Category: U.S. Department of Justice

The U.S. government today announced a coordinated crackdown against QakBot, a complex malware family used by multiple cybercrime groups to lay the groundwork for ransomware infections. The international law enforcement operation involved seizing control over the botnet’s online infrastructure, and quietly removing the Qakbot malware from tens of thousands of infected Microsoft Windows computer systems.

Qakbot/Qbot was once again top malware loader observed in the wild in the first six months of 2023. Source: Reliaquest.com.

In an international operation announced today dubbed “Duck Hunt,” the U.S. Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) said they obtained court orders to remove Qakbot from infected devices, and to seize servers used to control the botnet.

“This is the most significant technological and financial operation ever led by the Department of Justice against a botnet,” said Martin Estrada, the U.S. attorney for the Southern District of California, at a press conference this morning in Los Angeles.

Estrada said Qakbot has been implicated in 40 different ransomware attacks over the past 18 months, intrusions that collectively cost victims more than $58 million in losses.

Emerging in 2007 as a banking trojan, QakBot (a.k.a. Qbot and Pinksplipbot) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations. QakBot is most commonly delivered via email phishing lures disguised as something legitimate and time-sensitive, such as invoices or work orders.

Don Alway, assistant director in charge of the FBI’s Los Angeles field office, said federal investigators gained access to an online panel that allowed cybercrooks to monitor and control the actions of the botnet. From there, investigators obtained court-ordered approval to instruct all infected systems to uninstall Qakbot and to disconnect infected machines from the botnet, Alway said.

The DOJ says their access to the botnet’s control panel revealed that Qakbot had been used to infect more than 700,000 machines in the past year alone, including 200,000 systems in the United States.

Working with law enforcement partners in France, Germany, Latvia, the Netherlands, Romania and the United Kingdom, the DOJ said it was able to seize more than 50 Internet servers tied to the malware network, and nearly $9 million in ill-gotten cryptocurrency from QakBot’s cybercriminal overlords. The DOJ declined to say whether any suspects were questioned or arrested in connection with Qakbot, citing an ongoing investigation.

According to recent figures from the managed security firm Reliaquest, QakBot is by far the most prevalent malware “loader” — malicious software used to secure access to a hacked network and help drop additional malware payloads. Reliaquest says QakBot infections accounted for nearly one-third of all loaders observed in the wild during the first six months of this year.

Researchers at AT&T Alien Labs say the crooks responsible for maintaining the QakBot botnet have rented their creation to various cybercrime groups over the years. More recently, however, QakBot has been closely associated with ransomware attacks from Black Basta, a prolific Russian-language criminal group that was thought to have spun off from the Conti ransomware gang in early 2022.

Today’s operation is not the first time the U.S. government has used court orders to remotely disinfect systems compromised with malware. In April 2022, the DOJ quietly removed malware from computers around the world infected by the “Snake” malware, an even older malware family that has been tied to the GRU, an intelligence arm of the Russian military.

Documents published by the DOJ in support of today’s takedown state that beginning on Aug. 25, 2023, law enforcement gained access to the Qakbot botnet, redirected botnet traffic to and through servers controlled by law enforcement, and instructed Qakbot-infected computers to download a Qakbot Uninstall file that uninstalled Qakbot malware from the infected computer.

“The Qakbot Uninstall file did not remediate other malware that was already installed on infected computers,” the government explained. “Instead, it was designed to prevent additional Qakbot malware from being installed on the infected computer by untethering the victim computer from the Qakbot botnet.”

The DOJ said it also recovered more than 6.5 million stolen passwords and other credentials, and that is has shared this information with two websites that let users check to see if their credentials were exposed: Have I Been Pwned, and a “Check Your Hack” website erected by the Dutch National Police.

Further reading:

The DOJ’s application for a search warrant application tied to Qakbot uninstall file
The search warrant application connected to QakBot server infrastructure in the United States
The government’s application for a warrant to seize virtual currency from the QakBot operators.

The U.S. Federal Bureau of Investigation (FBI) this week seized 13 domain names connected to “booter” services that let paying customers launch crippling distributed denial-of-service (DDoS) attacks. Ten of the domains are reincarnations of DDoS-for-hire services the FBI seized in December 2022, when it charged six U.S. men with computer crimes for allegedly operating booters.

Booter services are advertised through a variety of methods, including Dark Web forums, chat platforms and even youtube.com. They accept payment via PayPal, Google Wallet, and/or cryptocurrencies, and subscriptions can range in price from just a few dollars to several hundred per month. The services are generally priced according to the volume of traffic to be hurled at the target, the duration of each attack, and the number of concurrent attacks allowed.

