Ochko123 - How the Feds Caught Russian Mega-Carder Roman Seleznev

Captions
Thank you, folks. Good afternoon. My name is Norman Barbosa. I'm a computer crimes prosecutor from the US Attorney's Office up in Seattle. My co-counsel Harold Chun is a former trial attorney from Main Justice in Washington, DC, and is now with Google; he took the big money after we won this case, and I'm happy to have him here with me. I also have to thank a friend of ours in the audience who supplied the laptop, because as I was coming here yesterday my computer started screaming and immediately had an error that said I'm about to experience a catastrophic failure, and I thought, well, it's either these guys or the FSB, I'm not really sure. I recognize many of you play the game Spot the Fed; we amongst the trial team on this Seleznev case play Spot the FSB Agent. If you see one, let us know.

The original title of this presentation was nixed by our minders. I wanted to go with "Ochko123: Why You Shouldn't Use Butthole123 as the Password to Your Hacking Empire." It doesn't work well. This is a rare opportunity for us in the Department of Justice community to talk at length about the evidence that we develop in a prosecution in a computer crimes case: what actually convinces a jury of attribution, the issue that many of you deal with. What is it that we actually need to present to a jury of 12 people to convince them that this was the man behind the computer? And because he went to trial and we were in a situation where we had to lay out all the evidence in such detail, there is a lot more in the public files than there is in most cases that are resolved by a plea or just don't go to trial. We were really lucky to have the opportunity to try this case, Harold and myself and another attorney from my office, Seth Wilkinson. It was a long investigation, and we didn't indict this case; we didn't investigate this case either. Another Assistant US Attorney from my office who retired before Roman's capture led the investigation. Her name was Kathryn Warma, and she was my mentor in the office, an excellent computer crimes attorney, and she worked it up with an agent who had also left the government before the capture, David Dunn, who I'm sure many of you might know. He's here this week, an excellent investigator who we were lucky enough to work with, and he came back for the trial.

A quick outline of what we're going to do today: I'm going to go through the investigative stage of this case and the capture, and then Harold's going to talk about some of the evidence that we retrieved as a result of Roman's arrest, the forensic challenges that came up during trial, and how we dealt with those.

So, a little overview of Mr. Seleznev. He was one of the world's largest traffickers in stolen credit cards between approximately 2005 and his capture in 2014. Before he was captured he had been indicted in three different federal courts for a variety of computer crimes. He's a Russian national; he had homes in Vladivostok and Moscow, as well as Bali, Indonesia, and between 2011 and when we finally got him in 2014 we made several attempts to capture him without success. His political ties and his father's position in the Russian government were a significant issue in the case and can't be ignored. There was a lot of tension between our governments as a result of his capture in the Maldives in 2014. Unfortunately, as a result of that, myself and the rest of the trial team were blacklisted by the Russian government and are no longer allowed to travel there. Hopefully those tensions will resolve at some point; I'd like to go to Russia again someday. I actually studied Russian language in Moscow, but at the moment none of us can go there. He made a lot of money as a result of this scheme, which also was a driving factor, I think, in some of his efforts to frankly obstruct justice during the course of this trial, so he had a very well-financed defense team.

His history as a carder on the internet really breaks down into three chapters, and these chapters trace the different online identities he used, the nicks that he used in the carding forums and in his sales across the internet between 2002 and when we captured him. He went through three different periods as a hacker: his first as nCuX; he then moved into using the identity Track2; and finally 2Pac before he was arrested. His nCuX identity he began establishing as early as 2009; he showed up on a variety of carding forums, including this one here that you see a quick snippet of, from Carding World. This is a post from 2009, but he had been on several carding forums and other hacking forums since 2002, largely involved in trading in stolen identity information, not credit cards but full identities: names, dates of birth, social security numbers. By 2005 he'd picked up on the fact that credit cards were a very valuable and easy way to monetize hacking, and he got into credit card hacking and the sale of credit cards pretty heavily. That resulted in him getting on the radar of the Secret Service Cyber Intelligence Section in DC. They began following him on the internet, noticing that he had become a big player, and collecting information about who this might be, who might be nCuX. And I keep using that name, nCuX; it actually transliterates in Russian to "psikh," or psycho, which was a nickname that many of his friends had given him because he was a bit of a hothead. So Secret Service CIS is following him since 2005. By 2009 they had developed quite a bit of information just based on open-source trolling of the internet, digging, good old-fashioned detective work, and they had come to the conclusion that he was probably Roman Seleznev of Vladivostok. They approached the FSB in 2009 along with the FBI and had a meeting in Moscow where they shared a great deal of information about their investigation, including their belief that the suspect known as Psikh was probably Roman Seleznev. Unfortunately, approximately a month later, Psikh completely disappeared from the internet. He closed all of his accounts; he made this post, as well as several others on the carding forums, that he was retiring and going out of business forever, kind of putting the Secret Service investigation back a step and causing them to rethink how they would go about seeking international cooperation on the case.

Obviously he hadn't actually retired. He had just begun establishing his newest empire and his newest identities, Track2 and Bulba, which he used between 2009 and 2012. This post here, on the carding forum Carder.su from September of 2009, is one of the first posts he put up as Track2. In fact this is from the very day that he joined Carder.su, and it was significant to the Secret Service because the first day he shows up on this carding forum, which was one of the largest at the time, he's immediately listed as a trusted vendor of dumps, which is in the upper left-hand corner of that post on this slide. What that told the Secret Service was, well, this isn't just some brand-new hacker, some brand-new carder that has a small stash of credit cards; this is somebody who already must have some kind of reputation in the background of the carding community. You don't just come on to Carder.su on day one and get listed as a trusted vendor of dumps. And in fact he was actually given a monopoly on Carder.su for some time, where the administrators of the forum would kick off other carders who offered their wares for sale. So CIS realizes this is probably a big player; this is somebody they're going to immediately put on their radar, and by May of 2010 they had opened up an investigation and were looking pretty hard at Track2.

About the exact same time, Detective David Dunn in Seattle, who was a member of our local e-crimes task force, is called to an intrusion at a Schlotzsky's Deli in Coeur d'Alene, Idaho, up in the Panhandle. When he goes out there he images the computers, images their point-of-sale systems, and he grabs RAM, and he immediately finds that Schlotzsky's is beaconing out to a Russian IP address. He starts putting together that case; there's not a whole lot to go on. A couple of weeks later, maybe a month or so later, a large volume of cards that had traced back by common point of purchase analysis to this Schlotzsky's intrusion were found on a suspect's computer in Idaho, and Secret Service contacts Detective Dunn. They knew that he was involved in the Schlotzsky's investigation and said, hey, you know, we've got something, we have an image of this guy's computer, you want to take a look at it? Detective Dunn looks into that computer, and on that suspect's computer he found that the suspect had been browsing these two websites, track2.name and bulba.cc, and had been chatting with somebody with the nick Track2 who told him, hey, my site track2.name is closed, but my reseller bulba.cc is somewhere you can get the numbers. So Detective Dunn looks at these sites, and what do you think? They definitely appear to be the same guy, and he decides, you know, I'm going to look into these sites; let's see what we can find about who is running these two vending sites. His goal was to look into the domain registrations, just basic internet research: find the emails that were used to register those domains, search any US-based email accounts that might have been involved in it, and see what he could find. The Eastern District of Virginia begins supporting the case in conjunction with Main Justice and Secret Service CIS, and they began obtaining warrants in September of 2010. While Detective Dunn is waiting for those warrant returns, which often takes quite a while, this is not a process that happens overnight, he's probably waiting weeks for the warrant returns to come back from the various email providers, and as he's waiting there's another intrusion in his backyard.

This is a photograph of the Broadway Grill, which was a restaurant that had run on Capitol Hill in Seattle for many, many years. Detective Dunn gets a call from a bank investigator in the Seattle area. He says, we just noticed a huge spike in fraud coming back to Broadway Grill; I think you've got to go out there. He goes out, and right off the bat, he and another detective, as they're examining the image of their point-of-sale system, find that their computers had been configured very poorly and unfortunately had 32,000 credit card numbers stored in plain text that had gone out to the same IP address that he'd seen at Schlotzsky's Deli. As he dug a little further, he found that whoever had planted the malware on Broadway Grill had manually browsed to his malware server by typing in an address that corresponded with the same IP address that he'd seen at Schlotzsky's Deli. So he realizes, well, now I've got a case in my backyard. I'm going to open up a case in the Western District of Washington, and I no longer have to travel to Virginia or Idaho to deal with my process, which is pretty fortunate for our office, because at that point the case really sped up. He's pulling the WHOIS records for the vending sites, searching the Yahoo registrant email accounts, and as he's going through the Yahoo email accounts he finds some leads to a server in McLean, Virginia. In the original intrusion that kicked us off, the Schlotzsky's Deli intrusion, the numbers were being sent off to a server in Russia, but as he's looking at the Yahoo accounts he finds that, right as his investigation is going on, the suspect running those Yahoo accounts had bought a server at HopOne Servers in McLean, Virginia, which was a huge break in his case. He was able to get a pen trap on that server. A pen trap is a legal process that allows us to examine the connections coming in and out; it doesn't allow us to examine content, but it gives us the IPs that are coming in and the IPs that are going out, as well as some other data: port numbers, volume of data. And he sees that this server is connecting to hundreds of computers all over the country, and he quickly realizes many of them are restaurants. As he begins to research more of those IP addresses, he sees a pattern that almost every one of these IPs that is connecting to the HopOne server is a restaurant that appears to be running a similar point-of-sale system, and as a result of that he starts identifying dozens of victims all over the country.

In addition, he begins pulling apart some of the malware. This is some of the forensic evidence that Detective Dunn had pulled off of the Schlotzsky's Deli system, another victim, Grand Central Bakery, and Broadway Grill, that shows some of the connections, including these IPs and the manually entered malware server that I had talked about earlier. This evidence helped him put together the infrastructure of Roman's entire hacking empire. It's not a terribly complicated one; this isn't a botnet with all kinds of multiple layers of stuff. This was pretty basic. You've got Roman sitting up in the upper left-hand corner. Detective Dunn had found a number of his hacking tools on the HopOne server that showed that he was just doing some basic port scanning looking for open RDP connections. Whenever he found one he'd hit it with a brute-force password attack, or the password that he'd figured out that all of them were using at the same time, and get into the victim's POS system and start siphoning off numbers to one of his three collection servers, which were the HopOne server, the Ukraine server, and the Shmak and Smaus server. The search of the HopOne server ultimately led to the discovery of hundreds of files. We found approximately 400,000 credit card numbers on that computer, and they were all stored very conveniently for us by the IP number of the victim that had sent them. Roman had configured his malware to post them automatically and create a file named by the IP address of the victim, and so we were able to quickly identify the victims and start getting out notifications and collecting more evidence.

As he went through the email accounts, this is where the case really broke open and we got to some strong evidence of attribution. This is one of the first emails that Detective Dunn found tied to Roman's infrastructure. This is from an account that we called the rubensamvelich account. If I go back to our infrastructure slide, you'll see that that was an email account that was used to register his Track2 vending site, and in that email account he found that Roman had at least once made the mistake of using it for some of his personal business, opening up a PayPal account, unfortunately for him another American business that we were able to serve legal process upon and get copies of his records. You'll see there's a home address listed in the bottom right-hand corner of that, Ostryakova 25, kv. 113; that was his home address that was later found in his passport at the time of his arrest. The second account that we'd found, which had been used for many years, is another error in Roman's operational security. He'd used this account, bookscafe@yahoo.com, since as early as 2006. It was tied to not just his Track2 infrastructure, but it went back many, many years through his days as nCuX, and we found a number of things tracing back to him, including a flower order that he had placed for his wife in his own name, with a phone number that showed up in other records tied to him, with a message to her that said, "You are the most beautiful, but little Eva is more beautiful in all." His daughter's name is Eva, which was also in his passport at the time of his arrest. We also found an order he had placed with a Russian internet store, again sent to an address that was one of his addresses in Vladivostok. And finally we found a great deal of attribution evidence on the HopOne server itself. In addition to using that to collect the stolen credit card numbers, post malware, and host some of his hacking tools, he would often do his private internet browsing on it and make his travel reservations, and we found this very convenient cached order for a ticket with his full passport number on it, which again matched the passport that was found on him at the time he was arrested, and this was for a trip to Indonesia, where he had a second home.

So the Secret Service is putting this all together, locking down the evidence of attribution. The Cyber Intelligence agents that were on the case and helping out Detective Dunn began combing through other evidence that they still had in their files from other cases, and this is one of the more interesting things I learned as I was going about this investigation. I think it really illustrates how so many of these cases are intertwined and many of these players over the years know each other and work with each other. This chat is from an investigation in the Eastern District of New York. The chat is from 2007, but that investigation had started, I believe, as early as 2002 or 2003, involving the CarderPlanet case, a very successful prosecution out of New York. Mr. Carranza, Cesar Carranza, was just one of many subjects that were prosecuted there; he was prosecuted for money laundering, and on his computer that the Secret Service had was a chat between him and nCuX-111, in which nCuX-111, not exercising any operational security at all, gives his full name and address as well as a couple of emails that tied to many of his carding forum registrations, which was another helpful exhibit further confirming his identity.

So with all that evidence in hand, Detective Dunn and AUSA Warma went to the grand jury and obtained an indictment in 2011, charging him with a number of counts of bank fraud, computer crimes, possession of stolen access devices, trafficking in access devices, a very thorough indictment, and they began looking for him. Unfortunately, very shortly after Roman was indicted, he was injured in a serious terrorist attack in Morocco. This is the Café Argana in Morocco. Roman and his wife were sitting on the second floor there, where most of the bomb damage was done, and he was medevacked back to Moscow in pretty serious condition. He was in a coma for a couple of months and went through a number of surgeries. As this was going on, Detective Dunn continued to monitor his website, bulba.cc; he had a number of communications with him, trying to get further confirmation that Roman was in fact the hacker behind these, and he saw that bulba.cc no longer had as many numbers available. Somebody running the site for him would post things such as, sorry, the boss has been in an accident, you've got to hold on, you've got to wait, and eventually the shop closed, in approximately, I think it was, January of 2012, when bulba.cc closed. Detective Dunn and AUSA Warma, however, continued their efforts to find him. They had noticed that records showed that he often flew through Korea to get to his house in Indonesia. Hopeful that he might, after he recovered, return to his vacation home in Indonesia, they worked with Korean authorities to obtain a warrant from there. The goal was hopefully to get him arrested in Korea and then extradite him to the United States. Unfortunately, he ended up getting direct flights to Indonesia after that. They had a false hit on a name similar to his in Germany, a whole fire drill working up Interpol, and then at the last second, wait, no, that's the wrong guy, so Germany didn't work. There were some efforts to try and see if we could get him to go to Australia, if we could possibly extradite him from there, and efforts to get him out of Indonesia, none of which ultimately came to fruition. All the while, you might be asking, well, why didn't we ask Russia to extradite him? Unfortunately, Russia will not extradite their citizens, and as you'd seen earlier, we didn't have a great history of cooperation on the case with them.

In the meantime, Roman is starting up a new empire. This is an ad from the last vending site that he was running, 2pac.cc, and this is actually the ad that was on his desktop; it's probably beaconing out to the Russians right now. That site had a huge volume of stolen credit cards and again got immediately onto the radar of the Cyber Intelligence Section because of the volume, as well as because of the source of those credit cards he was vending. He'd become not just a vendor of his own exploits; he wasn't just selling the cards that he had hacked. He was so well respected that many of the biggest credit card hackers in the world were coming to him to resell their cards. He had cards from Home Depot, Neiman Marcus, Target, and a ton of other hacks, and he advertised on the carding forums as somebody you'd come to with your dumps and he'd get the best prices for them. Many of the chats that we ultimately seized on his computer showed just his business dealings as he worked through that. He was doing very, very well. These are some photographs we found on his computer: a lot of tropical vacations, some pretty nice cars. He was traveling primarily to the Maldives and Indonesia, with a few trips to China, just enjoying his time and enjoying the proceeds of his hacking empire, until he ended up here. That is the Hagåtña detention facility in Guam.

So where did we find him? This is the Maldives. My first involvement in this case was around July 1st or 2nd, 2014. Kathryn Warma had put me as the secondary on the process for him, but I didn't really know what was going on. I get a call as I'm coming into work on July 1st or 2nd, and it's an attorney in DC, one of the supervisors in Harold's office, and he says to me, as I'm illegally talking on my cell phone in my car, hey, we found Roman Seleznev, he's in the Maldives. And I'm like, where the hell is the Maldives, and who is Roman Seleznev? He says, you've got to get on this call right now, we've got like 20 people from the State Department, we've got people from DOJ, Secret Service, the embassies in Moscow and Sri Lanka, get on the call, get on the call. All right, whatever, we'll see what's going on. This was an incredible operation to be a part of. Your typical extradition in any given case can take anywhere from six months to three or four years, depending on the country you're dealing with. We learned about Roman's vacation in the Maldives July 1st. Secret Service agents were on the ground in the Maldives July 3rd, and on July 5th, in a three-hour period of time, Roman landed at the main airport from his private beach vacation, agents with the help of the Maldivian government confronted him at the airport, showed him the arrest warrant, put him on a private jet, and he was on his way to Guam in about three hours. It was a very, very successful operation, an incredible example of helpful international cooperation in a tricky situation. We do not have an extradition treaty with the Maldives, but based on a formal request from our government, where we emphasized the importance of this case and the significance of this player, they agreed to cooperate and handed him over to Secret Service agents. So we had him in custody on US soil by July 6. It took a little bit longer to get him into Seattle; he fought for a while in Guam. I'm not really sure why, because that was a nasty-looking prison in Guam, but ultimately he had his initial appearance in August. So I'm going to turn it over to Harold at this point; he's going to talk about some of the trial challenges we had.

So not only was it a great thing that he was arrested, but you know what comes with an arrest: there's a lot of evidence, typically, and that was very true of this case. When he was arrested, law enforcement was able to grab his laptop, his iPhone, his passport, his travel documents, and what these things did was confirm all of the attribution that had been gleaned throughout the investigation, year after year, in his emails, from the servers, and such. And you can see what occurs is you're able to then start matching things up. So where you had his email accounts and you saw things like nCuX, Smaus, Ochko repeatedly in various emails, it's just a pattern he used for his infrastructure of crime; you saw it over and over: Smaus, Shmak, Ochko. So what does law enforcement do when they sit down with the laptop and they're like, oh god, how do you get into this thing? Well, why don't we type that in: Ochko123. And what do you know, they nailed it. The case agent wanted me to say that it was his very first guess. Hence the slide: why you shouldn't use Ochko123 as the password to your hacking empire. I think Norm touched on it earlier, but ochko in Russian means butthole. And on that computer, what law enforcement was able to find was 1.7 million credit card numbers. There's not much to say when you have 1.7 million credit card numbers with you when you're on vacation. This made the case more or less a slam dunk. It's really funny: this slide initially, when we gave it to law enforcement, had a whole bunch of credit card numbers; it was an exhibit from trial, and we're like, we can't show that to this audience, somebody's going to go plug all of those in. Edited for Black Hat.

What else was on his laptop? We found web pages he had set up, and like many of you in this room, he was also a marketer, and what he was trying to do was teach people how to use stolen credit card numbers. So he had set up a site that taught whoever went to it; very much, right there in the middle, or on top, it says this is a tutorial: how to buy dumps and use in store, making and using fake credit cards. And he wasn't scared or nervous about someone knowing that this is illegal; he actually put it right there, this is the illegal way, and he laid it out step by step, because this was marketing for him. He knew if he could teach people that you could buy an MSR206, you could buy dumps from his website, you could then start coding them onto plastic cards and start using them in stores, this was how he was building his empire. You know what else was on that laptop? PACER records. I'm going to guess many of you are familiar with PACER. PACER is the court docketing system for federal courthouses everywhere in the United States, and it's where indictments would be found, search warrant motions, things of that sort. So usually lawyers sign up for it so that they can get their court documents. Well, Roman was clever: before he traveled, he ran PACER searches from an account he had himself, looking for his identity, his name, his nicknames. The downside is, when that's found on your laptop after law enforcement arrests you, it becomes pretty obvious who you were. And you can see there in those boxes he wasn't just looking for his own name, but he actually tied it back to his old aliases from years ago, like Bulba. So now you ask: laptop, 1.7 million credit cards, lots of evidence on there; why in the world would he go to trial? It's a great question, and he had a strategy. First, there is a general political thought: his father had some juice, and so perhaps they could put pressure on the United States to just give him over. So there are jail conversations about that, and when that didn't work, then there is other talk, one of them, hey, what about we bribe the prosecutor? Here's a little snippet from a jail call. His father says, "We can just pay them all in advance and that's it." Roman says, "It is what I'm saying, offer them this." Dad: "Yes, I am leaning towards this, I think it's an option." Roman: "Just to make sure they know how much money they will get right away, as they would get in a whole year." Now, later we heard that that number was about 10 million dollars. I don't know who he thinks we work for, but we don't get paid that. But you know what else this does? If there's talk about bribing a prosecutor, you know what, it makes it really hard for a prosecutor to plea a case out, right? Everything you do is now being scrutinized at that moment. Yeah, what else? There is talk on these jail calls about very strange things in code, and the codes all talked about an Uncle Andre, trips to the hospital, magic potions, and sorcerers, fishing expeditions; there are very odd things in these calls. I might have made some of that up right now. And it came to, now we actually are able to identify Uncle Andre, so this we called the Uncle Andre option: get out of jail. If you see him here at Black Hat or DEF CON this week, please tell security; we'd like to know. And then lastly they decided, hey, we'll put on a defense, and what's the defense going to be? They're going to try to say, I've been framed by somebody, whether that be the US government or another hacker out in the world. And so that was the defense they took at trial: that a hacker had planted all this evidence on his laptop, or the government planted all this evidence on his laptop. And he had one thing to hang his hat on, and that is that there are thousands of files on his laptop that had a modified file date that was after his arrest. What had occurred, and why that was true, is because when he was arrested in the Maldives and they took his laptop back from him, they never turned it off, and it was a new Windows 8 laptop that was basically like a tablet hybrid, and it was in connected standby, and so the operating system was on in the background. Antivirus would, every once in a while, wake it up to make a check and do various things, and that caused file modified date changes, as well as access date changes, and that was the defense.

So what did we do at trial in response? We called in our forensic experts and said, hey, you need to tell us what on this laptop proves that that theory is bunk. And our forensic experts came out with the theory of: we're going to look at network logs, we're going to look at the users on the computer, and we're going to look at system activity to figure out who was on this computer last. And for the black hats out there, this is how the feds are going to try to catch you; take note. So he was running a Windows machine, and Windows just naturally has lots of artifacts. It's got things like registry keys, event logs, something called the System Resource Usage Monitor, known as SRUM in the forensic world; there's a USN journal that basically logs activity throughout the use of a computer; and then shadow volume copies. Windows is constantly creating Windows restore points so that if something goes wrong you can go back to it. Well, forensics can also go back to it as well, to pull files out from it. And so what were they able to show? Well, the first thing, go back to network connections: forensics showed that Kanifushi was the last wireless network that this computer connected to, and it gave a rough date of connecting initially on Saturday, June 21st, and last disconnecting on or around July 3rd. Well, what is Kanifushi? Kanifushi was the name of the resort he was staying at in the Maldives, and I just want to point out the life of a hacker definitely pays well, because that was a $20,000 stay at that hotel. There is the other receipt; he was doing well for himself. What else did they look at after network? So this laptop actually had cellular capability, so they looked at what SIM card was in there, and the forensics showed that the last connection was MegaFon Russia, a cellular connection from Russia. What else did they look at? They looked at event logs, and similarly the event log showed that the Kanifushi network was the last one connected to, and there were numerous event logs, and so we've edited here, but at trial we basically had forensic artifact after artifact showing these things in numerous places on his computer. And then we went to the security event log to start looking at who's the last actual user to sit at this computer and type on it, and what you saw was it wasn't some remote connection like somebody connecting from the internet; no, it was a login from a user, Smaus, which was the original user on this laptop set up by Roman Seleznev. What else could you see? You can see through SRUM, which is recording all of the activity on this computer, the last actual program to be run by a person, and we know it's an individual and not the operating system based on that user ID; you can see it there as S-1-5, etc., a long number. Going back a slide, you actually see it right there above in the security ID; those two line up, saying that's the actual user. And what was the last activity? It was a Tor browser; that was the actual last activity. And then if you looked at pages after pages of this SRUM, what you saw was no longer user activity, but even the last three rows there, the S-1-5-18, was the operating system itself; it was just automatic features on Windows running, never any human intervention, and that's what the forensics showed.

Here is where else exhibits were found from; I can just go through these generally. Law enforcement for this case, we looked at deleted files, so searching slack space for things he had deleted, archived evidence. I talked again about the shadow volume copies; for all of our trial exhibits absent one, I believe, we were able to actually go into the shadow volume copy and extract the entire exhibit, the entire file, which had an earlier date stamp on it, showing that that was actually on the computer well before his arrest, showing that it was there when he was using the computer. And then where else is law enforcement looking? Where we found a lot of evidence here, which we didn't talk about much: in the cloud, on his phone. He had photographs, he had backup documents, he had his passport; everything was saved in numerous places, tying him together to his laptop, his external infrastructure, and to items he had on him like his passport. And so what did that end in? Well, that's him, in a great shirt, convicted in really a matter of a few hours by a Seattle jury of 38 counts. And so that was the case of Roman Seleznev, and we'd like to open it up to questions if there are questions here. If people could use the microphones when you're asking a question, I'll repeat this one. The question is that the Maldives doesn't have an extradition treaty, and that's correct, it was not
an extradition this was an expulsion the mall we asked the Maldivian government if they would expel him into our custody on the basis of a US arrest warrant and indictment and they said yes we didn't ask Indonesia ultimately we decided not to there's a question of the mic over there were there any encryption hurdles that you had to overcome encrypted file system anything that you guys could share on that there was not there actually wasn't encryption that was an issue here blessin you should encrypt devices do you mind step into the microphone if you can so go ahead and say the question I'll repeat it for you yeah was he given Hughes only one person obviously this is the whole empire was anything more that was done other than just the one guy because I mean this is just didn't die with him and is honestly there's a lot of political component of this thing involved this is a lot of other people because you saw the other people responding to it did to stop here or did you continue the obviously you could say we did so let's put it this way well we can't we can't comment on open investigations are ongoing investigations but I'm still employed crime has not gone away I have job security and I will continue to work on this problem I would say also the a lot of this criminal activity though was done by him right I mean that's your questions did he have a huge team he was very much the central figure to this yes sir so a couple of catastrophic operational security failures by this guy seem to make your jobs a lot easier I'm thinking particularly reference to the alphabet case like just a few weeks ago of another catastrophic operational security failure of you know having your personal hotmail address in the head for your you know password reset for alpha Bay so I mean there seems to be a bit of a trend here have you noticed any more any more of a shift towards better operational security by these actors especially for these big players with sophisticated models yes I 
think that's true I think operational security gets better and better this case is you know fairly dated for this criminal activity and I would say yes operational security generally is better today I do think though the the hard part of a ongoing hacking Empire however is keeping yourself your online profile and your actual self separate completely you know your VPN fails sometimes sometimes you have an IP weak sometimes mistakes just happen on your on your hardware and if law enforcement sees that one mistakes it's something to run on a related question how difficult do you think it would have been to convict him if you guys weren't able to crack or guess the password do you feel like with evidence he collected prior to the accident that would have been enough to convict him I think we still would have convicted him with the evidence prior to the arrest and may have been a few more hours of deliberation but it was it was already very very strong evidence and we indicted it without his laptop in custody because we believed we have it had evidence that would prove beyond a reasonable doubt that he was the one responsible for this and so I think we still whatever any victim what was the sorry I have a follow-up what was the reason for the delay then for after the accident to wait till 2014 - oh just it often takes a very long time for us to get lucky and get a tip as to where somebody might be we were looking the whole time and hopeful that we'd catch him in a country that would cooperate with US law enforcement but it just it just took that long for us to get a lucky break all right I've got a comment and a question thank you for doing this I spoke to a well-known Russian attorney here in the United States who offered to represent him and and it didn't work out and he later told me he called him hard-headed and an idiot so my question for you is going back to that interaction with the FSB I want to know if you learned anything from that interaction and if that has 
changed the way law enforcement here in the u.s. reaches out to law enforcement over there since then you know I can't comment on on the broader policy perspectives of that and and and how that may affect relations that's that's something more for for people in DC and this was also a long time ago I can only say that it had an impact on this case we had to take it into consideration in this particular case and it impacted how we went forward it's curious about sentencing what did he get and was it enough he got alive he got a lot of time he was sentenced on April 21st in federal court in in Seattle the judge sentenced him to 27 years in custody his guideline rated the u.s. sentencing system is based on a series of guidelines that take into account a number of different factors including the loss amount which in this case was a hundred and sixty nine million dollars based solely on cards that we found on devices that we were able to see so that that doesn't that unquestionably leaves a lot of money on the table other factors that were very significant to the judge were this particular defendants efforts to obstruct justice throughout the process he testified in multiple hearings and and lied repeatedly in the judge saw through it and specifically found that he had lied to the court in an effort to to sway particular rulings which is never a good thing to do when you're going to be in front of that same judge for sentencing the guidelines worked out to a calculation that was literally off the chart in the guideline book and require and called for a sentence of life obviously the sentence is not life it was a departure quite a ways down from it and that's what the judge felt was appropriate in light of all the sentencing factors and one part of that also that I think gets lost often in you know carding cases is victims you know a lot of people feel like hey I'm the card owner my Kart gets stolen I was the victim well another group are the businesses actually that got 
hacked and he had hacked hundreds we had approximately 400 victims and most of our victims were not large well financed corporations they were mom-and-pop shops restaurants that took a huge hit as a result of this and a few of them completely went out of business Broadway Grill ultimately declared bankruptcy within months months are probably about a year of the intrusion and so there is a larger effect on a community and that here it was really nationwide we did not recover any funds at this point which is also another problem in terms of international cooperation sometimes we just don't have ability to get ahold of the accounts where the money might be yes I'm curious about Indonesia why did you decide not to contact Indonesia I you know I can't comment on that it was a decision that was made internally it just was an operation that we didn't go forward with in the back we did we did multiple searches of it we first had an Apple unlock order that produced a great deal of data before Apple ceased doing that and then later we were able to brute force the the iPhone and pulled a bunch of data off it but it was I don't think we introduced any exhibits from the phone pictures I think that picture yes this gentleman just asked about two other cases that are currently pending obviously I can't comment on ongoing litigation he is presumed innocent until proven guilty on those cases and I so I can't comment on where that may lead those cases are still there he's currently in Atlanta and we'll just have to see how that plays out did you track how many other Russian nationals stopped vacationing in Maldives following through the rest good question no I was wondering about the credit cards where do you guys do afterwards did you contact the banks or the owners of the cards I all the banks thousands I three thousand banks was thirty seven hundred thirty-seven hundred different banks were contacted and told about the cards that were discovered I didn't know there were that many 
banks they were and they were all over the world did we get the zero real close one quick question how do you guys coordinate with other state quarters in the US government that might be less excited about using these techniques in an open forum like a trial and is it worth it we didn't worth it to put one guy in jail and blow other techniques other people use I don't think we actually blew any techniques that weren't public that wasn't a concern here yeah I guess we're okay with us since we're standing here any last question here I was I didn't quite hear or maybe I missed it during the presentation about the tip that led to the Secret Service rushing and grabbing him no what was that tip who gave it I can't tell you yeah one more yeah so um a lot of the credit card information was in clear text on those businesses did they suffer any criminal liability for that or what was their liability for holding that day down there and most were not in clear text there was the one example where they had the thirty two thousand cards and no not criminal liability at all they all suffered some form of fines and obviously loss of business in any given instance there may have been very a variety of security flaws that you know we don't get into attribution of that and we've been given the we're out of time mark so thank you guys very much [Applause]
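The forensic reasoning the prosecutors describe above, separating the last human session from later operating-system activity by looking at the SID attached to each logon event and SRUM row, can be scripted once the artifacts have been parsed. The following is an added illustration, not code from the talk or from any DFIR tool: the record layouts, the account SID, the timestamps and the process names are constructed sample data (the user name Smouse, the Tor browser and the S-1-5-18 LocalSystem SID are the details the talk mentions; everything else is invented for the example), and the field names are this script's own rather than the schema of any parser.

```python
"""Added example (not from the talk): triaging Windows logon and SRUM
artifacts to separate the last human session from later OS activity.
Records below are constructed samples, not the case's real data, and
the field names are this example's own, not any parser's schema."""
from dataclasses import dataclass
from datetime import datetime

# Well-known SIDs that identify the OS or service accounts, never a person.
SYSTEM_SIDS = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService",
               "S-1-5-20": "NetworkService"}
# Event ID 4624 logon types that need someone at the keyboard or in a
# remote desktop session (Microsoft's documented numbering).
HUMAN_LOGON_TYPES = {2: "Interactive", 7: "Unlock",
                     10: "RemoteInteractive", 11: "CachedInteractive"}


@dataclass
class LogonEvent:          # one parsed Security.evtx 4624 record
    when: datetime
    sid: str
    user: str
    logon_type: int


@dataclass
class SrumAppRow:          # one parsed SRUM application-usage row
    when: datetime
    sid: str
    app: str


def is_account_sid(sid: str) -> bool:
    """True for a local/domain account SID (S-1-5-21-<3 subauths>-<RID>),
    false for LocalSystem-style well-known SIDs and malformed strings."""
    if sid in SYSTEM_SIDS:
        return False
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return False
    return all(p.isdigit() for p in parts[4:])


def last_human_logon(events):
    """Latest 4624 event by a real account using a human logon type."""
    human = [e for e in events
             if is_account_sid(e.sid) and e.logon_type in HUMAN_LOGON_TYPES]
    return max(human, key=lambda e: e.when, default=None)


def last_human_app(rows):
    """Latest SRUM row attributed to an account SID rather than the OS."""
    human = [r for r in rows if is_account_sid(r.sid)]
    return max(human, key=lambda r: r.when, default=None)


def summarize(events, rows):
    """Timeline summary: who last logged on interactively, what they last
    ran, and whether everything recorded afterwards was OS-only."""
    logon = last_human_logon(events)
    app = last_human_app(rows)
    later = [r for r in rows if app and r.when > app.when]
    return {
        "last_human_logon_user": logon.user if logon else None,
        "last_human_logon_type":
            HUMAN_LOGON_TYPES.get(logon.logon_type) if logon else None,
        "last_human_app": app.app if app else None,
        "later_rows": len(later),
        "later_rows_all_system": all(r.sid in SYSTEM_SIDS for r in later),
    }


# Constructed sample data (account SID, times and process names invented).
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    LogonEvent(datetime(2014, 6, 21, 9, 0), USER_SID, "smouse", 2),
    LogonEvent(datetime(2014, 7, 3, 22, 15), USER_SID, "smouse", 2),
    LogonEvent(datetime(2014, 7, 3, 23, 40), "S-1-5-18", "SYSTEM", 5),
    LogonEvent(datetime(2014, 7, 10, 3, 0), "S-1-5-18", "SYSTEM", 5),
]
SAMPLE_SRUM = [
    SrumAppRow(datetime(2014, 7, 3, 22, 20), USER_SID, "Tor Browser"),
    SrumAppRow(datetime(2014, 7, 3, 23, 50), "S-1-5-18", "svchost.exe"),
    SrumAppRow(datetime(2014, 7, 10, 3, 5), "S-1-5-18", "MsMpEng.exe"),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS, SAMPLE_SRUM).items():
        print(f"{key}: {value}")
```

The point of the SID test is the one the talk makes: a machine left in connected standby keeps generating artifacts, but those carry the LocalSystem SID and service-type logons, so a timeline that ends with a human account SID, an interactive logon type and a user-launched program, followed only by S-1-5-18 rows, rebuts the claim that later activity was someone else using the computer.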
Info
Channel: Black Hat
Views: 371,914
Rating: 4.8193288 out of 5
Keywords: BlackHat, InfoSec, incident response, Information Security, Black Hat, data forensics, BHUSA, Human Factors, DFIR
Id: 6Chp12sEnWk
Length: 49min 6sec (2946 seconds)
Published: Fri Aug 25 2017