IRS used vape store receipts to gather evidence against alleged Ukrainian scammer

A number of innocuous messages proved valuable for U.S. investigators trying to slow an accused identity thief.
Vaping and e-cigarette products are displayed in a store on December 19, 2019 in New York City. (Photo by Stephanie Keith/Getty Images)

U.S. law enforcement officials gathered details about a suspected cybercriminal by collecting intelligence from his apparent messages to vape shops in Ukraine.

The accused scammer, Glib Oleksandr Ivanov-Tolpintsev, was arraigned Tuesday during an 11-minute hearing in which he appeared virtually from the Pinellas County Jail near Tampa, Fla.

Ivanov-Tolpintsev is accused of accessing victims’ username and password credentials between 2016 and 2020, then acting as a seller on a cybercriminal forum where he sold the sensitive data and leased access to a botnet, an army of hacked computers capable of sending spam or infecting more computers.

Using the aliases “sergios” and “mars,” Ivanov-Tolpintsev allegedly claimed that his botnet was capable of accessing 2,000 usernames and passwords a day, enabling other perpetrators to carry out identity theft or other kinds of fraud. U.S. officials accused the defendant of earning more than $80,000 as part of the scheme over four years.

The Justice Department announced Wednesday he had been extradited from Poland, where he was arrested in October 2020 in a village called Korczowa, which has a population that numbers in the hundreds.

Ivanov-Tolpintsev’s attorney, Sylvia Irwin, declined to comment on the case.

As part of a probe, police used email addresses that appeared to belong to Ivanov-Tolpintsev to accelerate their investigation, according to an affidavit filed by the Internal Revenue Service. One email address helped the Internal Revenue Service understand the suspect’s activity because of a series of messages from internet retailers.

A single message from eliq.net, a Russian-language smokeshop, contained a receipt that listed “Gleb Ivanov” as a customer who lived at an address in Chernivtsi, Ukraine, which Ivanov-Tolpintsev had listed as his hometown on his passport. The same message included his apparent phone number.

Another email, dated Feb. 1, 2016, included an attachment that confirmed a successful wire transfer to Local Vape LLC, another business. That same message included a reference to another email address, which led investigators to a record of the purchase of online gaming equipment.

The apparently poor operational security also yielded other leads for investigators. According to the affidavit, Ivanov-Tolpintsev used the same Gmail address listed in the affidavit to trade messages with a dark web associate based in China, instructing his correspondent to refer to him as “sergios” and directing the Chinese user to send further messages to a Jabber account.

The complaint was signed by a special agent in the IRS’ criminal investigation division.

The specific botnet that prosecutors accuse Ivanov-Tolpintsev of using remains unclear.

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.