The websites that saw their homepages replaced with seizure notices from the FBI this week include booter services like cyberstress[.]org and exoticbooter[.]com, which the feds say were used to launch millions of attacks against millions of victims.

“School districts, universities, financial institutions and government websites are among the victims who have been targeted in attacks launched by booter services,” federal prosecutors in Los Angeles said in a statement.

Purveyors of booters or “stressers” claim they are not responsible for how customers use their services, and that they aren’t breaking the law because — like most security tools — these services can be used for good or bad purposes. Most booter sites employ wordy “terms of use” agreements that require customers to agree they will only stress-test their own networks — and that they won’t use the service to attack others.

But the DOJ says these disclaimers usually ignore the fact that most booter services are heavily reliant on constantly scanning the Internet to commandeer misconfigured devices that are critical for maximizing the size and impact of DDoS attacks. What’s more, none of the services seized by the government required users to demonstrate that they own the Internet addresses being stress-tested, something a legitimate testing service would insist upon.

This is the third in a series of U.S. and international law enforcement actions targeting booter services. In December 2022, the feds seized four-dozen booter domains and charged six U.S. men with computer crimes related to their alleged ownership of the popular DDoS-for-hire services. In December 2018, the feds targeted 15 booter sites, and three booter store defendants who later pleaded guilty.

While the FBI’s repeated seizing of booter domains may seem like an endless game of virtual Whac-a-Mole, continuously taking these services offline imposes high enough costs for the operators that some of them will quit the business altogether, says Richard Clayton, director of Cambridge University’s Cybercrime Centre.

In 2020, Clayton and others published “Cybercrime is Mostly Boring,” an academic study on the quality and types of work needed to build, maintain and defend illicit enterprises that make up a large portion of the cybercrime-as-a-service market. The study found that operating a booter service effectively requires a mind-numbing amount of constant, tedious work that tends to produce high burnout rates for booter service operators — even when the service is operating efficiently and profitably.

For example, running an effective booter service requires a substantial amount of administrative work and maintenance, much of which involves constantly scanning for, commandeering and managing large collections of remote systems that can be used to amplify online attacks, Clayton said. On top of that, building brand recognition and customer loyalty takes time.

“If you’re running a booter and someone keeps taking your domain or hosting away, you have to then go through doing the same boring work all over again,” Clayton told KrebsOnSecurity. “One of the guys the FBI arrested in December [2022] spent six months moaning that he lost his servers, and could people please lend him some money to get it started again.”

In a statement released Wednesday, prosecutors in Los Angeles said four of the six men charged last year for running booter services have since pleaded guilty. However, at least one of the defendants from the 2022 booter bust-up — John M. Dobbs, 32, of Honolulu, HI — has pleaded not guilty and is signaling he intends to take his case to trial.

The FBI seizure notice that replaced the homepages of several booter services this week.

Dobbs is a computer science graduate student who for the past decade openly ran IPStresser[.]com, a popular and powerful attack-for-hire service that he registered with the state of Hawaii using his real name and address. Likewise, the domain was registered in Dobbs’s name and hometown in Pennsylvania. Prosecutors say Dobbs’ service attracted more than two million registered users, and was responsible for launching a staggering 30 million distinct DDoS attacks.

Many accused stresser site operators have pleaded guilty over the years after being hit with federal criminal charges. But the government’s core claim — that operating a booter site is a violation of U.S. computer crime laws — wasn’t properly tested in the courts until September 2021.

That was when a jury handed down a guilty verdict against Matthew Gatrel, a then 32-year-old St. Charles, Ill. man charged in the government’s first 2018 mass booter bust-up. Despite admitting to FBI agents that he ran two booter services (and turning over plenty of incriminating evidence in the process), Gatrel opted to take his case to trial, defended the entire time by court-appointed attorneys.

Gatrel was convicted on all three charges of violating the Computer Fraud and Abuse Act, including conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer. He was sentenced to two years in prison.

A copy of the FBI’s booter seizure warrant is here (PDF). According to the DOJ, the defendants who pleaded guilty to operating booter sites include:

Jeremiah Sam Evans Miller, aka “John The Dev,” 23, of San Antonio, Texas, who pleaded guilty on April 6 to conspiracy and violating the computer fraud and abuse act related to the operation of a booter service named RoyalStresser[.]com (formerly known as Supremesecurityteam[.]com);

Angel Manuel Colon Jr., aka “Anonghost720” and “Anonghost1337,” 37, of Belleview, Florida, who pleaded guilty on February 13 to conspiracy and violating the computer fraud and abuse act related to the operation of a booter service named SecurityTeam[.]io;

Shamar Shattock, 19, of Margate, Florida, who pleaded guilty on March 22 to conspiracy to violate the computer fraud and abuse act related to the operation of a booter service known as Astrostress[.]com;

Cory Anthony Palmer, 23, of Lauderhill, Florida, who pleaded guilty on February 16 to conspiracy to violate the computer fraud and abuse act related to the operation of a booter service known as Booter[.]sx.

