In 2020, america introduced costs in opposition to 4 males accused of constructing a bulletproof internet hosting empire that when dominated the Russian cybercrime business and supported a number of organized cybercrime teams. All 4 pleaded responsible to conspiracy and racketeering costs. However there’s a fascinating and untold backstory behind the 2 Russian males concerned, who co-ran the world’s high spam discussion board and labored carefully with Russia’s most harmful cybercriminals.
From January 2005 to April 2013, there have been two main directors of the cybercrime discussion board Spamdot (a.ok.a Spamit), an invite-only group for Russian-speaking folks within the companies of sending spam and constructing botnets of contaminated computer systems to relay stated spam. The Spamdot admins glided by the nicknames Icamis (a.ok.a. Ika), and Salomon (a.ok.a. Sal).
Spamdot discussion board administrator “Ika” a.ok.a. “Icamis” responds to a message from “Tarelka,” the botmaster behind the Rustock botnet. Dmsell stated: “I’m really very glad that I switched to authorized spam mailing,” prompting Tarelka and Ika to scoff.
As detailed in my 2014 e-book, Spam Nation, Spamdot was dwelling to crooks controlling a few of the world’s nastiest botnets, international malware contagions that glided by unique names like Rustock, Cutwail, Mega-D, Festi, Waledac, and Grum.
Icamis and Sal had been in each day communications with these botmasters, through the Spamdot discussion board and personal messages. Collectively in management over tens of millions of spam-spewing zombies, these botmasters additionally constantly harvested passwords and different knowledge from contaminated machines.
As we’ll see in a second, Salomon is now behind bars, partly as a result of he helped to rob dozens of small companies in america utilizing a few of those self same harvested passwords. He’s at present housed in a federal jail in Michigan, serving the ultimate stretch of a 60-month sentence.
However the id and whereabouts of Icamis have remained a thriller to this writer till not too long ago. For years, safety consultants — and certainly, many high cybercriminals within the Spamit associates program — have expressed the assumption that Sal and Icamis had been doubtless the identical particular person utilizing two completely different identities. And there have been many good causes to assist this conclusion.
For instance, in 2010 Spamdot and its spam associates program Spamit had been hacked, and its consumer database exhibits Sal and Icamis usually accessed the discussion board from the identical Web handle — often from Cherepovets, an industrial city located roughly 230 miles north of Moscow. Additionally, it was widespread for Icamis to answer when Spamdot members communicated a request or grievance to Sal, and vice versa.
Picture: maps.google.com
Nonetheless, different clues urged Icamis and Sal had been two separate people. For starters, they ceaselessly modified the standing on their on the spot messenger shoppers at completely different instances. Additionally, they every privately mentioned with others having attended completely different universities.
KrebsOnSecurity started researching Icamis’s real-life id in 2012, however did not revisit any of that analysis till not too long ago. In December 2023, KrebsOnSecurity revealed new particulars in regards to the id of “Rescator,” a Russian cybercriminal who’s regarded as carefully linked to the 2013 knowledge breach at Goal.
That story talked about Rescator’s real-life id was uncovered by Icamis in April 2013, as a part of a prolonged farewell letter Ika wrote to Spamdot members whereby Ika stated he was closing the discussion board and quitting the cybercrime enterprise totally.
To nobody’s shock, Icamis didn’t give up the enterprise: He merely turned extra quiet and circumspect about his work, which more and more was targeted on serving to crime teams siphon funds from U.S. financial institution accounts. However the Rescator story was a reminder that 10 years price of analysis on who Ika/Icamis is in actual life had been fully put aside. This submit is an try and treatment that omission.
The farewell submit from Ika (aka Icamis), the administrator of each the BlackSEO discussion board and Pustota, the successor discussion board to Spamit/Spamdot.
GENTLEMEN SCAMMERS
Icamis and Sal supplied a complete package deal of products and providers that any aspiring or achieved spammer would want on a day-to-day foundation: Nearly limitless bulletproof area registration and internet hosting providers, in addition to providers that helped botmasters evade spam block lists generated by anti-spam teams like Spamhaus.org. Right here’s snippet of Icamis’s advert on Spamdot from Aug. 2008, whereby he addresses discussion board members with the salutation, “Howdy Gents Scammers.”
