Russian authorities arrested more than two dozen people as part of a law enforcement operation against an alleged network of illicit websites where users bought and sold stolen payment cards and personal data.
The Federal Security Service (FSB) on March 20 apprehended 25 people, including Russians and foreign nationals, for their alleged roles in a digital identity theft ring, the agency announced on Tuesday.
The accused scammers were allegedly running a dark web marketplace called BuyBest, or GoldenShop, and dozens of corresponding “mirror” websites, according to an alert from the threat intelligence firm Gemini Advisory, which was obtained by CyberScoop. Alexey Stroganov, an accused hacker who went by the name “Flint24,” was among those arrested, according to a court file posted on a Moscow city website. A partial list of those charged appears to have been published on a LiveJournal page.
Multiple discussion forums on Russian-language cybercriminal markets were focused on the arrests, said Harrison Van Riper, a senior analyst at the threat intelligence firm Digital Shadows. Shops allegedly operated by Flint24 and the larger group included sites on the open internet, such as wuzzup[.]com and dumpsmania24[.]com, as well as pages only accessible on the dark web.
A video first published by Russia’s state-owned Zvezda appears to show FSB officers arresting a number of alleged conspirators.
Russian law enforcement action against accused cybercriminals inside Russian borders is exceedingly rare. The Kremlin has sought to prevent the extradition of Russian nationals accused of cybercrimes to stand trial abroad. U.S. prosecutors, meanwhile, have alleged that Russian scammers sometimes coordinate their operations with the FSB, using their access to hacked American systems to benefit Russian intelligence.
In this case, according to the FSB, the suspects operated BuyBest/GoldenShop and roughly 90 mirror pages, which were meant to keep the forums running in the event a main site was shut down. Sites with names like “BuyBestCC” and “BuyBestBiz” were used to traffic stolen data. Operators also advertised their services on another forum called CarderBazar.
Gemini Advisory confirmed that BuyBest/GoldenShop and its network of other sites have gone offline. Cached web pages still available online advertise databases of stolen payment cards, including hard-to-steal debit PIN numbers, and other personal details. One site claims it’s been accessible since 2013.
“Based on the 20% to 30% commission markets generally receive, the BuyBest administrators likely generated between $14 million and $20 million USD in revenue[,]” Gemini researchers said in their internal bulletin.
Russian police say they apprehended the defendants, including Ukrainian and Lithuanian citizens, in 11 regions of Russia. Searches yielded roughly $1 million in U.S. cash, 3 million rubles, gold bars, computers, servers, firearms and counterfeit identification, including Russian passports and government documents, according to the FSB.
Exactly why police acted against this group, and not others, remains unclear. American security researchers have long suggested that Russian law enforcement would tolerate cybercriminal activity on the condition that hacking crews and forum members target only people outside the country.
Stroganov was active on multiple top-tier Russian marketplaces, researchers said. He previously served two years of a six-year sentence for a prior cybercriminal conviction, according to Gemini’s findings. Stroganov also previously operated websites dedicated to credit card fraud, with names like realplastic[.]org and carders[.]org, according to Digital Shadows.
This arrest comes after U.S. police arrested Kirill Victorovich Firsov, another Russian man, at a New York City airport in connection with an investigation into Deer.io, a hosting service meant to keep nefarious websites online. The U.S. Department of Justice announced on Tuesday it had shut down Deer.io, which claimed to oversee 24,000 active websites with more than $17 million in sales.
The two cases do not appear to be related.