On Thursday, a federal jury in Seattle found Roman Seleznev guilty of stealing millions of credit card numbers and selling them online to other fraudsters. Seleznev, 32, is the son of Russian Parliament member Valery Seleznev.

Seleznev, who occasionally went by the moniker “Track2” online (a reference to one of the information strips on the back of a magnetic stripe card"), had been hacking into restaurant and retail Point of Sale (PoS) systems since at least October 2009 and continued until October 2013.

According to a 2014 indictment (PDF) from the Department of Justice, Seleznev and potentially others who are unknown to the investigators “developed and used automated techniques, such as port scanning, to identify computers and computer systems that were connected to the Internet [and] were dedicated to or involved with credit processing by retail businesses.”

The hacker identified vulnerable PoS systems around the country (although specifically in Washington state, in this instance) and had them download malware from servers that he maintained. The indictment continued:

The malware that Roman Seleznev and others unknown to the Grand Jury caused to be downloaded to the victim business’ computers monitored the traffic within the business’ computer network and intercepted the communications between the point of sale terminals and the back of the house compared. The malware would extract and copy data the included credit card track data and, every five minutes, compile the stolen credit card track data and transmit and upload it to a server identified by a specific IP address.

In some cases, the victim’s security practices were startlingly deficient as well. “In the case of the Broadway Grill, in particular, every credit card number that had been swiped at the restaurant between December 1,2009, and October 22, 2010, (over 32,000 unique credit card numbers) had been saved to a text file that was stored on the business’ back of the house computer,” the 2014 indictment noted. Seleznev was then accused of placing additional malware on the restaurant’s POS to capture subsequent credit card numbers.

Seleznev then placed the stolen card numbers on so-called “carding” websites and forums, where he sold the numbers with a 95 percent guarantee of validity for $20 to $30. He also sold numbers with a 65 percent chance of validity for around $7.

Using his preferred carding websites and forums, he sold approximately 140,000 credit card numbers and raked in $2 million. But the scheme apparently was far more vast than that. Seleznev was arrested in 2014 in the Maldives with his girlfriend. According to the DoJ, “[Seleznev’s] laptop contained more than 1.7 million stolen credit card numbers, some of which were stolen from businesses in Western Washington. The laptop also contained additional evidence linking Seleznev to the servers, e-mail accounts and financial transactions involved in the scheme.” US prosecutors estimate that Seleznev stole 2.9 million credit card numbers over the years.

According to Reuters, Russia at the time called Seleznev’s arrest a “kidnapping.” The defendant’s lawyer, John Henry Browne, says that his client will appeal this week’s guilty verdict on the grounds that he was arrested illegally. Browne also took issue with a ruling that allowed prosecutors to use “evidence from a corrupted laptop seized at the time of his arrest,” according to Reuters.

Seleznev will be sentenced December 2. His lawyer told Reuters that his client faces a mandatory minimum of four years of jail time.