All four defendants are scheduled to be sentenced this summer.

The booter domains seized by the FBI this week include:

cyberstress[.]org
exoticbooter[.]com
layerstress[.]net
orbitalstress[.]xyz
redstresser[.]io
silentstress[.]wtf
sunstresser[.]net
silent[.]to
mythicalstress[.]net
dreams-stresser[.]org
stresserbest[.]io
stresserus[.]io
quantum-stress[.]org

The U.S. government this week put a $10 million bounty on the head of a Russian man who for the past 18 years operated Try2Check, one of the cybercrime underground’s most trusted services for checking the validity of stolen credit card data. U.S. authorities say 43-year-old Denis Kulkov‘s card-checking service made him at least $18 million, which he used to buy a Ferrari, Land Rover, and other luxury items.

Denis Kulkov, a.k.a. “Nordex,” in his Ferrari. Image: USDOJ.

Launched in 2005, Try2Check soon was processing more than a million card-checking transactions per month — charging 20 cents per transaction. Cybercriminals turned to services like this after purchasing stolen credit card data from an underground shop, with an eye toward minimizing the number of cards that are inactive by the time they are put to criminal use.

Try2Check was so reliable that it eventually became the official card-checking service for some of the underground’s most bustling crime bazaars, including Vault Market, Unicc, and Joker’s Stash. Customers of these carding shops who chose to use the shop’s built-in (but a-la-carte) card checking service from Try2Check could expect automatic refunds on any cards that were found to be inactive or canceled at the time of purchase.

Many established stolen card shops will allow customers to request refunds on dead cards based on official reports from trusted third-party checking services. But in general, the bigger shops have steered customers toward using their own white-labeled version of the Try2Check service — primarily to help minimize disputes over canceled cards.

On Wednesday, May 3, Try2Check’s websites were replaced with a domain seizure notice from the U.S. Secret Service and U.S. Department of Justice, as prosecutors in the Eastern District of New York unsealed an indictment and search warrant naming Denis Gennadievich Kulkov of Samara, Russia as the proprietor.

Try2Check’s login pages have been replaced with a seizure notice from U.S. law enforcement.

At the same time, the U.S. Department of State issued a $10 million reward for information leading to the arrest or conviction of Kulkov. In November 2021, the State Department began offering up to to $10 million for the name or location of any key leaders of REvil, a major Russian ransomware gang.

As noted in the Secret Service’s criminal complaint (PDF), the Try2Check service was first advertised on the closely-guarded Russian cybercrime forum Mazafaka, by someone using the handle “KreenJo.” That handle used the same ICQ instant messenger account number (555724) as a Mazafaka denizen named “Nordex.”

In February 2005, Nordex posted to Mazafaka that he was in the market for hacked bank accounts, and offered 50 percent of the take. He asked interested partners to contact him at the ICQ number 228427661 or at the email address polkas@bk.ru. As the government noted in its search warrant, Nordex exchanged messages with forum users at the time identifying himself as a then-24-year-old “Denis” from Samara, RU.

In 2017, U.S. law enforcement seized the cryptocurrency exchange BTC-e, and the Secret Service said those records show that a Denis Kulkov from Samara supplied the username “Nordexin,” email address nordexin@ya.ru, and an address in Samara.

Investigators had already found Instagram accounts where Kulkov posted pictures of his Ferrari and his family. Authorities were able to identify that Kulkov had an iCloud account tied to the address nordexin@icloud.com, and upon subpoenaing that found passport photos of Kulkov, and well as more photos of his family and pricey cars.

Like many other top cybercriminals based in Russia or in countries with favorable relations to the Kremlin, the proprietor of Try2Check was not particularly difficult to link to a real-life identity. In Kulkov’s case, it no doubt was critical to U.S. investigators that they had access to a wealth of personal information tied to a cryptocurrency exchange Kulkov had used.

However, the link between Kulkov and Try2Check can be made — ironically — based on records that have been plundered by hackers and published online over the years — including Russian email services, Russian government records, and hacked cybercrime forums.

NORDEX

Kulkov posing with his passport, in a photo authorities obtained by subpoenaing his iCloud account.

According to cybersecurity firm Constella Intelligence, the address polkas@bk.ru was used to register an account with the username “Nordex” at bankir[.]com, a now defunct news website that was almost standard reading for Russian speakers interested in news about various Russian financial markets.

Nordex appears to have been a finance nerd. In his early days on the forums, Nordex posted several long threads on his views about the Russian stock market and mutual fund investments.

