
Their name was nCux. nCux would come up on the forum and go crazy selling dumps. They’d say

00:03:58.160 --> 00:04:04.160
American Express cards: $1; VISA, Mastercard, Discover: $5 per dump, minimum $1,000 order,

00:04:04.160 --> 00:04:09.680
60-80% valid rate. They’d post this frequently on Carding World and a few other forums. The Secret

00:04:09.680 --> 00:04:15.120
Service started to build a case on this person. [MUSIC] They started examining the history of nCux

00:04:15.120 --> 00:04:20.320
by looking at other forum posts and their online activity. The Secret Service started finding a

00:04:20.320 --> 00:04:24.720
lot of clues about this person. They determined nCux is a Russian word

00:04:24.720 --> 00:04:29.360
pronounced ‘seek’ and it means ‘psycho.’ They tracked his username back a few years

00:04:29.360 --> 00:04:34.080
and found they were first selling stolen identities online, things like name, birthday,

00:04:34.080 --> 00:04:40.720
and social. Then in 2005 nCux switched to selling more profitable stuff: credit card dumps.

00:04:40.720 --> 00:04:45.920
Investigators searched more and discovered nCux’s identity. It’s unclear how they found this but

00:04:45.920 --> 00:04:52.160
they discovered his name was Roman Seleznev and he was living in Vladivostok, Russia.

00:04:52.160 --> 00:04:56.480
The Secret Service went to Russia and met with the FSB to see if they can help track him down. The

00:04:56.480 --> 00:05:02.080
FSB was formerly the KGB and they conduct criminal investigations. When the Secret Service met with

00:05:02.080 --> 00:05:07.760
them and started asking about Roman Seleznev, the FSB offered no help at all, like almost

00:05:07.760 --> 00:05:14.720
suspiciously unhelpful, which sent the Secret Service back home. Very soon after that meeting,

00:05:14.720 --> 00:05:20.960
nCux announced one last dump for sale and that they’re quitting the carding world. After that,

00:05:20.960 --> 00:05:26.560
nCux went completely dark. The trail to find him had gone cold.

00:05:26.560 --> 00:05:33.120
A few months after that in April 2010, the owner of CardingWorld.cc was arrested and the servers

00:05:33.120 --> 00:05:38.320
were seized. This gave the Secret Service a few extra clues and more incriminating evidence.

00:05:38.320 --> 00:05:43.040
They found an e-mail address for nCux and some other information. But the FSB and Russian

00:05:43.040 --> 00:05:48.560
government refused to cooperate to help capture him. Even if he was arrested in Russia, there was

00:05:48.560 --> 00:05:54.160
no extradition treaty with the US so there’d be no way to bring him to the US for a trial.

00:05:54.160 --> 00:05:58.480
Around the same time, the Secret Service was watching another illegal carding market called

00:05:58.480 --> 00:06:05.360
Carder.su and out of nowhere a new vendor showed up there named Track2. [MUSIC]

00:06:05.360 --> 00:06:10.400
Their forum post read, “Hi, dear customers. We glad to present our new shop of dumps.

00:06:10.400 --> 00:06:16.160
We selling dumps only stolen by us. This means we are first hands owner.” They were even offering a

00:06:16.160 --> 00:06:21.760
48-hour exchange for new dumps if the one you had was bad. This really caught the attention

00:06:21.760 --> 00:06:26.320
of the Secret Service. Who is this new vendor and where are they stealing cards from?

00:06:26.320 --> 00:06:31.280
But what was really odd is this brand new vendor was marked by the admins as being

00:06:31.280 --> 00:06:38.240
a trusted vendor. This is a hard-to-earn rank on the site and this person had it on day one. Also,

00:06:38.240 --> 00:06:43.600
this Track2 person became the only dump vendor on the site. Other vendors were being removed

00:06:43.600 --> 00:06:48.560
from the site. Something odd was definitely with this Track2 person so the Secret Service

00:06:48.560 --> 00:06:55.280
began watching them very closely. In May of 2010, the same time all this is going on,

00:06:55.280 --> 00:06:59.920
the Secret Service investigator in the state of Washington was sitting at his desk investigating

00:06:59.920 --> 00:07:05.920
a case. His name was Detective Dunn. The phone rang on Detective Dunn’s desk. Schlotzsky’s Deli

00:07:05.920 --> 00:07:10.960
in Coeur d’Alene, Idaho was reporting it had been hacked and he had to go investigate. Detective

00:07:10.960 --> 00:07:15.600
Dunn had previously worked with the Seattle Police Department investigating computer crimes and was

00:07:15.600 --> 00:07:22.160
good at doing digital forensics so he took a trip down to Schlotzsky’s Deli to investigate. [MUSIC]

00:07:22.160 --> 00:07:25.600
He arrived at the deli and on the front counter where the customers order their food

00:07:25.600 --> 00:07:30.400
were two registers next to a soda fountain. These were touch screen displays powering the

00:07:30.400 --> 00:07:36.000
menu software but also handling credit card transactions. As Detective Dunn examined the

00:07:36.000 --> 00:07:40.320
registers closer he found they’re just regular Windows computers running the cash register

00:07:40.320 --> 00:07:46.080
software. He found they both had malware running on them called Kameo with a K. The malware would

00:07:46.080 --> 00:07:50.640
listen for keystrokes made and look for credit cards being swiped and then transmit that data to

00:07:50.640 --> 00:07:56.000
a server in Russia. The detective had determined this malware had been present on the computer for

00:07:56.000 --> 00:08:01.280
six months. He examined the event logs and the internet history and determined that somebody

00:08:01.280 --> 00:08:05.920
had installed this malware by browsing to a website, downloading it, and installing

00:08:05.920 --> 00:08:12.160
it that way. This meant that the malware was put there by someone who had control of that computer.

00:08:12.160 --> 00:08:18.800
Detective Dunn wasn’t sure what that meant and wondered if an employee installed the malware.

00:08:18.800 --> 00:08:24.080
About a month later, a person in Ohio gets arrested for attempting to buy things with stolen

00:08:24.080 --> 00:08:29.040
credit cards. The Secret Service was contacted and were given a forensic image of the computer.

