The traditional image of a mob boss at the head of the table directing his cronies is rapidly being replaced with its digital equivalent: cyber gangs, often tenuously connected and spread across international boundaries.
From data breaches to online fraud schemes, the booming field of cyber financial crime is increasingly dominated by organized criminal groups. A 2013 analysis by the InfoSec Institute found that nearly 80 percent of cybercrime incidents were estimated to originate from some form of organized activity.
Despite increased media attention and efforts to augment security in both public and private sectors, cyber financial crime remains lucrative for transnational gangs. In a joint report released last month, McAfee and the Center for Strategic and International Studies pegged the annual costs of cybercrime between $375 and $575 billion globally. “Cybercrime produces high returns at low risk and (relatively) low cost for hackers,” the report stated.
Though there is some overlap between online and “real-world” organized crime groups, many cyber-gangs bear little resemblance to more traditional mafia organizations. Loosely affiliated groups offering “cybercrime as a service” may meet for one-off jobs, associating only through online forums or dark web sites. While many cybercrime rings are centered in various states of the former Soviet Union, participants may be scattered across the globe, and act with a decentralized leadership structure.
These differences haven’t stopped US law enforcement from leveraging a decades-old law designed for organized crime rings, the Racketeer Influenced and Corrupt Organizations Act (RICO), to take down what they are calling modern versions of mafia groups.
The US Department of Justice is increasingly turning to RICO as a tool to prosecute cyber financial crime operations. The first successful application of the law in the cybercrime arena came late last year, when identity thief David Ray Camez was convicted on RICO charges by a federal jury for purchasing fake driver’s licenses off dark web marketplace Carder.su.
Now federal prosecutors have widened the net to ensnare other merchants on Carder.su, including Russian national Roman Seleznev, whom the Secret Service once called “one the world’s most prolific traffickers of stolen financial information.”
Online cybercrime sites function as criminal gangs, prosecutors allege
Indicted in the Western District of Washington state in March 2011, Seleznev allegedly conspired with other cybercriminals around the world to sell more than $2 million worth of stolen credit card numbers.
Seleznev, known online under various aliases such as Ruben Samvelich, Bulba, and Zagreb, allegedly installed malware on point-of-sale systems of restaurants and retailers to steal credit and debit card data. He would then post large volumes of credit card numbers and other personal information on Carder.su, among other sites. The site’s registered members could then purchase the stolen data in packages ranging from individual card numbers to bundles of 1,000. Along with credit card information, members could buy fake IDs and other sensitive information. The scheme incurred than $50 million in losses for card providers, according to court documents.
Prosecutors are now in the middle of using RICO to dismantle a ring of 39 participants that ran as well as profited from the stolen information hub. Under RICO charges, Seleznev and his buyers are being treated as one cohesive crime ring. This makes each liable for the criminal acts of the entire organization, in addition to the individual charges they face for bank fraud and identity theft. All told, defendants in the Carder.su case are alleged to have committed roughly 7,900 crimes.
The indictment and statement of facts unsealed earlier this month delineate the connections between Carder.su’s actors, and compare them to the way a crime family operates. Prosecutors argue RICO applies because Carder.su operated with a hierarchical structure and code of conduct for its members, with Seleznev acting as capo.
Attorneys for the defendants in several cases have countered those claims, saying that the use of RICO is overreach and the site operated more like a criminal version of eBay than any kind of organized crime ring.
So far, those arguments have failed to convince a jury. Along with the conviction of Camez, a nine other low-level buyers arrested in the Carder.su case have already pleaded guilty. Seleznev’s case will now test the use of RICO charges against an alleged “mob boss” of a cybercrime operation.
Success in Seleznev case likely to strengthen RICO as cybercrime weapon
If prosecutors are successful in securing a conviction against Seleznev, it will solidify the legal theory that RICO can be used against all levels of participants in forums and online markets related to cybercrime. Buyers and sellers on the online drug bazaar Silk Road, for example, may be vulnerable to RICO claims.
For US prosecutors seeking tougher enforcement tools against cyber criminals, RICO has three primary benefits. RICO charges bring stiff penalties, including prison sentences of 20 years to life. The law can also block defendants from using their proceeds gained from alleged racketeering to fund their defense.
As the law holds all members liable for the acts of a “corrupt organization,” it can also allow prosecutors to reach higher-level members of criminal gangs that directed others in illicit acts without actually participating in them.
Since it came into effect in 1970, the law known as RICO has taken down a diverse cast of criminals – from Mafia families in New York City, to corrupt members of the police department in Key West, to high-ranking officials in the Catholic clergy.
In the Carder.su case, members of the alleged criminal organization are all being individually charged with an array of separate violations of federal and sometimes state laws, so the main advantage for prosecutors comes in RICO’s stringent penalties.
“It was designed to have enhanced punishment for the members of an organized crime family,” says Gregory D. Lee, a former Supervisory Special Agent for the U.S. Drug Enforcement Administration and consultant on organized crime.
RICO applies to a hierarchical structure of actors with strong ties, Lee explained, even if they do not interact personally and live on opposite sides of the globe.
“You have leadership within the organization,” Lee said. “There are leaders and followers – and everyone is equally culpable.”
US adopts more aggressive tactics to investigate, extradite cybercriminals
Roman Seleznev has filed a motion to be released and discharged, and the Russian government has since issued a statement saying that his arrest was akin to that of a kidnapping of a Russian citizen. Seleznev’s father is reportedly a member of the Russian parliament, mixing a twist of geopolitical intrigue into the cybercrime case.
The investigation into Carder.su and the nature of Seleznev’s arrest points to a growing shift toward more aggressive tactics against cybercriminals by US law enforcement. The case stemmed in part from evidence gathered during a four-year undercover operation by the US Secret Service called “Operation Open Market,” the same investigation that led to the takedown of Liberty Reserve.
Seleznev himself was arrested while vacationing in the Maldives, and extradited to the US territory of Guam. His apprehension marks a rare instance in which a cybercriminal from Russia or Eastern Europe has successfully been brought to the United States to stand trial.
Costs of cybercrime spiral upward
Despite increased pressure on cybercriminals by US law enforcement, the prevalence and price tag attached to cybercrime continues to rise.
In 2013, the average cost of cybercrime incurred by a sample of US businesses and other organizations per year was $11.56 million, with a range of $1.3 million to $58 million, according to a study by security firm the Ponemon Institute. A 2013 report by Symantec found that the greatest cost of cybercrime per country was reported in the United States, with a grand total of $38 billion.
Cybercrime is also accounting for all larger portion of financial crime as a whole. According to InfoSec, fraudulent activity that starts at the keys of a computer now makes up about one third of all fraud schemes.