That Bankir account was registered from the Internet address 193.27.237.66 in Samara, Russia, and included Nordex’s date of birth as April 8, 1980, as well as their ICQ number (228427661).

Cyber intelligence firm Intel 471 found that Internet address also was used to register the account “Nordex” on the Russian hacking forum Exploit back in 2006.

Constella tracked another Bankir[.]com account created from that same Internet address under the username “Polkas.” This account had the same date of birth as Nordex, but a different email address: nordia@yandex.ru. This and other “nordia@” emails shared a password: “anna59.”

NORDIA

Nordia@yandex.ru shares several passwords with nordia@list.ru, which Constella says was used to create an account at a religious website for an Anna Kulikova from Samara. At the Russian home furnishing store Westwing.ru, Ms. Kulikova listed her full name as Anna Vnrhoturkina Kulikova, and her address as 29 Kommunistrecheskya St., Apt. 110.

A search on that address in Constella brings up a record for an Anna Denis Vnrhoturkina Kulkov, and the phone number 879608229389.

Russian vehicle registration records have also been hacked and leaked online over the years. Those records show that Anna’s Apt 110 address is tied to a Denis Gennadyvich Kulkov, born April 8, 1980.

The vehicle Kolkov registered in 2015 at that address was a 2010 Ferrari Italia, with the license plate number K022YB190. The phone number associated with this record — 79608229389 — is exactly like Anna’s, only minus the (mis?)leading “8”. That number also is tied to a now-defunct Facebook account, and to the email addresses nordexin@ya.ru and nordexin@icloud.com.

Kulkov’s Ferrari has been photographed numerous times over the years by Russian car aficionados, including this one with the driver’s face redacted by the photographer:

The Ferrari owned by Denis Kulkov, spotted in Moscow in 2016. Image: Migalki.net.

As the title of this story suggests, the hard part for Western law enforcement isn’t identifying the Russian cybercriminals who are major players in the scene. Rather, it’s finding creative ways to capture high-value suspects if and when they do leave the protection that Russia generally extends to domestic cybercriminals within its borders who do not also harm Russian companies or consumers, or interfere with state interests.

But Russia’s war against Ukraine has caused major fault lines to appear in the cybercrime underground: Cybercriminal syndicates that previously straddled Russia and Ukraine with ease were forced to reevaluate many comrades who were suddenly working for The Other Side.

Many cybercriminals who operated with impunity from Russia and Ukraine prior to the war chose to flee those countries following the invasion, presenting international law enforcement agencies with rare opportunities to catch most-wanted cybercrooks. One of those was Mark Sokolovsky, a 26-year-old Ukrainian man who operated the popular “Raccoon” malware-as-a-service offering; Sokolovsky was apprehended in March 2022 after fleeing Ukraine’s mandatory military service orders.

Also nabbed on the lam last year was Vyacheslav “Tank” Penchukov, a senior Ukrainian member of a transnational cybercrime group that stole tens of millions of dollars over nearly a decade from countless hacked businesses. Penchukov was arrested after leaving Ukraine to meet up with his wife in Switzerland.

The United Kingdom’s National Crime Agency (NCA) has been busy setting up phony DDoS-for-hire websites that seek to collect information on users, remind them that launching DDoS attacks is illegal, and generally increase the level of paranoia for people looking to hire such services.

The warning displayed to users on one of the NCA’s fake booter sites. Image: NCA.

The NCA says all of its fake so-called “booter” or “stresser” sites — which have so far been accessed by several thousand people — have been created to look like they offer the tools and services that enable cyber criminals to execute these attacks.

“However, after users register, rather than being given access to cyber crime tools, their data is collated by investigators,” reads an NCA advisory on the program. “Users based in the UK will be contacted by the National Crime Agency or police and warned about engaging in cyber crime. Information relating to those based overseas is being passed to international law enforcement.”

The NCA declined to say how many phony booter sites it had set up, or for how long they have been running. The NCA says hiring or launching attacks designed to knock websites or users offline is punishable in the UK under the Computer Misuse Act 1990.

“Going forward, people who wish to use these services can’t be sure who is actually behind them, so why take the risk?” the NCA announcement continues.

The NCA campaign comes closely on the heels of an international law enforcement takedown involving four-dozen websites that made powerful DDoS attacks a point-and-click operation.

In mid-December 2022, the U.S. Department of Justice (DOJ) announced “Operation Power Off,” which seized four-dozen booter business domains responsible for more than 30 million DDoS attacks, and charged six U.S. men with computer crimes related to their alleged ownership of popular DDoS-for-hire services. In connection with that operation, the NCA also arrested an 18-year-old man suspected of running one of the sites.

