U.S. law enforcement officials gathered details about a suspected cybercriminal by collecting intelligence from his apparent messages to vape shops in Ukraine.
The accused scammer, Glib Oleksandr Ivanov-Tolpintsev, was arraigned Tuesday during an 11-minute hearing in which he appeared virtually from the Pinellas County Jail near Tampa, Fla.
Ivanov-Tolpintsev is accused of accessing victims’ username and password credentials between 2016 and 2020, then acting as a seller on a cybercriminal forum where he sold the sensitive data and leased access to a botnet, an army of hacked computers capable of sending spam or infecting more computers.
Using the aliases “sergios” and “mars,” Ivanov-Tolpintsev allegedly claimed that his botnet was capable of accessing 2,000 usernames and passwords a day, enabling other perpetrators to carry out identity theft or other kinds of fraud. U.S. officials accused the defendant of earning more than $80,000 as part of the scheme over four years.
The Justice Department announced Wednesday he had been extradited from Poland, where he was arrested in October 2020 in a village called Korczowa, which has a population that numbers in the hundreds.
Ivanov-Tolpintsev’s attorney, Sylvia Irwin, declined to comment on the case.
As part of a probe, police used email addresses that appeared to belong to Ivanov-Tolpinstev to accelerate their investigation, according to an affidavit filed by the Internal Revenue Service. One email address helped the Internal Revenue Service understand the suspect’s activity because of a series of messages from internet retailers.
A single message from eliq.net, a Russian-language smokeshop, contained a receipt that listed “Gleb Ivanov” as a customer who lived at an address in Chernivtsi, Ukraine, which Ivanov-Tolpintsev had listed as his hometown on his passport. The same message included his apparent phone number.
Another email, dated Feb. 1, 2016, included an attachment that confirmed a successful wire transfer to Local Vape LLC, another business. That same message included a reference to another email address, which led investigators to a record of the purchase of online gaming equipment.
The apparently poor operational security also yielded other leads for investigators. According to the affidavit, Ivanov-Tolpintsev used the same Gmail address listed in the affidavit to trade messages with a dark web associate based in China, instructing his correspondent to refer to him as “sergios” and directing the Chinese user to send further messages to a Jabber account.
The complaint was signed by a special agent in the IRS’ criminal investigation division.
The specific botnet that prosecutors accuse Ivanov-Tolpintsev of using remains unclear.