00:08:29.040 --> 00:08:33.040
They looked through the computer and found a bunch of stolen credit cards on it.

00:08:33.040 --> 00:08:40.160
[MUSIC] They ran a report on each of these cards to see if there’s a common purchase point

00:08:40.160 --> 00:08:44.720
because if a lot of these cards have charges in the same physical place, then chances are

00:08:44.720 --> 00:08:50.000
that place might be where the cards got stolen from. The reports came back and there was a common

00:08:50.000 --> 00:08:55.520
purchase point: Schlotzsky’s Deli in Coeur d’Alene, Idaho. The Secret Service contacted

00:08:55.520 --> 00:09:00.560
Detective Dunn, the agent who investigated that Schlotzsky’s Deli hack and gave him a forensic

00:09:00.560 --> 00:09:05.520
image of the PC to see if he could make any connections between the two cases.

00:09:05.520 --> 00:09:11.040
Detective Dunn examined the PC and found credit cards were bought from two different websites,

00:09:11.040 --> 00:09:19.040
Bulba.cc and Track2.name. This was the same Track2 from that Carder.su forum. You know;

00:09:19.040 --> 00:09:24.480
that suspicious trusted vendor? This computer contained ICQ chat logs with someone named

00:09:24.480 --> 00:09:31.120
Track2. This gave the Secret Service the ability to chat with Track2. The detective then started

00:09:31.120 --> 00:09:37.760
looking at these two carding websites, Bulba.cc and Track2.name. First of all, they look identical

00:09:37.760 --> 00:09:42.560
except for two different background colors. The detective started chatting with Track2 over

00:09:42.560 --> 00:09:47.760
ICQ to learn more and he found out that Track2.name was where untrusted customers

00:09:47.760 --> 00:09:53.360
go to buy stolen cards. Then once you’re trusted or you pay a $1,000 registration fee,

00:09:53.360 --> 00:09:59.520
you can then be invited to Bulba.cc, a more elite carder site. The detective determined the websites

00:09:59.520 --> 00:10:04.400
were probably owned by the same person and he logged into the site and looked around. He found

00:10:04.400 --> 00:10:11.040
thousands of credit cards for sale here claiming to be 90% from the US with a 60% valid rate.

00:10:11.040 --> 00:10:16.400
He also found that in order to buy cards here you have to use Liberty Reserve to transfer the money.

00:10:16.400 --> 00:10:20.720
The detective looked at the Whois records for these two websites. Each website in the world

00:10:20.720 --> 00:10:25.040
has to be registered and the registration information is public for anyone to see.

00:10:25.040 --> 00:10:29.200
This information can be faked, though. But the Whois data on the websites

00:10:29.200 --> 00:10:33.840
said they were registered by two different Yahoo e-mail addresses. The detective filed

00:10:33.840 --> 00:10:38.400
a warrant and sent it to Yahoo, the company, so he could see the e-mails for this address.

00:10:38.400 --> 00:10:43.200
See, the FBI and Secret Service can request from Yahoo to view e-mails for certain people if

00:10:43.200 --> 00:10:48.320
a warrant is processed. Then it’ll be reviewed by Yahoo and they’ll supply the e-mails to the feds

00:10:48.320 --> 00:10:52.560
and they won’t even tip off the user, either. But getting a warrant and access to e-mails

00:10:52.560 --> 00:10:57.440
takes a while to process so the detective had to just sit there and wait for it to be

00:10:57.440 --> 00:11:04.320
ready. [MUSIC] While waiting for the warrant to go through, Detective Dunn got a call from the Boeing

00:11:04.320 --> 00:11:10.800
Engineers Credit Union or BECU in Seattle. The BECU was reporting that a number of fraudulent

00:11:10.800 --> 00:11:15.760
charges had shown up on some credit cards with the common purchase point of the Broadway Grill

00:11:15.760 --> 00:11:21.280
right in Capitol Hill in Seattle. Since the detective was in Seattle he drove over

00:11:21.280 --> 00:11:25.360
to the restaurant and started conducting a forensic analysis of the computers there.

00:11:25.360 --> 00:11:30.160
Their cash registers were Windows computers running credit card processing software.

00:11:30.160 --> 00:11:33.440
These computers had the same Kameo malware that the detective found

00:11:33.440 --> 00:11:37.520
on the Schlotzsky’s Deli computers. The malware was slightly different, though. This

00:11:37.520 --> 00:11:42.320
one would grab copies of the cards being processed and stick it into a text file and then send that

00:11:42.320 --> 00:11:48.880
text file to the exact same server in Russia. This text file contained 33,000 credit cards in clear

00:11:48.880 --> 00:11:55.360
text. Detective Dunn was shocked and the Broadway Grill had no idea they had even been hacked.

00:11:55.360 --> 00:12:00.080
The detective did more forensics investigations on the computers and found the malware was installed

00:12:00.080 --> 00:12:05.120
the same way, too: by someone getting access to this computer and browsing to a website,

00:12:05.120 --> 00:12:10.080
downloading it, and installing it. The detective ran a report on the credit cards in the text file

00:12:10.080 --> 00:12:14.560
and the report showed that within a day or two of the cards being stolen they already had fraudulent

00:12:14.560 --> 00:12:20.080
charges on them from around the world. This meant that whoever stole these cards had a way to move

00:12:20.080 --> 00:12:27.120
them quick. About the same time, the warrant for those Yahoo e-mails completed and Detective Dunn

00:12:27.120 --> 00:12:32.880
got a copy of the inbox for the addresses used to register Bulba.cc and Track2.name.