According to U.S. federal prosecutors, the use of booter and stresser services to conduct attacks is punishable under both wire fraud laws and the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and may result in arrest and prosecution, the seizure of computers or other electronics, as well as prison sentences and a penalty or fine.

The United Kingdom, which has been battling its fair share of domestic booter bosses, started running online ads in 2020 aimed at young people who search the Web for booter services.

As part of last year’s mass booter site takedown, the FBI and the Netherlands Police joined the NCA in announcing they are running targeted placement ads to steer those searching for booter services toward a website detailing the potential legal risks of hiring an online attack.

Authorities in the United States, Germany, the Netherlands and the U.K. last week said they dismantled the “RSOCKS” botnet, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer. While the coordinated action did not name the Russian hackers allegedly behind RSOCKS, KrebsOnSecurity has identified its owner as a 35-year-old Russian man living abroad who also runs the world’s top Russian spamming forum.

The RUSdot mailer, the email spamming tool made and sold by the administrator of RSOCKS.

According to a statement by the U.S. Department of Justice, RSOCKS offered clients access to IP addresses assigned to devices that had been hacked:

“A cybercriminal who wanted to utilize the RSOCKS platform could use a web browser to navigate to a web-based ‘storefront’ (i.e., a public web site that allows users to purchase access to the botnet), which allowed the customer to pay to rent access to a pool of proxies for a specified daily, weekly, or monthly time period. The cost for access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.”

The DOJ’s statement doesn’t mention that RSOCKS has been in operation since 2014, when access to the web store for the botnet was first advertised on multiple Russian-language cybercrime forums.

The user “RSOCKS” on the Russian crime forum Verified changed his name to RSOCKS from a previous handle: “Stanx,” whose very first sales thread on Verified in 2016 quickly ran afoul of the forum’s rules and prompted a public chastisement by the forum’s administrator.

Verified was hacked twice in the past few years, and each time the private messages of all users on the forum were leaked. Those messages show that after being warned of his forum infraction, Stanx sent a private message to the Verified administrator detailing his cybercriminal bona fides.

“I am the owner of the RUSdot forum (former Spamdot),” Stanx wrote in Sept. 2016. “In spam topics, people know me as a reliable person.”

A Google-translated version of the Rusdot spam forum.

RUSdot is the successor forum to Spamdot, a far more secretive and restricted forum where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the community’s implosion in 2010. Even today, the RUSdot Mailer is advertised for sale at the top of the RUSdot community forum.

Stanx said he was a longtime member of several major forums, including the Russian hacker forum Antichat (since 2005), and the Russian crime forum Exploit (since April 2013). In an early post to Antichat in January 2005, Stanx disclosed that he is from Omsk, a large city in the Siberian region of Russia.

According to the cyber intelligence firm Intel 471, the user Stanx indeed registered on Exploit in 2013, using the email address stanx@rusdot.com, and the ICQ number 399611. A search in Google for that ICQ number turns up a cached version of a Vkontakte profile for a Denis “Neo” Kloster, from Omsk, Russia.

Cybersecurity firm Constella Intelligence shows that in 2017, someone using the email address istanx@gmail.com registered at the Russian freelancer job site fl.ru with the profile name of “Denis Kloster” and the Omsk phone number of 79136334444.

That phone number is tied to the WHOIS registration records for multiple domain names over the years, including proxy[.]info, allproxy[.]info, kloster.pro and deniskloster.com.

A copy of the passport for Denis Kloster, as posted to his Vkontakte page in 2019. It shows that in Oct. 2019, he obtained a visa from the American Embassy in Bangkok, Thailand.

The “about me” section of DenisKloster.com says the 35-year-old was born in Omsk, that he got his first computer at age 12, and graduated from high school at 16. Kloster says he’s worked in many large companies in Omsk as a system administrator, web developer and photographer.

According to Kloster’s blog, his first real job was running an “online advertising” firm he founded called Internet Advertising Omsk (“riOmsk“), and that he even lived in New York City for a while.

“Something new was required and I decided to leave Omsk and try to live in the States,” Kloster wrote in 2013. “I opened an American visa for myself, it was not difficult to get. And so I moved to live in New York, the largest city in the world, in a country where all wishes come true. But even this was not enough for me, and since then I began to travel the world.”

The current version of the About Me page on Kloster’s site says he closed his advertising business in 2013 to travel the world and focus on his new company: One that provides security and anonymity services to customers around the world. Kloster’s vanity website and LinkedIn page both list him as CEO of a company called “SL MobPartners.”

In 2016, Deniskloster.com featured a post celebrating three years in operation. The anniversary post said Kloster’s anonymity business had grown to nearly two dozen employees, all of whom were included in a group photo posted to that article (and some of whom Kloster thanked by their first names and last initials).

