A small army of pizza restaurants in Washington state is prepared to face off against one of the world’s most notorious accused hackers.
On Monday, Russian native Roman Seleznev appeared in a federal courtroom in Seattle for the first day of trial on a 40-count indictment. Seleznev, the son of Russian parliament member Valery Seleznev, is accused of stealing and selling credit card data from Arizona’s Phoenix Zoo, an Idaho deli, and at least eight Washington pizzerias. Following a controversial 2014 arrest (which his politician-father characterizes as an illegal kidnapping), reports of a planned escape attempt (which his father denies), and rumors that the U.S. planned to swap him for Edward Snowden (which the U.S. denies), Seleznev is finally getting his day in court—represented by the lawyer who defended serial killer Ted Bundy.
He’ll face a number of pissed-off pizzeria owners.
From 2008 until his 2014 arrest, Seleznev is accused of stealing credit card and bank information and selling them in shadowy online forums. Selezenev allegedly earned a profit of $200,000 from the racket that targeted approximately 200,000 credit cards at 200 businesses, according to an indictment (PDF). Operating under screen names like “nCux” (Russian for “psycho”) and “2Pac,” Seleznev allegedly sold credit card numbers for as little as $7 to buyers who racked up over $170 million in expenses on the compromised accounts.
While these buyers spent big with stolen credit cards, Washington pizzerias paid the cost.
Red Pepper Pizzeria serves up pizza and pasta in the small Washington city of Duvall. Owner Steve Bussing wasn’t prepared for a hacker to target his restaurant from thousands of miles away. “It was a huge expense,” he told the Associated Press. After their computers were compromised, Red Pepper was forced to close while Bussing and his wife spent approximately $10,000 upgrading their system.
Bussing is expected to testify against Seleznev, joining a list of Washington pizzeria employees from Village Pizza in Anacortes, Red Pepper Pizza in Duluth, Casa Mia in Yelm, and multiple Mad Pizza and ZPizza franchises statewide.
They’re the lucky ones: some restaurants targeted in the hack, like the Broadway Grill in Seattle, have been forced to close.
“We are a tiny little company trying to manage this huge monster of a restaurant and for someone to swoop in and try to completely wipe our accounts is a really scary thing,” Broadway Grill owner Matthew Walsh told local news after their 2010 hack. “I am seriously worried about the future of our business without the support of our community.”
It’s not clear why Washington state pizza restaurants were targeted, but restaurants—even major franchises—are favorite targets for hackers looking for troves of credit card information.
Earlier this year, customers at Wendy’s noticed suspicious activity on their bank accounts after using their credit cards at the restaurant. Wendy’s later announced that credit card information had been stolen from more than 1,000 franchises. The credit card-scraping hack followed a December attack on Landry’s Inc., a restaurant group that owns more than 500 restaurants including Rainforest Cafe and Bubba Gump Shrimp Company, and a 2014 hack on Chinese restaurant chain P.F. Chang’s.
Like many hacks on restaurants, Seleznev’s alleged scheme targeted point-of-service software. These systems, which track customers’ bills, often run on old computers with outdated security—but they’re connected to so-called house computers in the back of the restaurant, which process credit card information. By targeting point-of-service machines, Seleznev was allegedly able to upload malware to the house computers, intercepting customers’ credit card information and transmitting it to Seleznev every five minutes, the U.S. attorney’s indictment charges (PDF).
But Seleznev’s legal team is expected to put up a good fight. He has hired legendary defense attorney John Henry Browne, who has represented serial killer Ted Bundy and U.S. Army Staff Sgt. Robert Bales, who was convicted of murdering 16 Afghan civilians.
Seleznev’s legal team is the sixth set of lawyers assigned to his case, which has slowly inched toward trial in the two years since his arrest. Citing the wealth of financial information in the case (reportedly 10,000 pages and 4.75 terabytes of documents), Browne has postponed the trial for months. But the interim period between Seleznev’s arrest and trial has seen no shortage of drama.
Seleznev’s 2014 arrest in the Maldives involved local police, U.S. agents based in Thailand and Hawaii, and an Interpol warrant. The U.S. had had a warrant out for Seleznev’s arrest since 2011, but was unable to extradite him from his home in Russia. Even when traveling outside Russia, Seleznev was careful to avoid countries that might ship him to the U.S.; in 2014 he chose to vacation on a luxe resort in the Maldives, allegedly because the Maldives and the U.S. did not have an extradition agreement.
Tipped off to his travel plans, the U.S. deployed Secret Service agents to the Maldives from Hawaii and Thailand, where they planned to arrest Seleznev once he stepped off his plane. Maldivian officials required an Interpol warrant before the U.S. made any arrests in their country—and Russian officials have a history of alerting citizens of international arrest warrants, Bloomberg reported. So the Secret Service waited to file the warrant until Seleznev’s seaplane was on its way to the Maldives, leaving him with nowhere to land but in the arms of American agents, who arrested him on the spot.
The Russian government has described the arrest as a kidnapping, calling it “the latest unfriendly move from Washington… what amounts to the kidnapping of a Russian citizen” in a 2014 statement. Seleznev’s legal team has seized onto this argument, questioning the legality of his arrest.
Seleznev’s father, Russian parliament member Valery Seleznev, has also been vocal in the case. During conversations over Seattle prison phones, the father and son allegedly discussed a prison break plan.
“What can we discuss, your escape plan or what?” Valery asked his son during a recorded call on a prison phone, describing “doctors” and “magicians” who could help him “be released from the hospital.” (Seleznev’s lawyers said this was “clearly a facetious reference.”)
Stranger still are allegations that Seleznev’s arrest was part of a larger plan to arrest Snowden. In an interview with the Russia-owned RT network, Valery Seleznev accused the U.S. of arresting his son in order to force a prisoner swap for Snowden. The U.S. Department of Justice has denied the accusation.
Finally in court for the first time, Seleznev is expected to stand trial for three weeks. The man accused of running one of the world’s largest credit card frauds, and netted in an international operation with alleged ties to Snowden will face his accusers: bakery managers, restaurateurs, and pizzeria owners.