00:12:32.880 --> 00:12:37.200
He found a lot of e-mails for transactions through Liberty Reserve which indicated the

00:12:37.200 --> 00:12:43.200
account numbers this person had there. He also found an e-mail about a PayPal account. PayPal

00:12:43.200 --> 00:12:48.240
does require you to provide a real name and this e-mail said this PayPal account belonged to Roman

00:12:48.240 --> 00:12:55.360
Seleznev. [MUSIC] The same Roman Seleznev that was nCux, the big-time carder the Secret Service

00:12:55.360 --> 00:13:01.280
was tracking years ago but went dark. Now they were able to connect the dots and see that nCux

00:13:01.280 --> 00:13:06.800
and Track2 and Bulba were all the same person. Not only did the names match but the physical

00:13:06.800 --> 00:13:12.160
address matched, the ICQ number matched, the WebMoney accounts matched. Roman didn’t disappear; he

00:13:12.160 --> 00:13:16.640
probably got tipped off by the FSB that the Secret Service were after him and he just changed his

00:13:16.640 --> 00:13:22.640
name. Now the Secret Service was once again hot on the trail to bring down this big-time carder,

00:13:22.640 --> 00:13:28.400
Roman Seleznev. Detective Dunn continued reading through the e-mails he found and

00:13:28.400 --> 00:13:34.480
found one indicating Roman was renting a server from a company called Hop One in Virginia.

00:13:34.480 --> 00:13:39.120
A warrant was issued right away to request a pen trap and a backup copy of the server.

00:13:39.120 --> 00:13:43.040
Hop One complied with this search and provided a copy of the server which was done without

00:13:43.040 --> 00:13:47.680
any disruptions since it was a virtual server. The detective looked at the data on the server.

00:13:47.680 --> 00:13:54.720
First he found there were over 400,000 credit card dumps stored on this server. That’s a lot.

00:13:54.720 --> 00:13:59.920
That alone is worth millions of dollars and it seemed like Roman was selling a lot of these.

00:13:59.920 --> 00:14:04.880
The detective started finding some hacking tools on the server. This server was being used to

00:14:04.880 --> 00:14:11.840
mass-scan the internet looking for computers that have port 3389 open, or Remote Desktop. Windows

00:14:11.840 --> 00:14:16.960
machines have the capability to connect to them remotely. This is called Remote Desktop. The tools

00:14:16.960 --> 00:14:21.520
on the server were actively looking for computers with this service exposed to the internet.

00:14:21.520 --> 00:14:24.960
Then once the scanner found the computer on the internet was running Remote Desktop,

00:14:24.960 --> 00:14:28.480
they would then attempt to brute force login to it by cycling through thousands

00:14:28.480 --> 00:14:33.200
of commonly-used usernames and passwords. Then if the password had been guessed correctly,

00:14:33.200 --> 00:14:38.320
the hacker can access the computer as if they were sitting right in front of it. This is a sloppy,

00:14:38.320 --> 00:14:44.320
noisy, and easy way to hack into computers but it seemed to be working. The reality is that nobody

00:14:44.320 --> 00:14:49.760
should have Remote Desktop exposed to the internet like that yet thousands of computers were which

00:14:49.760 --> 00:14:54.960
might also mean they weren’t using good passwords, either. The detective was able to put the pieces

00:14:54.960 --> 00:14:59.760
together now. Roman would hack into Windows computers that he would find exposed online,

00:14:59.760 --> 00:15:03.040
see if they’re running any kind of credit card processing software and if so,

00:15:03.040 --> 00:15:07.760
he’d install malware on it to scrape the cards off it and then send it to his server.

00:15:07.760 --> 00:15:12.400
It’s actually not that sophisticated of a hack. The detective also issued a pen trap

00:15:12.400 --> 00:15:17.600
on the server. With this he could see the metadata about the traffic going in and out of that server.

00:15:17.600 --> 00:15:22.320
Things like IP addresses, ports, and volume of traffic, but not the full packet capture.

00:15:22.320 --> 00:15:26.720
Upon putting a pen trap on the server they found hundreds of computers around the world

00:15:26.720 --> 00:15:32.720
are connecting to the server and uploading credit card data to it. [MUSIC] He examined what IPs are

00:15:32.720 --> 00:15:38.480
connecting to it and found that most of them are restaurants; places like Grand Central Baking,

00:15:38.480 --> 00:15:45.840
Z Pizza, Jet’s Pizza, Mountain Mike’s, Extreme Pizza, Cosa Mia, and Day’s Jewelers.

00:15:45.840 --> 00:15:50.240
Detective Dunn started visiting any of these places that were local to Washington State

00:15:50.240 --> 00:15:55.600
where he was based out of. First he went to Grand Central Baking right in downtown Seattle.

00:15:55.600 --> 00:16:00.640
Yeah, sure enough, same situation. Similar point of sale software, similar malware,

00:16:00.640 --> 00:16:04.480
logs showed Remote Desktop connection, and then the malware was downloaded.

00:16:04.480 --> 00:16:08.960
The detective also checked out another local Seattle place called Mad Pizza which had

00:16:08.960 --> 00:16:14.480
been communicating to the Hop One server. Both locations he visited had also been hacked. One

00:16:14.480 --> 00:16:19.760
had malware on it for four months, the other, six months. Then the detective drove down to a little

00:16:19.760 --> 00:16:24.960
town called Yelm in Washington to visit Cosa Mia. But he didn’t go for the all-you-can-eat

00:16:24.960 --> 00:16:30.240
spaghetti. Instead he was hungry to see what was on their point-of-sale computers. Once again,

00:16:30.240 --> 00:16:35.520
all the same signs. Remote Desktop enabled on it, malware installed, and it was scraping

00:16:35.520 --> 00:16:41.360
credit cards and sending them to either Ukraine or this Hop One server. At this point Detective Dunn

00:16:41.360 --> 00:16:46.800
had visited five restaurants, all of which had been hacked in the same way presumably by Roman

00:16:46.800 --> 00:16:52.560
Seleznev. They all had the same signs and were communicating to the same servers. Some of these

00:16:52.560 --> 00:16:57.520
restaurants had no clue they were hacked until the Secret Service came to their door.

00:16:57.520 --> 00:17:01.840
Others had been notified by a payment card processor that a theft had occurred.

00:17:01.840 --> 00:17:06.080
The Secret Service had pored through even more e-mails that were in Roman’s inbox.

00:17:06.080 --> 00:17:10.640
They were able to determine his phone number, his Russian address, that he had a wife and a young

00:17:10.640 --> 00:17:15.920
daughter, and even that he had a second house in Indonesia that he would sometimes vacation to.

