Feds: Russian Hacker Stole Millions From U.S. Zoo, Pizzerias, and Even a Deli

The son of a Moscow politician, Roman Seleznev allegedly stole credit card info from hundreds of businesses—and his lawyer represented Ted Bundy.

A small army of pizza restaurants in Washington state is prepared to face off against one of the world’s most notorious accused hackers.

On Monday, Russian native Roman Seleznev appeared in a federal courtroom in Seattle for the first day of trial on a 40-count indictment. Seleznev, the son of Russian parliament member Valery Seleznev, is accused of stealing and selling credit card data from Arizona’s Phoenix Zoo, an Idaho deli, and at least eight Washington pizzerias. Following a controversial 2014 arrest (which his politician-father characterizes as an illegal kidnapping), reports of a planned escape attempt (which his father denies), and rumors that the U.S. planned to swap him for Edward Snowden (which the U.S. denies), Seleznev is finally getting his day in court—represented by the lawyer who defended serial killer Ted Bundy.

He’ll face a number of pissed-off pizzeria owners.

From 2008 until his 2014 arrest, Seleznev is accused of stealing credit card and bank information and selling them in shadowy online forums. Selezenev allegedly earned a profit of $200,000 from the racket that targeted approximately 200,000 credit cards at 200 businesses, according to an indictment (PDF). Operating under screen names like “nCux” (Russian for “psycho”) and “2Pac,” Seleznev allegedly sold credit card numbers for as little as $7 to buyers who racked up over $170 million in expenses on the compromised accounts.

While these buyers spent big with stolen credit cards, Washington pizzerias paid the cost.

Red Pepper Pizzeria serves up pizza and pasta in the small Washington city of Duvall. Owner Steve Bussing wasn’t prepared for a hacker to target his restaurant from thousands of miles away. “It was a huge expense,” he told the Associated Press. After their computers were compromised, Red Pepper was forced to close while Bussing and his wife spent approximately $10,000 upgrading their system.

Bussing is expected to testify against Seleznev, joining a list of Washington pizzeria employees from Village Pizza in Anacortes, Red Pepper Pizza in Duluth, Casa Mia in Yelm, and multiple Mad Pizza and ZPizza franchises statewide.

They’re the lucky ones: some restaurants targeted in the hack, like the Broadway Grill in Seattle, have been forced to close.

“We are a tiny little company trying to manage this huge monster of a restaurant and for someone to swoop in and try to completely wipe our accounts is a really scary thing,” Broadway Grill owner Matthew Walsh told local news after their 2010 hack. “I am seriously worried about the future of our business without the support of our community.”

It’s not clear why Washington state pizza restaurants were targeted, but restaurants—even major franchises—are favorite targets for hackers looking for troves of credit card information.

Earlier this year, customers at Wendy’s noticed suspicious activity on their bank accounts after using their credit cards at the restaurant. Wendy’s later announced that credit card information had been stolen from more than1,000 franchises. The credit card-scraping hack followed a December attack on Landry’s Inc., a restaurant group that owns more than 500 restaurants including Rainforest Cafe and Bubba Gump Shrimp Company, and a 2014 hack on Chinese restaurant chain P.F. Chang’s.

Like many hacks on restaurants, Seleznev’s alleged scheme targeted point-of-service software. These systems, which track customers’ bills, often run on old computers with outdated security—but they’re connected to so-called house computers in the back of the restaurant, which process credit card information. By targeting point-of-service machines, Seleznev was allegedly able to upload malware to the house computers, intercepting customers’ credit card information and transmitting it to Seleznev every five minutes, the U.S. attorney’s indictment charges (PDF)