A DOJ Cybercrime Round Up

Cybersecurity has not suffered from a lack of scrutiny in the national media. But in recent months—as with all things in 2016—we’ve viewed it almost exclusively through the lens of the presidential election and Russia’s alleged attempt at interfering with our political process. But a spate of important cybercrime cases is unfolding at this moment. Below is a round-up of a few cases worth attention.

Roman Seleznev—“Pizza Restaurant Hacker”

The trial of infamous cyber-criminal Roman Seleznev began on Monday in the Western District of Washington. Seleznev, a Russian national, was indicted in March 2011 for bank fraud, wire fraud, and federal computer crimes in connection with the theft of credit card numbers from local pizza parlors and other businesses. Separately, a grand jury in the District of Nevada indicted him in 2012 under the Racketeer Influenced and Corrupt Organizations Act (RICO) for his involvement with a stolen credit card ring on a website called carder.su.

In addition to being one of the Secret Service’s “most significant busts of an alleged hacker dealing in stolen credit card information,” the Seleznev case has garnered significant attention because of the international political intrigue surrounding it. Seleznev’s father, a minister in the Russian Parliament, accused the United States of kidnapping his son in the Maldives — which does not have an extradition treaty with the United States. He even suggested that Seleznev might be used as a bargaining chip in exchange for Edward Snowden. The Department of Justice replied that “Seleznev was arrested by another country at the request of the U.S. and was taken into U.S. custody following his expulsion from that country, which acted under its own laws.”

As for the case itself, Seleznev is alleged to have sold over 140,000 credit card numbers from businesses in Washington and throughout the United States, making over $2 million for himself and resulting in over $170 million in fraudulent purchases. According to the indictment, he first used automated techniques to identify vulnerable computers that processed credit card information at businesses. He then installed malware that would steal credit card numbers and send them to a dedicated server. Seleznev then used online forums to sell the stolen credit cards.

Like the Home Depot and Target attacks, this scheme targeted vulnerable point of sale (POS) computers — the terminals where you actually swipe your card in the store. These POS computers typically link to a “back of the house computer,” which sends the data to the credit card processor (e.g. Visa) for approval. The vulnerability arises when the credit card numbers are not encrypted until reaching the back of the house computer or until they are sent to the card processor. In one instance, for example, the indictment alleges that Seleznev stole over 32,000 unique credit card numbers saved as a text file in a back of the house computer. The malware he installed on a business’s network would also monitor unencrypted communications and automatically send more credit card numbers as they were processed. Seleznev’s defense team plans to raise questions about attribution, i.e. that the government cannot prove that the hacks were done by Seleznev.

The RICO charges in Nevada add an interesting twist. The indictment, which names a number of defendants including Seleznev as part of a stolen credit card criminal organization, marks the Department of Justice’s first attempt to use a “mob busting tool” against an international network of hackers. In December 2013, a jury convicted one of the defendants, agreeing with the government that the website was an organized criminal enterprise under RICO. As of mid-2014, DOJ stated that 25 of the defendants had been convicted. If these cases hold up on appeal, look for the government to make expanded use of RICO in targeting cyber-crime.

Cyber-Criminals Delve Into Securities Fraud

In August 2015, grand juries in the Eastern District of New York and the District of New Jersey returned indictments on nine people for wire fraud conspiracy, wire fraud, securities fraud conspiracy, securities fraud, and money laundering conspiracy. In what the DOJ called “the largest scheme of its kind ever prosecuted,” two of the defendants—Ukrainian nationals Ivan Turchynov and Oleksandr Ieremenko—allegedly hacked into newswire companies and stole not-yet-released press releases of publicly traded companies. They then shared this information with a number of traders throughout the United States, who profited from making favorable trades on this inside information before the press releases were made public. The scheme netted over $30 million.

Within the last year, many of those charged have entered guilty pleas. Four of the traders, father and son Arkadiy and Igor Dubovoy, Leonid Momotok, and Alexander Garkusha pled guilty to conspiracy to commit wire fraud. One of the hackers involved in the scheme who was not named in the indictment but later charged by information, Vadym Iermolovych, pled guilty earlier this month to conspiracy to commit wire fraud, conspiracy to commit computer hacking, and aggravated identity theft. Several of the alleged conspirators are still at large, and one has pled not guilty. With sentencing still to come, stay tuned for further developments.

Evgeny Tarasovich Levitskyy—“Money Mule”

The DOJ recently announced that it had extradited a “major cyber-criminal from the Czech Republic.” Evgeny Tarasovich Levitskyy allegedly stole $500,000 as part of a sophisticated computer fraud scheme that netted over $9 million in 12 hours. The operation targeted RBS WorldPay’s payroll debit card systems, which are used by some companies to pay their employees using an ATM. Once the hackers had access to the network, they raised the account limits and issued counterfeit cards to “mules.” The mules would then physically visit ATMs and use the cards to withdraw money. The government alleges that Levitskyy was a mule responsible for withdrawing almost $500,000. Although the government touts Levitskyy as a “major cyber-criminal,” it is not clear the extent to which Levitskyy was involved in the more complicated technical aspects of the scheme. He is charged with conspiracy to commit bank fraud, bank fraud, conspiracy to commit wire fraud, and wire fraud. As of August 5, 2016, the government has charged 14 people in connection with the heist, including Roman Seleznev. The ring leader, Sergei Nicolaevich Tsurikov, was convicted in 2014 of conspiracy to commit wire fraud and computer intrusion, and was sentenced to 11 years in prison.

Ercan Findikiglu—Mastermind

In March 2016, Ercan Findikiglu, the mastermind of a scheme similar to the one in which Levitskyy participated, pled guilty to computer intrusion conspiracy, access device fraud conspiracy, and effecting transactions with unauthorized access devices. Findikiglu’s organization hacked into debit card processing companies, eliminated withdraw limits on prepaid debit cards, stole PINs, and then used a number of mules to make withdrawals at thousands of ATMs in dozens of countries over the course of three distinct operations. Findikiglu and his associates stole more than $55 million.