00:17:15.920 --> 00:17:20.480
At this point the evidence was clear and overwhelming. Roman Seleznev was allegedly hacking

00:17:20.480 --> 00:17:25.200
into hundreds of restaurants and shops around the world, stealing credit cards, and selling them on

00:17:25.200 --> 00:17:33.040
his two websites Bulba.cc and Track2.name. In March 2011, Roman Seleznev was indicted which

00:17:33.040 --> 00:17:36.880
means the Secret Service had enough evidence on him that they were accusing him of doing these

00:17:36.880 --> 00:17:42.000
crimes. But the feds couldn’t catch up with him since he was in Russia and the feds there weren’t

00:17:42.000 --> 00:17:46.640
cooperating with the US. The Secret Service investigated Roman some more and discovered

00:17:46.640 --> 00:17:53.360
his father was Valery Seleznev, a deputy of the Russian Duma which is the Russian parliament. This

00:17:53.360 --> 00:17:59.040
big-time hacker and carder had a father with a lot of political juice that can protect him.

00:17:59.040 --> 00:18:04.400
This explains why Roman went dark right after the Secret Service met with the FSB in Moscow.

00:18:04.400 --> 00:18:18.640
With his father in this position, this was going to make it even harder to catch Roman. [MUSIC]

00:18:18.640 --> 00:18:24.000
The Secret Service continued to monitor the Bulba.cc and Track2.name websites.

00:18:24.000 --> 00:18:30.720
They saw at one point a total of 747,000 credit cards were for sale on the site. Detective Dunn

00:18:30.720 --> 00:18:36.960
bought sixteen of them off the site, specifically for the local credit union BECU so he can analyze

00:18:36.960 --> 00:18:42.320
them closely. Sure enough, this gave him leads to even more local places that may have been hacked.

00:18:42.320 --> 00:18:46.080
The detective monitored the site for the next few weeks to try to see how many cards were

00:18:46.080 --> 00:18:53.120
being bought in a week. It was around 96,000 cards so within a week’s time Roman had brought

00:18:53.120 --> 00:19:00.240
in 2.4 million US dollars. This was a big-time operation.

00:19:00.240 --> 00:19:04.400
The Secret Service was able to track Roman’s whereabouts using two different techniques.

00:19:04.400 --> 00:19:08.640
First, well, they had access to his e-mail so they could see any flight plans he had and all this

00:19:08.640 --> 00:19:14.080
kind of stuff. But second, they found he used the Hop One server to do his personal web browsing on,

00:19:14.080 --> 00:19:18.720
and it was on that server that he would often purchase flights. This also gave the Secret

00:19:18.720 --> 00:19:24.560
Service his passport number. In April 2011, Roman and his wife took a vacation to Marrakech

00:19:24.560 --> 00:19:28.880
in Morocco. The Secret Service had learned he was in Morocco and started trying to figure out

00:19:28.880 --> 00:19:33.120
ways to capture him while he’s there. Roman and his wife went for dinner in the Argana

00:19:33.120 --> 00:19:38.720
Café, a very popular restaurant for tourists in Marrakech. Roman and his wife were at a table

00:19:38.720 --> 00:19:44.720
upstairs overlooking the square. While they’re enjoying their fancy dinner, the unthinkable

00:19:44.720 --> 00:19:55.840
happened. [EXPLOSION, SCREAMING] REPORTER: A massive explosion has ripped

00:19:55.840 --> 00:20:01.280
through a busy café in the Moroccan city of Marrakech, killing at least fifteen people

00:20:01.280 --> 00:20:08.480
and wounding twenty others. The Argana restaurant on Jemaa el-Fnaa Square is popular with tourists.

00:20:08.480 --> 00:20:13.840
Ten foreigners have been confirmed dead. Authorities suspect a suicide bombing after

00:20:13.840 --> 00:20:19.200
nails were found in one of the dead bodies. If proved to be the work of Islamic militants,

00:20:19.200 --> 00:20:24.640
it would be Morocco’s biggest terrorist attack since suicide bombings killed forty-five people

00:20:24.640 --> 00:20:29.200
in Casablanca eight years ago. JACK: The blast ripped the café apart

00:20:29.200 --> 00:20:35.360
all around where Roman was sitting. Shrapnel and parts of the building came down right on his head,

00:20:35.360 --> 00:20:40.880
hitting him hard. He was thrown into the back of an ambulance and taken to the airport where

00:20:40.880 --> 00:20:49.760
he was medevaced all the way back to Russia. [MUSIC] For the next few months no new credit

00:20:49.760 --> 00:20:54.800
card dumps showed up on his websites. Customers started complaining they weren’t getting dumps.

00:20:54.800 --> 00:20:59.840
Someone was replying by saying things like well, the boss is ill. You have to wait. Nine months

00:20:59.840 --> 00:21:08.560
later, both Bulba.cc and Track2.name had shut down completely. Roman Seleznev went dark once again

00:21:08.560 --> 00:21:14.240
and the Secret Service wasn’t sure what his condition was. They thought he’s probably still

00:21:14.240 --> 00:21:19.840
alive and needing time to recover but if he does get better he’ll probably want to spend some time

00:21:19.840 --> 00:21:25.520
in his vacation home in Indonesia. They started getting prepared in case that happened.

00:21:25.520 --> 00:21:28.720
They also saw he likes to travel through South Korea to get there

00:21:28.720 --> 00:21:33.520
so they issued some warrants for him in Korea. But then the Secret Service got a tip saying

00:21:33.520 --> 00:21:38.800
Roman Seleznev has just arrived in Germany. Quickly they started booking plane tickets

00:21:38.800 --> 00:21:42.960
to go there. They were calling up Interpol trying to find someone to help arrest him, but just then

00:21:42.960 --> 00:21:49.120
they found out the passport numbers didn’t match and it was a different Roman Seleznev altogether.

