Earlier this week I was chatting with one of the top experts on Russian Cybercrime (who has asked to remain anonymous here). We were discussing the news that was released on 24MAR2020 that the FSB had raided 62 addresses in 11 regions of Russia arresting cybercriminals for their involvement in the online sales of stolen credit cards.
There are some GREAT videos of the FSB in action ... this first one from Gazeta.ru
According to the Gazeta articles, the FSB arrested 30 members of an online hacking group, including programmers from Ukraine and Lithuania. Twenty-five were charged with "Illegal circulation of a means of payment," which in Russia is a violation of Section 2 of Article 187. Region15.ru adds that the raids were conducted at 62 different addresses, including operations in Crimea, North Ossetia, Kaluga, Leningrad, Moscow, Pskov, Samara and Tambov, Moscow, St. Petersburg, and Sevastopol.
An embeddable image (same video) from Kuban.kp.ru shows image after image of those being arrested in the raids ..
More than $1 million USD and 3 million Rubles were seized, as well as computer equipment, firearms, drugs, gold bullion and precious coins. Many fake identity documents were also seized, including Russian Federation passports and counterfeit law enforcement officer IDs. Several of those arrested had been previously prosecuted for similar crimes. Russia Today's coverage of the story cites a December 2019 report by Sberbank saying that criminals frequently convince victims to give up their card details through social engineering by telephone. They also mention that in October at least 60 million Sberbank credit cards were being traded on the black market. The FSB arrested a criminal who used the name "Anton 2131" and lived in Volgograd with regards to some of that data.
Other coverage by Scandaly.ru indicated that at least 15 men and 1 woman among the arrested were held without bail in a Moscow court, being accused of serious crimes that would have sentences of at least 7 years. That article also mentioned that most of the 90 criminal marketplaces run by these criminals were taken offline on March 18th and March 19th. FSB investigators are now going through these servers to identify "wholesalers." They say they are interested in any customers who purchased more than 500 credit cards from the shops.
Вячеслав Володин принял участие в расширенном заседании коллегии Генеральной прокуратуры РФ (Vyacheslav Volodin took part in an expanded meeting of the board of the Prosecutor General of the Russian Federation)
As President Putin addressed the board of the Ministry of Internal Affairs, he charged them strictly that they needed to pay "constant attention to the Internet" and "work to identify the organizers and instigators who should be deservedly punished" for their crimes. The Duma article said it like this:
"[President Putin] demanded that law enforcement agencies develop a system to combat cybercrime. Speaking at an enlarged meeting of the board of the Prosecutor General’s Office of the Russian Federation, he noted that in recent years “extremely negative dynamics have been recorded in crimes related to the use of information technology”.
“I’m asking the Prosecutor General’s Office, together with the Ministry of Internal Affairs and other relevant structures, to analyze how efficiently the work in this area has been built, how the available procedural capabilities are being used, and in general I’m asking for a system, a set of measures to reduce the number of such crimes,” the head of state said.
Guess what happens when President Putin orders the Prosecutor General to do something to reduce the number of cybercrimes in Russia? The FSB gets to work arresting people!
Now my challenge, gentle reader, what were the hacker names of these individuals, and what shops did they run? Please comment below or message me if you have more details!
CyberScoop.com's piece, Rare cybercrime enforcement in Russia yields 25 arrests, shutters 'BuyBest' marketplace, mentions Flint24 as well and suggests that wuzzup[.]com, dumpsmania24[.]com were also part of the takedown. BuyBestCC and BuyBestBiz were two of the many mirror sites.
GeminiAdvisory's story "FSB Takes Down Top-Tier Marketplace, Arrests Admins" mentions that Flint24 was a character in Sergey Pavlovich's book, "How to Steal a Milion." They also list a couple additional BuyBest mirrors, BinGo and Yohoho.
There are some GREAT videos of the FSB in action ... this first one from Gazeta.ru
According to the Gazeta articles, the FSB arrested 30 members of an online hacking group, including programmers from Ukraine and Lithuania. Twenty-five were charged with "Illegal circulation of a means of payment," which in Russia is a violation of Section 2 of Article 187. Region15.ru adds that the raids were conducted at 62 different addresses, including operations in Crimea, North Ossetia, Kaluga, Leningrad, Moscow, Pskov, Samara and Tambov, Moscow, St. Petersburg, and Sevastopol.
An embeddable image (same video) from Kuban.kp.ru shows image after image of those being arrested in the raids ..
More than $1 million USD and 3 million Rubles were seized, as well as computer equipment, firearms, drugs, gold bullion and precious coins. Many fake identity documents were also seized, including Russian Federation passports and counterfeit law enforcement officer IDs. Several of those arrested had been previously prosecuted for similar crimes. Russia Today's coverage of the story cites a December 2019 report by Sberbank saying that criminals frequently convince victims to give up their card details through social engineering by telephone. They also mention that in October at least 60 million Sberbank credit cards were being traded on the black market. The FSB arrested a criminal who used the name "Anton 2131" and lived in Volgograd with regards to some of that data.