The employees who kept things running for RSOCKS, circa 2016.

“Thanks to you, we are now developing in the field of information security and anonymity!,” the post enthuses. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”

Mr. Kloster did not respond to repeated requests for comment.

It’s not clear if the coordinated takedown targeting the RSOCKS botnet will be permanent, as the botnet’s owners could simply rebuild — and possibly rebrand — their crime machine. But the malware-based proxy services have struggled to remain competitive in a cybercrime market with increasingly sophisticated proxy services that offer many additional features.

The demise of RSOCKS follows closely on the heels of VIP72[.]com, a competing proxy botnet service that operated for a decade before its owners pulled the plug on the service last year.

The U.S. Department of Justice (DOJ) said today it seized the website and user database for RaidForums, an extremely popular English-language cybercrime forum that sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches since 2015. The DOJ also charged the alleged administrator of RaidForums — 21-year-old Diogo Santos Coelho, of Portugal — with six criminal counts, including conspiracy, access device fraud and aggravated identity theft.

The “raid” in RaidForums is a nod to the community’s humble beginnings in 2015, when it was primarily an online venue for organizing and supporting various forms of electronic harassment. According to the DOJ, that early activity included ‘raiding‘ — posting or sending an overwhelming volume of contact to a victim’s online communications medium — and ‘swatting,’ the practice of making false reports to public safety agencies of situations that would necessitate a significant, and immediate armed law enforcement response.”

But over the years as trading in hacked databases became big business, RaidForums emerged as the go-to place for English-speaking hackers to peddle their wares. Perhaps the most bustling marketplace within RaidForums was its “Leaks Market,” which described itself as a place to buy, sell, and trade hacked databases and leaks.

The government alleges Coelho and his forum administrator identity “Omnipotent” profited from the illicit activity on the platform by charging “escalating prices for membership tiers that offered greater access and features, including a top-tier ‘God’ membership status.”

“RaidForums also sold ‘credits’ that provided members access to privileged areas of the website and enabled members to ‘unlock’ and download stolen financial information, means of identification, and data from compromised databases, among other items,” the DOJ said in a written statement. “Members could also earn credits through other means, such as by posting instructions on how to commit certain illegal acts.”

Prosecutors say Coelho also personally sold stolen data on the platform, and that Omnipotent directly facilitated illicit transactions by operating a fee-based “Official Middleman” service, a kind of escrow or insurance service that denizens of RaidForums were encouraged to use when transacting with other criminals.

Investigators described multiple instances wherein undercover federal agents or confidential informants used Omnipotent’s escrow service to purchase huge tranches of data from one of Coelho’s alternate user  identities — meaning Coelho not only sold data he’d personally hacked but also further profited by insisting the transactions were handled through his own middleman service.

Not all of those undercover buys went as planned. One incident described in an affidavit by prosecutors (PDF) appears related to the sale of tens of millions of consumer records stolen last year from T-Mobile, although the government refers to the victim only as a major telecommunications company and wireless network operator in the United States.

On Aug. 11, 2021, an individual using the moniker “SubVirt” posted on RaidForums an offer to sell Social Security numbers, dates of birth and other records on more than 120 million people in the United States (SubVirt would later edit the sales thread to say 30 million records). Just days later, T-Mobile would acknowledge a data breach affecting 40 million current, former or prospective customers who applied for credit with the company.

The government says the victim firm hired a third-party to purchase the database and prevent it from being sold to cybercriminals. That third-party ultimately paid approximately $200,000 worth of bitcoin to the seller, with the agreement that the data would be destroyed after sale. “However, it appears the co-conspirators continued to attempt to sell the databases after the third-party’s purchase,” the affidavit alleges.

The FBI’s seizure of RaidForums was first reported by KrebsOnSecurity on Mar. 23, after a federal investigator confirmed rumors that the FBI had been secretly operating the RaidForums website for weeks.

Coelho landed on the radar of U.S. authorities in June 2018, when he tried to enter the United States at the Hartsfield-Jackson International Airport in Atlanta. The government obtained a warrant to search the electronic devices Coelho had in his luggage and found text messages, files and emails showing he was the RaidForums administrator Omnipotent.

“In an attempt to retrieve his items, Coelho called the lead FBI case agent on or around August 2, 2018, and used the email address unrivalled@pm.me to email the agent,” the government’s affidavit states. Investigators found this same address was used to register rf.ws and raid.lol, which Omnipotent announced on the forum would serve as alternative domain names for RaidForums in case the site’s primary domain was seized.