We’re glad to current you our providers!
Many are already conscious (and are our shoppers), however publicity isn’t superfluous. 🙂Domains.
– all main gtlds (com, internet, org, information, biz)
– many attention-grabbing and uninteresting cctlds
– choices for any matter
– processing of any portions
– ensures
– exceptionally low costs for domains for white and grey schemes (together with any website positioning and affiliate spam )
– management panel with balances and auto-registration
– all providers beneath the Ikamis model, confirmed through the years;)Servers.
– long-term partnerships with a number of [data centers] in a number of elements of the world for any matter
– your individual knowledge heart (now not in Russia ;)) for grey and white subjects
– any configuration and any {hardware}
– your individual IP networks (PI, not PA) and full authorized assist
– realtime backups to impartial websites
– ensures and full duty for the providers offered
– non-standard gear on request
– our personal admins to resolve any technical points (providers are free for shoppers)
– internet hosting (shared and vps) can be attainableNon-standard and associated providers.
– ssl certificates signed by geotrust and thawte
– previous domains (any yr, any amount)
– stunning domains (key phrase, quick, and so on.)
– domains with indicators (any, for website positioning, and so on.)
– making unstable gtld domains steady
– interception and hijacking of customized domains (costly)
– full area posting through internet.archive.org with restoration of native content material (preliminary purposes)
– any updates to our panels to fit your wants upon request (our personal coders)All orders for the “Domains” sections and “Servers” are carried out throughout the day (relying on our workload).
For non-standard and associated providers, a preliminary software is required 30 days upfront (aside from ssl certificates – inside 24 hours).
Icamis and Sal ceaselessly claimed that their service saved Spamhaus and different anti-spam teams a number of steps behind their operations. Nevertheless it’s clear that these anti-spam operations had an actual and painful impression on spam revenues, and Salomon was obsessive about hanging again at anti-spam teams, notably Spamhaus.
In 2007, Salomon collected greater than $3,000 from botmasters affiliated with competing spam affiliate packages that needed to see Spamhaus undergo, and the cash was used to fund a week-long distributed denial-of-service (DDoS) assault in opposition to Spamhaus and its on-line infrastructure. However quite than divert their spam botnets from their regular exercise and thereby lower gross sales, the botmasters voted to create a brand new DDoS botnet by buying installations of DDoS malware on hundreds of already-hacked PCs (at a fee of $25 per 1,000 installs).
SALOMON
As an affiliate of Spamdot, Salomon used the e-mail handle ad1@safe-mail.internet, and the password 19871987gr. The breach monitoring service Constella Intelligence discovered the password 19871987gr was utilized by the e-mail handle grichishkin@gmail.com. A number of accounts are registered to that e-mail handle beneath the title Alexander Valerievich Grichishkin, from Cherepovets.
In 2020, Grichishkin was arrested outdoors of Russia on a warrant for offering bulletproof internet hosting providers to cybercriminal gangs. The U.S. authorities stated Grichishkin and three others arrange the infrastructure utilized by cybercriminals between 2009 to 2015 to distribute malware and assault monetary establishments and victims all through america.
These shoppers included crooks utilizing malware like Zeus, SpyEye, Citadel and the Blackhole exploit equipment to construct botnets and steal banking credentials.
“The Group and its members helped their shoppers to entry computer systems with out authorization, steal monetary info (together with banking credentials), and provoke unauthorized wire transfers from victims’ monetary accounts,” the federal government’s grievance said.
Grichishkin pleaded responsible to conspiracy costs and was sentenced to 4 years in jail. He’s 36 years previous, has a spouse and youngsters in Thailand, and is slated for launch on February 8, 2024.
ICAMIS, THE PHANTOM GRADUATE
The id of Icamis got here into view when KrebsOnSecurity started specializing in clues which may join Icamis to Cherepovets (Ika’s obvious hometown primarily based on the Web addresses he frequently used to entry Spamdot).