00:21:49.120 --> 00:21:54.000
Roman did go to Indonesia to take short trips but he was buying plane tickets last minute to avoid

00:21:54.000 --> 00:21:59.520
being tracked. He took direct flights and didn’t go through Korea like he normally did. There’s

00:21:59.520 --> 00:22:04.560
no extradition treaty in Indonesia either, so the feds just didn’t have a way to capture him there.

00:22:04.560 --> 00:22:09.280
The Secret Service was getting impatient. They tried to lure him to Australia but that didn’t

00:22:09.280 --> 00:22:16.800
work either. They just had to wait and be patient and watch for him to make some kind of mistake.

00:22:16.800 --> 00:22:21.600
About a year goes by and then another carding site opens up called 2pac.cc.

00:22:21.600 --> 00:22:28.400
[MUSIC] This one had a huge inventory of credit card dumps. One reason for this is because it

00:22:28.400 --> 00:22:33.200
was also a reseller. When the Home Depot and Neiman Marcus were hit with their massive credit

00:22:33.200 --> 00:22:39.040
card breaches, those hackers were selling the dumps on 2pac.cc and getting 50% of the sales.

00:22:39.040 --> 00:22:43.040
Pretty quickly this attracted the attention of the Secret Service who started investigating

00:22:43.040 --> 00:22:50.720
who might be behind 2pac.cc. In May 2013 the Secret Service, Department of Homeland Security,

00:22:50.720 --> 00:22:55.040
and the IRS Criminal Investigation Unit had been fed up with Liberty Reserve and decided

00:22:55.040 --> 00:22:59.360
to shut it down. They arrested the owner and seized the site. This was a Costa Rica

00:22:59.360 --> 00:23:04.080
based company and it was being charged with processing money used for illegal purposes.

00:23:04.080 --> 00:23:08.240
I think it’s illegal to process money if you know the money is being used for

00:23:08.240 --> 00:23:13.040
criminal activities and Liberty Reserve attracted a lot of criminals.

00:23:13.040 --> 00:23:16.480
With the Liberty Reserve site in the hands of the Secret Service, they started going through the

00:23:16.480 --> 00:23:21.360
transactions that were in the database and this gave the Secret Service a lot more information

00:23:21.360 --> 00:23:25.920
about him. They found Roman’s old accounts and added up the transactions and found he had over

00:23:25.920 --> 00:23:31.200
15 million dollars in incoming transactions. They followed the accounts further and noticed some

00:23:31.200 --> 00:23:36.160
were recently active. As they investigated they found information that connected Roman Seleznev

00:23:36.160 --> 00:23:41.920
to be the person behind the 2pac.cc website. These transactions also gave the Secret Service

00:23:41.920 --> 00:23:47.920
more relevant information about Roman like his most recent address and phone numbers.

00:23:47.920 --> 00:23:53.840
On July 1st, 2014, the Secret Service got a tip that Roman was in the Maldives. The problem though

00:23:53.840 --> 00:23:57.680
is that the Maldives doesn’t have an extradition treaty with the US either, so they aren’t

00:23:57.680 --> 00:24:02.240
going to help the US in capturing him. Roman was smart and knew exactly what countries

00:24:02.240 --> 00:24:07.200
he could go to in order to avoid being caught, but the Secret Service spoke to the Maldives police

00:24:07.200 --> 00:24:12.240
and explained how important this case was. The Maldives government agreed that if the

00:24:12.240 --> 00:24:16.400
Secret Service would catch him, they would expel him to allow the Secret Service to

00:24:16.400 --> 00:24:22.800
take him. The Secret Service immediately jumped on a plane and headed to the Maldives. [MUSIC]

00:24:22.800 --> 00:24:27.280
Roman had been taking a high class vacation around the islands and the Secret Service

00:24:27.280 --> 00:24:32.560
was hot on his tail. First he stayed in the nicest room possible in a fancy hotel which

00:24:32.560 --> 00:24:37.920
cost around $20,000 for just a few days. Then he took a small plane to a private

00:24:37.920 --> 00:24:42.560
beach on another island which is where he was. The Secret Service thought he’ll probably come

00:24:42.560 --> 00:24:49.760
back to the International Airport to return to Russia so they waited for him at the airport.

00:24:49.760 --> 00:24:54.720
Two days later Roman, his wife, and his daughter landed in a small plane at the airport and

00:24:54.720 --> 00:24:59.760
tried to switch planes to go to Russia. But the Secret Service caught him just in time.

00:24:59.760 --> 00:25:04.240
They showed him the arrest warrant and placed cuffs on him. Roman reminded the Secret Service

00:25:04.240 --> 00:25:09.520
that the Maldives don’t have an extradition treaty with the US. But the Maldivian police just stood

00:25:09.520 --> 00:25:14.000
there and watched the whole thing happen. The Secret Service threw a jacket over Roman’s wrists

00:25:14.000 --> 00:25:18.560
to hide that he was handcuffed and walked him through the airport. They took the luggage he

00:25:18.560 --> 00:25:25.840
had which contained the following: a Sony Vaio Ultrabook running Windows 8, an iPhone, an iPad,

00:25:25.840 --> 00:25:30.720
a Samsung phone, and his identifications. The Secret Service were able to confirm the

00:25:30.720 --> 00:25:35.440
passport number and address of his identifications and they all matched the same Roman Seleznev

00:25:35.440 --> 00:25:39.680
that they’ve been tracking for all these years. They escorted him to a private jet, leaving his

00:25:39.680 --> 00:25:44.880
wife and daughter behind. The Secret Service took Roman directly to Guam, a US territory,

00:25:44.880 --> 00:25:51.280
and put him right in prison. The Secret Service kept his laptop powered on the whole way back home

00:25:51.280 --> 00:25:56.480
but it was password protected. They explained to Roman the long list of evidence they had gathered

00:25:56.480 --> 00:26:01.680
on him for the last ten years. A news crew caught up with Roman while in prison in Guam.