Other coverage by Scandaly.ru indicated that at least 15 men and 1 woman among the arrested were held without bail in a Moscow court, being accused of serious crimes that would have sentences of at least 7 years. That article also mentioned that most of the 90 criminal marketplaces run by these criminals were taken offline on March 18th and March 19th. FSB investigators are now going through these servers to identify "wholesalers." They say they are interested in any customers who purchased more than 500 credit cards from the shops.
A CyberCrime Crackdown in Russia? What Happened?
When I asked my Russian Cybercrime Expert friend what was behind the large volume of raids, his reply was direct: President Putin. He shared with me this article from duma.gov.ru:Вячеслав Володин принял участие в расширенном заседании коллегии Генеральной прокуратуры РФ (Vyacheslav Volodin took part in an expanded meeting of the board of the Prosecutor General of the Russian Federation)
As President Putin addressed the board of the Ministry of Internal Affairs, he charged them strictly that they needed to pay "constant attention to the Internet" and "work to identify the organizers and instigators who should be deservedly punished" for their crimes. The Duma article said it like this:
"[President Putin] demanded that law enforcement agencies develop a system to combat cybercrime. Speaking at an enlarged meeting of the board of the Prosecutor General’s Office of the Russian Federation, he noted that in recent years “extremely negative dynamics have been recorded in crimes related to the use of information technology”.
“I’m asking the Prosecutor General’s Office, together with the Ministry of Internal Affairs and other relevant structures, to analyze how efficiently the work in this area has been built, how the available procedural capabilities are being used, and in general I’m asking for a system, a set of measures to reduce the number of such crimes,” the head of state said.
Guess what happens when President Putin orders the Prosecutor General to do something to reduce the number of cybercrimes in Russia? The FSB gets to work arresting people!
Russian Credit Card Criminals Detained
While the names of those arrested were not listed in any article, it was fairly simple to pull them together, once my Russian colleague showed me the ropes of the "mos-gorsud" site where federal charges are tracked. By searching for "Article 187 Section 2" and limiting my scope to people arrested in March 2020, I came up with this list of likely players:- Шувалов А.В - Shuvalov A.V. - in court 20MAR2020 - 77RS0027-01-2020-004928-65
- Светличный Л.И. - Svetlichny L.I. - in court 21MAR2020 - 77RS0027-01-2020-004942-23
- Малинин М.А. - Malinin M.A. - 20MAR2020 - 77RS0027-01-2020-004935-44
- Строганов А.Т. - Stroganov A.T. - 20MAR2020 - 77RS0027-01-2020-004934-47
- Ахметов В.А. - Akhmetov V.A. - 21MAR2020 - 77RS0027-01-2020-004946-11
- Селиванов Г.В. - Selivanov G.V. - 20MAR2020 - 77RS0027-01-2020-004924-77
- Карпунин С.В. - Karpunin S.V. - 20MAR2020 - 77RS0027-01-2020-004936-41
- Федотов И.О. - Fedotov I.O. - 20MAR2020 - 77RS0027-01-2020-004933-50
- Галкин А.В. - Galkin A.V. - 20MAR2020 - 77RS0027-01-2020-004929-62
- Синицын А.В. - Sinitsyn A.V. - 21MAR2020 - 77RS0027-01-2020-004944-17
- Смирнов А.М. - Smirnov A.M. - 21MAR2020 - 77RS0027-01-2020-004937-38
- Бобин А.С. - Bobin A.S. - 20MAR2020 - 77RS0027-01-2020-004926-71
- Мерлин Э.А. - Merlin E.A. - 21MAR2020 - 77RS0027-01-2020-004925-74
- Белай В.В. - Belay V.V. - 21MAR2020 - 77RS0027-01-2020-004945-14
- Васильев Р.Р. - Vasiliev R.R. - 21MAR2020 - 77RS0027-01-2020-004943-20
- Юшковский А.А. - Yushkovsky A.A. - 20MAR2020 - 77RS0027-01-2020-004897-61
Now my challenge, gentle reader, what were the hacker names of these individuals, and what shops did they run? Please comment below or message me if you have more details!
Updates As We Find Them
Строганов is Alexey Stroganov aka Flint24 according to this post by Brian Krebs - Russians Shut Down Huge Card Fraud Ring
Селиванов is Gerasim Silivanon aka Gabrik according to the same post.
Some of the sites known to be offline now are MrWhite[.]biz, BingoDumps, DumpsKingdom, GoldenDumps, HoneyMoney, and HustleBank.
CyberScoop.com's piece, Rare cybercrime enforcement in Russia yields 25 arrests, shutters 'BuyBest' marketplace, mentions Flint24 as well and suggests that wuzzup[.]com, dumpsmania24[.]com were also part of the takedown. BuyBestCC and BuyBestBiz were two of the many mirror sites.
GeminiAdvisory's story "FSB Takes Down Top-Tier Marketplace, Arrests Admins" mentions that Flint24 was a character in Sergey Pavlovich's book, "How to Steal a Milion." They also list a couple additional BuyBest mirrors, BinGo and Yohoho.