When he was arrested in the Maldives in July 2014, Russian hacker Roman Seleznev had some 1.7 million credit card numbers on his laptop. On Thursday, a federal jury convicted him on 38 counts relating to how he got those credit card numbers.

Seleznev most often went by the handle “Track2” and would scrape card info from infected point-of-sale systems wherever they might be: Idaho, Nevada, Arizona, and Washington, among them. Here’s how it worked, a scheme that started in 2008.

…[M]alware would steal the credit card data from the point-of-sale systems and send it to other servers that Seleznev controlled in Russia, the Ukraine or in McLean, Virginia. Seleznev then bundled the credit card information into groups called bases” and sold the information on various carding” websites to buyers who would then use the credit card numbers for fraudulent purchases.

A Department of Justice press release about the conviction points out that small business owners were among the victimized, such as “restaurants in Western Washington, including the Broadway Grill in Seattle, which was forced into bankruptcy following the cyber assault.” Seleznev reportedly hacked into hundreds of POS systems, including ones at the Phoenix Zoo. In all, he cost more than 3,700 banks more than $169 million in losses and gained control of 2 million credit cards, the court learned during the eight-day trial.

Seleznev is the son of Valery Seleznev, a Russian lawmaker. After hearing about his son’s arrest in 2014, he characterized it as a kidnapping.

“This is not the first time the U.S. side, ignoring a bilateral treaty … on mutual assistance in criminal matters, has gone ahead with what amounts to the kidnapping of a Russian citizen,” his office announced. Russian media was highly critical of the arrest:

His lawyer, John Henry Browne, emphasized the arrest was more like a “kidnapping,” and vowed to appeal. Seleznev will be sentenced on December 2. He faces up to 40 years in prison.