00:26:01.680 --> 00:26:05.120
Here’s Roman. ROMAN: The Secret Service

00:26:05.120 --> 00:26:15.760
took me from Maldives Republic on private jet to Guam. They tell me I’m arrested and

00:26:15.760 --> 00:26:24.000
I need to go to court. I’m not guilty, no. JACK: Because Roman continued to plead innocent

00:26:24.000 --> 00:26:29.120
the case had to go to trial. Roman was not fully recovered from the bombing incident in Morocco

00:26:29.120 --> 00:26:34.080
and needed daily medicine. After a while in Guam he was taken to Washington State where the Secret

00:26:34.080 --> 00:26:39.120
Service continued to investigate. The Secret Service needed the password to access his laptop.

00:26:39.120 --> 00:26:43.360
They had already been going through his past e-mails and the e-mails had a familiar pattern.

00:26:43.360 --> 00:26:48.800
He frequently used the username smaus1 on many of his accounts. Registering to buy movie tickets

00:26:48.800 --> 00:26:54.720
online, username smaus1; registering to buy flowers online, username smaus1.

00:26:54.720 --> 00:27:01.200
The movie ticket website he registered at had terrible security. Upon registering at this site

00:27:01.200 --> 00:27:06.480
they sent him a welcome e-mail which displayed his username and password in clear

00:27:06.480 --> 00:27:15.040
text. The password he used was ochko123 which is Russian for butthole. This gave the Secret

00:27:15.040 --> 00:27:19.120
Service a username and password to try on Roman’s laptop.

00:27:19.120 --> 00:27:24.560
What do you know, it worked first try. The very first password guess the Secret Service made was

00:27:24.560 --> 00:27:31.200
correct; ochko123. This was a big failure for Roman. To reuse passwords like this and to use

00:27:31.200 --> 00:27:37.200
such a simple one on his personal laptop while being a big carding kingpin? Not a good idea.

00:27:37.200 --> 00:27:41.440
The Secret Service took forensic copies of the laptop and gave it to Roman’s lawyers.

00:27:41.440 --> 00:27:45.840
The first thing the investigators found was that there were 1.7 million credit card

00:27:45.840 --> 00:27:52.000
dumps on his laptop. That’s a lot of stolen credit cards to take with you on vacation

00:27:52.000 --> 00:27:56.560
but Roman’s lawyers looked over the forensic copy and saw something else. They pointed out

00:27:56.560 --> 00:28:02.400
that some of the incriminating files had a Last Modified date that was after his arrest.

00:28:02.400 --> 00:28:06.320
The lawyers were indicating the evidence was planted there by the Secret Service

00:28:06.320 --> 00:28:10.960
but the Secret Service tried to explain that antivirus and normal system processes

00:28:10.960 --> 00:28:16.080
update some of the timestamps while in connected standby, but the lawyers stuck to this as part of

00:28:16.080 --> 00:28:21.280
their case. The Secret Service had to continue to do forensic work to build a case against Roman.

00:28:21.280 --> 00:28:27.040
First they saw that 2pac.cc website had no admin activity since the date of Roman’s arrest.

00:28:27.040 --> 00:28:33.120
Also, some Liberty Reserve e-mails connected Roman to 2pac.cc, too. Then on the laptop they

00:28:33.120 --> 00:28:38.480
found more evidence, things like documents that Roman wrote on how to use stolen credit cards and

00:28:38.480 --> 00:28:43.440
they also found that before Roman would travel he would search for warrants and police reports about

00:28:43.440 --> 00:28:48.400
him to see if he was wanted in the US. He wasn’t just searching for his name either but all his

00:28:48.400 --> 00:28:54.160
aliases and old names like Bulba and nCux. The laptop also had a plain text password file

00:28:54.160 --> 00:29:00.000
which gave the Secret Service access to everything Roman had; the website, the hacking servers,

00:29:00.000 --> 00:29:05.040
and the servers he used to store dumps on. This gave the Secret Service a ton of more evidence.

00:29:05.040 --> 00:29:09.920
Forensics experts investigated the laptop closer and they looked at network logs, users, and system

00:29:09.920 --> 00:29:14.560
activity. They looked at the registry keys and the system resource usage monitor. They found

00:29:14.560 --> 00:29:20.000
the last WiFi connection on the laptop was at that fancy hotel in the Maldives and he was logged into

00:29:20.000 --> 00:29:25.280
the laptop with the username smaus1 and the last application he used was a Tor browser.

00:29:25.280 --> 00:29:30.080
The computer forensics team also tried to see what deleted files they could dig up. Of course

00:29:30.080 --> 00:29:35.280
they checked out the Recycling Bin but they also looked in the slack space. When a file is deleted

00:29:35.280 --> 00:29:39.280
on a computer, it’s not really wiped. The computer just kind of forgets there’s a

00:29:39.280 --> 00:29:42.640
file there and then says that part of the disc is available to write again,

00:29:42.640 --> 00:29:47.360
so if data doesn’t overwrite that part of the disc, then deleted files can still be there.

00:29:47.360 --> 00:29:52.720
That’s what the slack space is. The forensics team took on the grueling task of trying to dredge up any

00:29:52.720 --> 00:29:58.080
deleted files that were in the slack space. This computer was running Windows 8 and had the Volume

00:29:58.080 --> 00:30:03.120
Shadow Copy Service enabled. This takes snapshots of the computer over time to allow the user to

00:30:03.120 --> 00:30:08.240
restore to an older version. Secret Service looked through the Volume Shadow Copy and found the same

00:30:08.240 --> 00:30:13.360
incriminating files proving these files were there before the arrest. The Secret Service also had his

00:30:13.360 --> 00:30:17.600
phones which showed them the phone numbers, locations, and photos of where he was. These

00:30:17.600 --> 00:30:22.640
phones also had logins to his Cloud storage which contained even more sensitive documents.

00:30:22.640 --> 00:30:27.040
Roman continued to plead innocent and demanded he talk to his father who is a member of the Russian

00:30:27.040 --> 00:30:31.680
Parliament. Roman has just gone from a life of luxury and riches to now having nothing.

00:30:31.680 --> 00:30:35.200
He wasn’t happy with this situation at all and needed to make a plan.

