
A Russian computer criminal has pleaded guilty to helping to perpetrate an ATM fraud scheme in hundreds of cities worldwide.

On 8 September, Roman Valerevich Seleznev, 32, submitted a guilty plea in connection with a hacking attack that targeted RBS Worldpay, a payment processing company.

The hack occurred back in November 2008 when Estonian national Sergei Tšurikov and more than a dozen other individuals gained unauthorized access to the computer network of a Worldpay office that then serviced the Royal Bank of Scotland Group PLC in Atlanta, Georgia. After breaking the encryption algorithm that the payment processing company used to protect customers’ data on payroll debit cards, the attackers got to work by making a withdrawal run at ATMs worldwide. The U.S. Attorney’s Office for the Northern District of Georgia provides additional details about this step:

“Once the encryption on the card processing system was compromised, the hacking ring raised the account limits on compromised accounts to amounts exceeding $1,000,000. The hackers then provided a network of cashers, equipped with 44 counterfeit payroll debit cards, withdrew more than $9 million from over 2,100 ATMs in at least 280 cities worldwide, including cities in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan and Canada. The $9 million loss occurred within a span of less than 12 hours. In addition, the hacking crew obtained access to files containing 45.5 million pre-paid payroll and gift card numbers.”

It’s at this time that Seleznev is believed to have advanced the scheme by cashing out $2,178,349 from ATMs using five compromised debit card numbers.

Roman Seleznev. (Source: SCMagazine)

Tšurikov and another member of the computer criminal group monitored the ATM withdrawals in real-time by abusing their unauthorized access to RBS Worldpay’s network. The attackers then tried to destroy data stored on the network in an attempt to conceal their malicious activity.

But they weren’t successful in that regard. RBS Worldpay discovered the breach and reported it to the authorities. Since then, law enforcement has charged Tšurikov and 13 others in connection with the hack.

Local police arrested Seleznev in the Maldives back in 2014 while he was vacationing with his girlfriend. He subsequently received a prison sentence of 27 years from a federal district court in Seattle for a string of attacks he conducted against U.S. businesses between October 2009 and February 2011.

Seleznev has yet to receive a sentence in connection with the RBS Worldpay hack from a federal Georgia court. Also on 8 September, the computer criminal submitted a separate guilty plea to participating in a racketeering enterprise pursuant to outstanding charges filed in the district of Nevada. He will receive a sentence for that plea on 11 December.
