$10M Is Yours If You Can Get This Man to Depart Russia – Krebs on Safety


The U.S. authorities this week put a $10 million bounty on a Russian man who for the previous 18 years operated Try2Check, one of many cybercrime underground’s most trusted companies for checking the validity of stolen bank card knowledge. U.S. authorities say 43-year-old Denis Kulkov‘s card-checking service made him no less than $18 million, which he used to purchase a Ferrari, Land Rover, and different luxurious gadgets.

Denis Kulkov, a.ok.a. “Nordex,” in his Ferrari. Picture: USDOJ.

Launched in 2005, Try2Check quickly was processing greater than 1,000,000 card-checking transactions per thirty days — charging 20 cents per transaction. Cybercriminals turned to companies like this after buying stolen bank card knowledge from an underground store, with a watch towards minimizing the variety of playing cards which can be inactive by the point they’re put to felony use.

Try2Check was so dependable that it will definitely turned the official card-checking service for among the underground’s most bustling crime bazaars, together with Vault Market, Unicc, and Joker’s Stash. Clients of those carding outlets who selected to make use of the store’s built-in (however a-la-carte) card checking service from Try2Check might anticipate computerized refunds on any playing cards that had been discovered to be inactive or canceled on the time of buy.

Many established stolen card outlets will permit prospects to request refunds on useless playing cards based mostly on official experiences from trusted third-party checking companies. However generally, the larger outlets have steered prospects towards utilizing their very own white-labeled model of the Try2Check service — primarily to assist reduce disputes over canceled playing cards.

On Wednesday, Could 3, Try2Check’s web sites had been changed with a website seizure discover from the U.S. Secret Service and U.S. Division of Justice, as prosecutors within the Japanese District of New York unsealed an indictment and search warrant naming Denis Gennadievich Kulkov of Samara, Russia because the proprietor.

Try2Check’s login pages have been changed with a seizure discover from U.S. legislation enforcement.

On the similar time, the U.S. Division of State issued a $10 million reward for info resulting in the arrest or conviction of Kulkov. In November 2021, the State Division started providing as much as to $10 million for the title or location of any key leaders of REvil, a serious Russian ransomware gang.

As famous within the Secret Service’s felony criticism (PDF), the Try2Check service was first marketed on the closely-guarded Russian cybercrime discussion board Mazafaka, by somebody utilizing the deal with “KreenJo.” That deal with used the identical ICQ immediate messenger account quantity (555724) as a Mazafaka denizen named “Nordex.”

In February 2005, Nordex posted to Mazafaka that he was out there for hacked financial institution accounts, and provided 50 p.c of the take. He requested companions to contact him on the ICQ quantity 228427661 or on the e-mail deal with polkas@bk.ru. As the federal government famous in its search warrant, Nordex exchanged messages with discussion board customers on the time figuring out himself as a then-24-year-old “Denis” from Samara, RU.

In 2017, U.S. legislation enforcement seized the cryptocurrency change BTC-e, and the Secret Service mentioned these information present {that a} Denis Kulkov from Samara provided the username “Nordexin,” e-mail deal with nordexin@ya.ru, and an deal with in Samara.

Investigators had already discovered Instagram accounts the place Kulkov posted photos of his Ferrari and his household. Authorities had been capable of establish that Kulkov had an iCloud account tied to the deal with nordexin@icloud.com, and upon subpoenaing that discovered passport pictures of Kulkov, and nicely as extra pictures of his household and dear automobiles.

Like many different prime cybercriminals based mostly in Russia or in nations with favorable relations to the Kremlin, the proprietor of Try2Check was not significantly tough to hyperlink to a real-life identification. In Kulkov’s case, it little doubt was crucial to U.S. investigators that that they had entry to a wealth of non-public info tied to a cryptocurrency change Kulkov had used.

Nevertheless, the hyperlink between Kulkov and Try2Check might be made — mockingly — based mostly on information which were plundered by hackers and revealed on-line through the years — together with Russian e-mail companies, Russian authorities information, and hacked cybercrime boards.