00:30:35.200 --> 00:30:39.280
He was able to talk to his father in Russia. The Secret Service listened in on the calls and

00:30:39.280 --> 00:30:44.160
overheard some of their plans to get Roman free. [MUSIC] First Roman’s father, a member of the

00:30:44.160 --> 00:30:49.280
Russian Parliament, tried to use his political juice to get him home but this didn’t work. Then

00:30:49.280 --> 00:30:54.400
the plan was to pay off prosecutors. After all, Roman was worth millions of dollars so they had

00:30:54.400 --> 00:30:58.880
quite a lot to try to spring him out with. Here’s a transcript of the call. His Father: We can just

00:30:58.880 --> 00:31:04.240
pay them all in advance and that’s it. Roman: It is what I’m saying. Offer them this. His Father:

00:31:04.240 --> 00:31:08.560
Yes, I’m leaning towards this. I think this is an option. Roman: Just make sure they know how

00:31:08.560 --> 00:31:12.400
much money they will get right away would be what they’d get in a whole year.

00:31:12.400 --> 00:31:17.120
Later, the prosecutors did get a bribe of around ten million dollars to release him.

00:31:17.120 --> 00:31:22.160
The prosecutors did not accept this and it only added to his case. Then the phone calls between

00:31:22.160 --> 00:31:27.200
him and his dad grew stranger. They would say things like you know that thing we talked about

00:31:27.200 --> 00:31:32.160
that we’re not allowed to talk about? Yeah. It’s not true, okay? Then his father told him

00:31:32.160 --> 00:31:37.440
he was going to visit some doctors and then the doctors will visit Roman soon to explain the rest,

00:31:37.440 --> 00:31:42.320
and something about using Uncle Andre to create a miracle. The Secret Service thought maybe

00:31:42.320 --> 00:31:48.560
this was some kind of code for an escape plan. Around the same time, for some strange reason,

00:31:48.560 --> 00:31:54.480
the prosecutors all started getting banned from entering Russia. Maybe Roman’s father was banning

00:31:54.480 --> 00:31:59.680
them out of spite or something. During this time Roman went through six different lawyers.

00:31:59.680 --> 00:32:03.920
Some were quitting because he was very hard to work with and some Roman was firing because he

00:32:03.920 --> 00:32:08.400
didn’t like what they were suggesting. The lawyers were suggesting he take a plea deal, like give

00:32:08.400 --> 00:32:12.640
the Secret Service some information about carding criminals and work out a deal to do very little

00:32:12.640 --> 00:32:18.320
time. But Roman refused to cooperate with any plea deal and kept trying to find a different way out

00:32:18.320 --> 00:32:24.400
of prison. Roman’s dad was also trying to get him to stall and to give him more time to make a plan,

00:32:24.400 --> 00:32:29.600
suggesting he get sick or fire another lawyer to postpone the trial. After three years of being

00:32:29.600 --> 00:32:35.280
held in prison, his trial day finally came. Roman ran out of ways to stall and delay the trial. He

00:32:35.280 --> 00:32:40.640
was being charged with forty counts of criminal activity and Roman was pleading innocent. His

00:32:40.640 --> 00:32:45.200
lawyers had only two positions to defend him with. First, that the files on his laptop were

00:32:45.200 --> 00:32:49.200
tampered with but the Secret Service was able to prove the files were there in the Volume

00:32:49.200 --> 00:32:53.200
Shadow Copies before the arrest. Second, the defense attorney was saying

00:32:53.200 --> 00:32:57.120
the arrest in the Maldives was illegal and essentially kidnapping,

00:32:57.120 --> 00:33:01.840
accusing the US that this is a retaliation because Russia is harboring Snowden. The

00:33:01.840 --> 00:33:06.720
trial took about one and a half weeks and after the jurors thought it over for about three hours,

00:33:06.720 --> 00:33:13.680
they found Roman Seleznev guilty. [MUSIC] He was found guilty on thirty-eight out of forty counts.

00:33:13.680 --> 00:33:18.560
This included ten counts of wire fraud, nine counts of obtaining information from a protected

00:33:18.560 --> 00:33:24.080
computer, two counts of aggravated identity theft, fifteen counts of possessing unauthorized

00:33:24.080 --> 00:33:28.800
equipment, and eight counts of international damage to protected computers. He was accused

00:33:28.800 --> 00:33:34.560
of hacking into a pizzeria in Duvall, Washington but the jury found him not guilty for doing that.

00:33:34.560 --> 00:33:39.600
At this point Roman finally started to try to get a plea deal worked out but it was too late.

00:33:39.600 --> 00:33:43.840
There are guidelines suggesting how long of a prison sentence a person should get who’s guilty

00:33:43.840 --> 00:33:49.600
of this many crimes. The guidelines were off the charts, suggesting he gets life in prison.

00:33:49.600 --> 00:33:55.600
Roman’s lawyers tried to talk the judge down to not very many years, but because Roman refused

00:33:55.600 --> 00:34:01.760
to cooperate and continuously lied to prosecutors the judge did not see favorably on him and gave

00:34:01.760 --> 00:34:08.960
him twenty-seven years of prison time for his crimes. Roman was thirty-two when he was sentenced

00:34:08.960 --> 00:34:13.840
meaning he’ll get out when he’s almost sixty, missing most of his daughter’s life and half of

00:34:13.840 --> 00:34:18.960
his own. Roman was still recovering from his injuries from the bombing years ago

00:34:18.960 --> 00:34:24.560
and he had to take daily medication for it because it damaged his head. The lawyer thought Roman was

00:34:24.560 --> 00:34:30.480
so sick that twenty-seven years is a life sentence. The lawyer said quote, “He’s not

00:34:30.480 --> 00:34:36.400
going to live that long. He’s going to die in jail. I’m certain of that.” End quote.

00:34:36.400 --> 00:34:41.200
The Secret Service had to go through the 1.7 million credit cards found on Roman’s laptop

00:34:41.200 --> 00:34:47.520
and inform each bank of the theft. Those cards belonged to 3,700 different banks and each of

00:34:47.520 --> 00:34:53.120
them was called. In total the Secret Service counted that Roman had hacked into 400 different

00:34:53.120 --> 00:34:58.960
restaurants and shops to steal credit cards from, many of which were locally-owned businesses.