The DOJ said Coelho was arrested in the United Kingdom on January 31, at the United States’ request, and remains in custody pending the resolution of his extradition hearing. A statement from the U.K.’s National Crime Agency (NCA) said the RaidForum’s takedown was the result of “Operation Tourniquet,” which was carried out by the NCA in cooperation with the United Staes, Europol and four other countries, and resulted in “a number of linked arrests.”

A copy of the indictment against Coelho is available here (PDF).

The U.S. Federal Bureau of Investigation (FBI) says it has disrupted a giant botnet built and operated by a Russian government intelligence unit known for launching destructive cyberattacks against energy infrastructure in the United States and Ukraine. Separately, law enforcement agencies in the U.S. and Germany moved to decapitate “Hydra,” a billion-dollar Russian darknet drug bazaar that also helped to launder the profits of multiple Russian ransomware groups.

FBI officials said Wednesday they disrupted “Cyclops Blink,” a collection of compromised networking devices managed by hackers working with the Russian Federation’s Main Intelligence Directorate (GRU).

A statement from the U.S. Department of Justice (DOJ) says the GRU’s hackers built Cyclops Blink by exploiting previously undocumented security weaknesses in firewalls and routers made by both ASUS and WatchGuard Technologies. The DOJ said it did not seek to disinfect compromised devices; instead, it obtained court orders to remove the Cyclops Blink malware from its “command and control” servers — the hidden machines that allowed the attackers to orchestrate the activities of the botnet.

The FBI and other agencies warned in March that the Cyclops Blink malware was built to replace a threat called “VPNFilter,” an earlier malware platform that targeted vulnerabilities in a number of consumer-grade wireless and wired routers. In May 2018, the FBI executed a similar strategy to dismantle VPNFilter, which had spread to more than a half-million consumer devices.

On April 1, ASUS released updates to fix the security vulnerability in a range of its Wi-Fi routers. Meanwhile, WatchGuard appears to have silently fixed its vulnerability in an update shipped almost a year ago, according to Dan Goodin at Ars Technica.

SANDWORM AND TRITON

Security experts say both VPNFilter and Cyclops Blink are the work of a hacking group known as Sandworm or Voodoo Bear, the same Russian team blamed for disrupting Ukraine’s electricity in 2015.

Sandworm also has been implicated in the “Industroyer” malware attacks on Ukraine’s power grid in December 2016, as well as the 2016 global malware contagion “NotPetya,” which crippled companies worldwide using an exploit believed to have been developed by and then stolen from the U.S. National Security Agency (NSA).

The action against Cyclops Blink came just weeks after the Justice Department unsealed indictments against four Russian men accused of launching cyberattacks on power utilities in the United States and abroad.

One of the indictments named three officers of Russia’s Federal Security Service (FSB) suspected of being members of Berserk Bear, a.k.a. Dragonfly 2.0, a.k.a. Havex, which has been blamed for targeting electrical utilities and other critical infrastructure worldwide and is widely believed to be working at the behest of the Russian government.

The other indictment named Russians affiliated with a skilled hacking group known as “Triton” or “Trisis,” which infected a Saudi oil refinery with destructive malware in 2017, and then attempted to do the same to U.S. energy facilities.

The Justice Department said that in Dragonfly’s first stage between 2012 and 2014, the defendants hacked into computer networks of industrial control systems (ICS) companies and software providers, and then hid malware inside legitimate software updates for such systems.

“After unsuspecting customers downloaded Havex-infected updates, the conspirators would use the malware to, among other things, create backdoors into infected systems and scan victims’ networks for additional ICS/SCADA devices,” the DOJ said. “Through these and other efforts, including spearphishing and “watering hole” attacks, the conspirators installed malware on more than 17,000 unique devices in the United States and abroad, including ICS/SCADA controllers used by power and energy companies.”

In Dragonfly’s second iteration between 2014 and 2017, the hacking group spear-phished more than 3,300 people at more than 500 U.S. and international companies and entities, including U.S. federal agencies like the Nuclear Regulatory Commission.

“In some cases, the spearphishing attacks were successful, including in the compromise of the business network (i.e., involving computers not directly connected to ICS/SCADA equipment) of the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas, which operates a nuclear power plant,” the DOJ’s account continues. “Moreover, after establishing an illegal foothold in a particular network, the conspirators typically used that foothold to penetrate further into the network by obtaining access to other computers and networks at the victim entity.”

HYDRA

Federation Tower, Moscow. Image: Evgeniy Vasilev.

Also this week, German authorities seized the server infrastructure for the Hydra Market, a bustling underground market for illegal narcotics, stolen data and money laundering that’s been operating since 2015. The German Federal Criminal Police Office (BKA) said Hydra had roughly 17 million customers, and over 19,000 vendors, with sales amounting to at least 1.23 billion euros in 2020 alone.