NORDEX

Kulkov posing along with his passport, in a photograph authorities obtained by subpoenaing his iCloud account.

In keeping with cybersecurity agency Constella Intelligence, the deal with polkas@bk.ru was used to register an account with the username “Nordex” at bankir[.]com, a now defunct information web site that was nearly commonplace studying for Russian audio system taken with information about varied Russian monetary markets.

Nordex seems to have been a finance nerd. In his early days on the boards, Nordex posted a number of lengthy threads on his views in regards to the Russian inventory market and mutual fund investments.

That Bankir account was registered from the Web deal with 193.27.237.66 in Samara, Russia, and included Nordex’s date of start as April 8, 1980, in addition to their ICQ quantity (228427661).

Cyber intelligence agency Intel 471 discovered that Web deal with additionally was used to register the account “Nordex” on the Russian hacking discussion board Exploit again in 2006.

Constella tracked one other Bankir[.]com account created from that very same Web deal with below the username “Polkas.” This account had the identical date of start as Nordex, however a distinct e-mail deal with: nordia@yandex.ru. This and different “nordia@” emails shared a password: “anna59.”

NORDIA

Nordia@yandex.ru shares a number of passwords with nordia@listing.ru, which Constella says was used to create an account at a spiritual web site for an Anna Kulikova from Samara. On the Russian dwelling furnishing retailer Westwing.ru, Ms. Kulikova listed her full title as Anna Vnrhoturkina Kulikova, and her deal with as 29 Kommunistrecheskya St., Apt. 110.

A search on that deal with in Constella brings up a report for an Anna Denis Vnrhoturkina Kulkov, and the cellphone quantity 879608229389.

Russian car registration information have additionally been hacked and leaked on-line through the years. These information present that Anna’s Apt 110 deal with is tied to a Denis Gennadyvich Kulkov, born April 8, 1980.

The car Kolkov registered in 2015 at that deal with was a 2010 Ferrari Italia, with the license plate quantity K022YB190. The cellphone quantity related to this report — 79608229389 — is strictly like Anna’s, solely minus the (mis?)main “8”. That quantity is also tied to a now-defunct Fb account, and to the e-mail addresses nordexin@ya.ru and nordexin@icloud.com.

Kulkov’s Ferrari has been photographed quite a few occasions through the years by Russian automobile aficionados, together with this one with the motive force’s face redacted by the photographer:

The Ferrari owned by Denis Kulkov, noticed in Moscow in 2016. Picture: Migalki.internet.

Because the title of this story suggests, the laborious half for Western legislation enforcement isn’t figuring out the Russian cybercriminals who’re main gamers within the scene. Reasonably, it’s discovering artistic methods to seize high-value suspects if and after they do go away the safety that Russia usually extends to home cybercriminals inside its borders who don’t additionally hurt Russian corporations or customers, or intervene with state pursuits.

However Russia’s battle towards Ukraine has induced main fault traces to seem within the cybercrime underground: Cybercriminal syndicates that beforehand straddled Russia and Ukraine with ease had been compelled to reevaluate many comrades who had been out of the blue working for The Different Facet.

Many cybercriminals who operated with impunity from Russia and Ukraine previous to the battle selected to flee these nations following the invasion, presenting worldwide legislation enforcement businesses with uncommon alternatives to catch most-wanted cybercrooks. A kind of was Mark Sokolovsky, a 26-year-old Ukrainian man who operated the favored “Raccoon” malware-as-a-service providing; Sokolovsky was apprehended in March 2022 after fleeing Ukraine’s necessary navy service orders.

Additionally nabbed on the lam final 12 months was Vyacheslav “Tank” Penchukov, a senior Ukrainian member of a transnational cybercrime group that stole tens of thousands and thousands of {dollars} over almost a decade from numerous hacked companies. Penchukov was arrested after leaving Ukraine to fulfill up along with his spouse in Switzerland.

Leave a Reply

Your email address will not be published. Required fields are marked *