32-year-old Roman Valeryevich Seleznev was sentenced to 27 years in prison for various cyber crimes on Friday.
This is the longest prison sentence the United States has ever handed out for hacking-related charges, surpassing the former record of 20 years. In total, his crimes affected small businesses and financial institutions to the tune of over $169 million in damages.
The Russian hacker has been convicted of a total of 38 computer-related crimes: two counts of aggravated identity theft, eight counts of intentional damage to a protected computer, nine counts of obtaining information from a protected computer, nine counts of possession of 15 or more unauthorized access devices, and 10 counts of wire fraud.
“Today is a bad day for hackers around the world,” said U.S. Attorney Annette L. Hayes in a press release from the Department of Justice. “The notion that the internet is a Wild West where anything goes is a thing of the past. As Mr. Seleznev has now learned, and others should take note, we are working closely with our law enforcement partners around the world to find, apprehend, and bring to justice those who use the internet to steal and destroy our peace of mind. Whether the victims are multi-national banks or small pizza joints, we are all victims when our day-to-day transactions result in millions of dollars ending up in the wrong hands.”
Roman Seleznev is the son of Valery Seleznev, who is part of the lower house of the Russian Parliament. In a letter to a judge earlier this month, Roman pointed to his difficult upbringing as the cause of his life of cyber crime, and asked for leniency in his sentencing.
He said that after a life of poverty and growing up with an alcoholic mother, who died when he was 17, he turned to cyber crime in an attempt to pay his bills.
Seleznev joined a forum called CarderPlanet and used the computer skills he learned after dropping out of college to hack into businesses and steal credit card data.
From 2009 to 2013, Seleznev stole payment card data from over 500 U.S. businesses and 3,700 financial institutions by installing malware on point-of-sale systems. He then sold the data on the dark web under the names Track2, 2pac, and nCuX.
When his laptop was seized in 2014 following his arrest, he had a database of more than 1.7 million stolen credit card numbers.
He was arrested in the Maldives at the request of U.S. authorities, and was flown to Guam where he was eventually extradited.
Over the past few years, law enforcement has had difficulties bringing cyber criminals to justice in the United States, as extradition laws differ across the globe.
After Seleznev's sentencing, his lawyer read aloud a letter very different from the original plea to the judge:
"This decision made by the United States government clearly demonstrates to the entire world that I'm a political prisoner," Seleznev wrote. "I was kidnapped by the U.S. Now they want to send a message to the world using me as a pawn. This message that the U.S. is sending today is not the right way to show Vladimir Putin of Russia, or any government in this world, how justice works in a democracy."
As for the length and severity of his sentencing, Nathan Wenzler, Chief Security Strategist at AsTech, says:
"Will this serve as a deterrent? I don't think so. Consider it like speeding laws. Everyone knows it's wrong and what the speed limits are, but not everyone who speeds gets caught and ticketed. And the benefits to most who break those laws outweigh the potential fines. Low potential risk coupled with high potential gains means you don't really deter people from speeding by giving out some tickets. The same would hold true here. The amount of money to be had from cyber crime is very, very high, and since it's well established that very few hackers of this type actually are caught and prosecuted, I don't see that much will change due to this ruling. It will certainly set some precedent for future cases in terms of the scope of any punishments, but ultimately will not change the minds of any hacker or cybercrime organization from pursuing these kinds of activities."
Seleznev has also been charged in Nevada and Georgia for separate cyber crimes that are still awaiting due process.