In a statement on the Hydra takedown, the U.S. Department of Treasury said blockchain researchers had determined that approximately 86 percent of the illicit Bitcoin received directly by Russian virtual currency exchanges in 2019 came from Hydra.

Treasury sanctioned a number of cryptocurrency wallets associated with Hydra and with a virtual currency exchange called “Garantex,” which the agency says processed more than $100 million in transactions associated with illicit actors and darknet markets. That amount included roughly $8 million in ransomware proceeds laundered through Hydra on behalf of multiple ransomware groups, including Ryuk and Conti.

“Today’s action against Hydra and Garantex builds upon recent sanctions against virtual currency exchanges SUEX and CHATEX, both of which, like Garantex, operated out of Federation Tower in Moscow, Russia,” the Treasury Department said.

An Estonian man was sentenced today to more than five years in a U.S. prison for his role in at least 13 ransomware attacks that caused losses of approximately $53 million. Prosecutors say the accused also enjoyed a lengthy career of “cashing out” access to hacked bank accounts worldwide.

Maksim Berezan, 37, is an Estonian national who was arrested nearly two years ago in Latvia. U.S. authorities alleged Berezan was a longtime member of DirectConnection, a closely-guarded Russian cybercriminal forum that existed until 2015. Berezan’s indictment (PDF) says he used his status at DirectConnection to secure cashout jobs from other vetted crooks on the exclusive crime forum.

Berezan specialized in cashouts and “drops.” Cashouts refer to using stolen payment card data to make fraudulent purchases or to withdraw money from bank accounts without authorization. A drop is a location or individual able to securely receive and forward funds or goods obtained through cashouts or other types of fraud. Drops typically are used to make it harder for law enforcement to trace fraudulent transactions and to circumvent fraud detection measures used by banks and credit card companies.

Acting on information from U.S. authorities, in November 2020 Latvian police searched Berezan’s residence there and found a red Porsche Carrera 911, a black Porsche Cayenne, a Ducati motorcycle, and an assortment of jewelry. They also seized $200,000 in currency, and $1.7 million in bitcoin.

After Berezan was extradited to the United States in December 2020, investigators searching his electronic devices said they found “significant evidence of his involvement in ransomware activity.”

“The post-extradition investigation determined that Berezan had participated in at least 13 ransomware attacks, 7 of which were against U.S. victims, and that approximately $11 million in ransom payments flowed into cryptocurrency wallets that he controlled,” reads a statement from the U.S. Department of Justice.

Berezan pleaded guilty in April 2021 to conspiracy to commit wire fraud.

The DirectConnection cybercrime forum, circa 2011.

For many years on DirectConnection and other crime forums, Berezan went by the hacker alias “Albanec.” Investigators close to the case told KrebsOnSecurity that Albanec was involved in multiple so-called “unlimited” cashouts, a highly choreographed, global fraud scheme in which crooks hack a bank or payment card processor and used cloned payment cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours.

Berezan joins a growing list of top cybercriminals from DirectConnection who’ve been arrested and convicted of cybercrimes since the forum disappeared years ago. One of Albanec’s business partners on the forum was Sergey “Flycracker” Vovnenko, a Ukrainian man who once ran his own cybercrime forum and who in 2013 executed a plot to have heroin delivered to our home in a bid to get Yours Truly arrested for drug possession. Vovnenko was later arrested, extradited to the United States, pleaded guilty and spent more than three years in prison on botnet-related charges (Vovnenko is now back in Ukraine, trying to fight the Russian invasion with his hacking abilities).

Perhaps the most famous DirectConnection member was its administrator Aleksei Burkov, a Russian hacker thought to be so connected to the Russian cybercriminal scene that he was described as an “asset of extreme importance to Moscow.” Burkov was arrested in Israel in 2015, and the Kremlin arrested an Israeli woman on trumped-up drug charges to force a prisoner swap.

That effort failed. Burkov was extradited to the U.S. in 2019, soon pleaded guilty, and was sentenced to nine years. However, he was recently deported back to Russia prior to serving his full sentence, which has prompted Republican leaders in the House to question why.

Other notable cybercrooks from DirectConnection who’ve been arrested, extradited to the U.S. and sentenced to prison include convicted credit card fraudsters Vladislav “Badb” Horohorin and Sergey “zo0mer” Kozerev, as well as the infamous spammer and botnet master Peter “Severa” Levashov.

At his sentencing today, Berezan was sentenced to 66 months in prison and ordered to pay $36 million in restitution to his victims. A source close to the investigation said Berezan’s sentence likely would have been far more severe had he not entered into a cooperation agreement to share useful information with U.S. authorities.