Seleznev was convicted of 38 counts related to his scheme to steal credit card numbers to sell on the dark web.
Seleznev was convicted of 38 counts related to his scheme to steal credit card numbers to sell on the dark web.

U.S. authorities threw the book at a Russian hacker accused of causing more than $169 million in losses using point-of-sale (POS) malware, sentencing him to 27 years in prison, one of the longest yet for a hacking offence.

Valeryevich Seleznev, aka Track2, was sentenced April 21 in a U.S. District Court in Washington, for causing financial damage to approximately 3,700 institutions, many of which were small business including restaurants and pizza parlors, according to a DoJ statement.

Seleznev, 32, was convicted on 38 counts related to his scheme to steal credit card numbers to sell on the dark web.

Authorities said between October 2009 and October 2013 Seleznev installed malware which allowed him to steal millions of card numbers from more than 500 U.S. businesses and then send the data to his servers in Russia, the Ukraine and McLean, Virginia. He then reportedly bundled the credit card information into groups and sold the information on various. websites to buyers looking to use them for fraudulent purchases, the DoJ said in the release.

“This investigation, conviction and sentence demonstrates that the United States will bring the full force of the American justice system upon cybercriminals like Seleznev who victimize U.S. citizens and companies from afar,” Acting Assistant Attorney General Kenneth A. Blanco said in the release. “And we will not tolerate the existence of safe havens for these crimes – we will identify cybercriminals from the dark corners of the Internet and bring them to justice.”

Seleznev was taken into custody in July 2014 in the Maldives and was convicted on Aug. 25, 2016, of 10 counts of wire fraud, eight counts of intentional damage to a protected computer, nine counts of obtaining information from a protected computer, nine counts of possession of 15 or more unauthorized access devices and two counts of aggravated identity theft, the release said.

“Unfortunately for Track2, the U.S. Department of Justice has come down strongly and displayed a major statement to cyber criminals around the world,” Thycotic Chief Security Scientist Joseph Carson told SC Media. “When caught, they will throw everything at them and they will in fact be doing prison time. 127 years is the longest prison sentence given to a cyber-criminal yet, even when Barret Brown, known for revealing the Stratfor hack, was facing 45 years in federal prison and was ultimately sentenced to a reduced sentence of 63 months.“

Carson said that with the alleged Russian meddling in the U.S. election, and the increase in cyber-crime against U.S. government agencies, it was only a matter of time before someone felt the full force American justice.

“This may of course be used as leverage given Mr. Seleznev is the son of a Russian MP and we may have not seen the end of this,” he said. “It could be the start of the tit for tat of nation states laws coming down on a number of foreign cybercriminals.”

Other researchers showed less compassion for Track2's circumstances pointing to the damage caused buy his malware.

“The number of consumers and businesses affected by this criminal was very large and the misery he brought was long lasting,” Lieberman Software President Philip Lieberman told SC Media. “The fact that much of the crime on the Internet is carried out by criminals outside of the immediate scope of U.S. law enforcement is both frustrating and expensive to all. “

Lieberman went on to acknowledge that while it's possible the harsh sentence could deter criminals, the reality of the situation is that the shield provided by most governments harboring cybercriminals will keep them from facing any consequences from the U.S. 

“The bigger issue is to get these crimes to stop, or at least decrease, by allowing the net of law enforcement to pull in more criminals off-shore or by providing other means to project U.S. displeasure to other governments that exploit U.S. companies and citizens remotely via the Internet,” he added.

Other researchers felt the sentencing may not have the intended impact.

“Consider it like speeding laws,” AsTech Chief Security Strategist Nathan Wenzler told SC Media. “Everyone knows its wrong and what the speed limits are, but not everyone who speeds gets caught and ticketed. And the benefits to most who break those laws outweigh the potential fines.”

Wenzler said ultimately the low potential risk coupled with high potential gains means you don't really deter people from speeding by giving out some tickets, similar to how hackers may not be deterred from more crimes adding that he doesn't see much change coming after this ruling.

Pablo Garcia, CEO, FFRI North America, Inc agreed telling SC Media that he would like to think the prison sentence will be a good deterrent to black hats, but in many cases they learn from prior mistakes and refine their processes to be more effective.

“The technology providers also need to hold themselves accountable to deter these types of attacks in the future. The sad reality is the cost will eventually be pushed down the average consumer.”