00:34:58.960 --> 00:35:04.080
Looking through the court transcripts, I see that Roman also hacked into zoos across the US and one

00:35:04.080 --> 00:35:08.880
of them he hacked into and stole credit cards from was the Phoenix Zoo which is crazy to me

00:35:08.880 --> 00:35:14.000
because I’ve actually been there. I tried to look up what Phoenix news outlets covered this hack

00:35:14.000 --> 00:35:19.360
and only one small tech website did. My guess is that the zoo never went public with this breach

00:35:19.360 --> 00:35:23.040
and when the evidence about it came up years later in Roman’s trial, it was

00:35:23.040 --> 00:35:27.920
just too old to be a news story anymore. Now, you might be wondering why so many of these

00:35:27.920 --> 00:35:33.200
small and local businesses had Remote Desktop exposed to the internet. Well, a few of the owners

00:35:33.200 --> 00:35:38.480
came to court to testify. They said they had it open like that because their IT support team

00:35:38.480 --> 00:35:44.000
needed it open to troubleshoot issues. Actually, a lot of these businesses had the same password

00:35:44.000 --> 00:35:48.720
because the same IT support group reused passwords for many of these businesses.

00:35:48.720 --> 00:35:53.120
Each of the victim companies had to spend a lot of money to fix these security issues;

00:35:53.120 --> 00:35:57.920
first they had to remove the malware, then upgrade some equipment like putting a VPN device in place

00:35:57.920 --> 00:36:02.720
so tech support can connect to them securely. But when you incur a credit card breach like this,

00:36:02.720 --> 00:36:07.280
the credit card companies start getting into your business. See, in order to process credit

00:36:07.280 --> 00:36:11.440
cards you must be compliant with the payment card industry, or PCI.

00:36:11.440 --> 00:36:16.480
This is run by VISA and MasterCard and stuff, so the PCI requires audits to be conducted on

00:36:16.480 --> 00:36:21.920
the network also. On top of all that, because they weren’t compliant with PCI, they were fined

00:36:21.920 --> 00:36:30.240
anywhere from $5,000 to $30,000. At a minimum this breach cost each of these small businesses $20,000

00:36:30.240 --> 00:36:36.400
and some much higher. Then to top it all off, if the story got out, customers would stop coming in

00:36:36.400 --> 00:36:42.880
fear of getting their card stolen. The Broadway Grill in Seattle had just changed ownership right

00:36:42.880 --> 00:36:47.840
before this hack and this was a major setback for the new owners. They spent tens of thousands

00:36:47.840 --> 00:36:53.760
of dollars to fix the security issues on their systems. They also felt a big hit from customers

00:36:53.760 --> 00:36:57.760
who were afraid to come use their credit cards there. They suffered a lot of ridicule

00:36:57.760 --> 00:37:03.760
and shaming over this. After being there for 22 years, this hack ultimately caused the Broadway

00:37:03.760 --> 00:37:10.160
Grill to shut down and declare bankruptcy. But wait, there’s more to this story.

00:37:10.160 --> 00:37:14.880
Two other states had indictments for Roman Seleznev and wanted to try him, too.

00:37:14.880 --> 00:37:20.240
Remember how it was really suspicious that Roman, or Track2, was a trusted vendor on Carder.su

00:37:20.240 --> 00:37:25.280
the day he opened an account? Remember when he was the only vendor selling dumps on that site?

00:37:25.280 --> 00:37:29.920
Yeah, some feds in Las Vegas thought this was suspicious enough and accused Roman of being

00:37:29.920 --> 00:37:36.400
the owner of Carder.su. They brought Roman to trial for this. Sure enough, it was true. Roman

00:37:36.400 --> 00:37:41.040
pleaded guilty to these charges which resulted in him having to pay 50 million dollars in

00:37:41.040 --> 00:37:46.080
restitution which was the same amount believed to have been made from selling cards on the website.

00:37:46.080 --> 00:37:50.480
Then once that was over, federal court in Atlanta, Georgia took a shot at Roman, too.

00:37:50.480 --> 00:37:55.920
Federal prosecutors there claimed Roman, along with 14 other people, hacked into RBS Worldpay

00:37:55.920 --> 00:38:01.200
which is a payment processor in Atlanta. In 2008 the hackers got in, stole thousands of

00:38:01.200 --> 00:38:05.440
credit cards, then gave it to fourteen different cashers around the world. These people would write

00:38:05.440 --> 00:38:10.560
the dumps to blank credit cards and then go to ATMs and just go through card after card, taking

00:38:10.560 --> 00:38:15.680
out as much money as they could until the ATM was out of money. Then they move on to the next one.

00:38:15.680 --> 00:38:21.600
Within 12 hours of the breach, the cashers were able to hit 280 cities, cashing out for more than

00:38:21.600 --> 00:38:27.520
nine million dollars total. Roman was accused of stealing two million dollars himself. The

00:38:27.520 --> 00:38:33.040
federal court in Atlanta brought Roman to trial on this and Roman pleaded guilty to this, too. This

00:38:33.040 --> 00:38:39.760
resulted in fourteen more years of prison time and another two million dollars in restitution.

00:38:39.760 --> 00:38:45.120
Today Roman sits in a medium security prison in North Carolina, still recovering from his head

00:38:45.120 --> 00:38:50.480
injury, still dreaming about seeing his family again someday, and probably still wishing he

00:38:50.480 --> 00:38:59.600
was back home in Russia. JACK (OUTRO): [OUTRO MUSIC]

00:38:59.600 --> 00:39:04.160
You’ve been listening to Darknet Diaries. For show notes and links check out darknetdiaries.com.

00:39:04.160 --> 00:39:08.480
Thanks to all the people who have given on Patreon, I now have a bonus episode for people

00:39:08.480 --> 00:39:13.520
there so if you want more of this show, donate on Patreon and I’ll be regularly releasing bonus

00:39:13.520 --> 00:39:19.120
episodes to supporters there. This show is made by me, skid rock, Jack Rhysider.

00:39:19.120 --> 00:39:27.840
Theme music is made by the helmet-wearing Breakmaster Cylinder. See you again in two weeks.