Historic area possession information from DomainTools.com reveal that most of the e-mail addresses and domains linked to Icamis invoke the title “Andrew Artz,” together with icamis[.]ws, icamis[.]ru, and icamis[.]biz. Icamis promoted his providers in 2003 — reminiscent of bulk-domains[.]information — utilizing the e-mail handle icamis@4host.information. From considered one of his advertisements in 2005:
Domains For Initiatives Marketed By Spam
I can register bulletproof domains for websites and initiatives marketed by spam(after all they should be authorized). I cannot present DNS for u, solely domains. The worth will probably be:
65$ for area[if u will buy less than 5 domains]
50$ for area[more than 5 domains]
45$ for area[more than 10 domains]
These costs are for domains within the .internet & .com zones.
If u wish to order domains write me to: icamis@4host.information
In 2009, an “Andrew Artz” registered on the internet hosting service FirstVDS.com utilizing the e-mail handle icamis@4host.information, with a notation saying the corporate title hooked up to the account was “WMPay.” Likewise, the bulletproof area service icamis[.]ws was registered to an Andrew Artz.
The area wmpay.ru is registered to the phonetically comparable title “Andrew Hertz,” at andrew@wmpay.ru. A search on “icamis.ru” in Google brings up a 2003 submit by him on a dialogue discussion board designed by and for college kids of Amtek, a secondary faculty in Cherepovets (Icamis was commenting from an Web handle in Cherepovets).
The web site amtek-foreva-narod.ru continues to be on-line, and it hyperlinks to a number of yearbooks for Amtek graduates. It states that the yearbook for the Amtek class of 2004 is hosted at 41.wmpay[.]com.
The yearbook pictures for the Amtek class of 2004 aren’t listed within the Wayback Machine at archive.org, however the names and nicknames of 16 college students stay. Nevertheless, it seems that the entry for one scholar — the Wmpay[.]com website administrator — was eliminated sooner or later.
In 2004, the administrator of the Amtek dialogue discussion board — a 2003 graduate who used the deal with “Grand” — noticed that there have been three folks named Andrey who graduated from Amtek in 2004, however considered one of them was conspicuously absent from the yearbook at wmpay[.]ru: Andrey Skvortsov.
To deliver this full circle, Icamis was Andrey Skvortsov, the opposite Russian man charged alongside Grichiskin (the 2 others who pleaded responsible to conspiracy costs had been from Estonia and Lithuania). The entire defendants in that case pleaded responsible to conspiracy to interact in a Racketeer Influenced Corrupt Group (RICO).
[Author’s note: No doubt government prosecutors had their own reasons for omitting the nicknames of the defendants in their press releases, but that information sure would have saved me a lot of time and effort].
SKVORTSOV AND THE JABBERZEUS CREW
Skvortsov was sentenced to time served, and presumably deported. His present whereabouts are unknown and he was not reachable for remark through his recognized contact addresses.
The federal government says Ika and Sal’s bulletproof internet hosting empire offered intensive assist for a extremely damaging cybercrime group often called the JabberZeus Crew, which labored carefully with the writer of the Zeus Trojan — Evgeniy Mikhailovich Bogachev — to develop a then-advanced pressure of the Zeus malware that was designed to defeat one-time codes for authentication. Bogachev is a high Russian cybercriminal with a standing $3 million bounty on his head from the FBI.
The JabberZeus Crew stole cash by consistently recruiting cash mules, folks in america and in Europe who could possibly be enticed or tricked into forwarding cash stolen from cybercrime victims. Curiously, Icamis’s numerous e-mail addresses are linked to web sites for an enormous community of phony know-how corporations that claimed they wanted folks with financial institution accounts to assist pay their abroad staff.
Icamis used the e-mail handle tech@safe-mail.internet on Spamdot, and this e-mail handle is tied to the registration information for a number of phony know-how corporations that had been set as much as recruit cash mules.
One such website — sun-technology[.]internet — marketed itself as a Hong Kong-based electronics agency that was on the lookout for “trustworthy, accountable and motivated folks in UK, USA, AU and NZ to be Gross sales Representatives in your specific area and obtain funds from our shoppers. Agent fee is 5 % of complete quantity acquired to the private checking account. Chances are you’ll use your present checking account or open a brand new one for these functions.”
In January 2010, KrebsOnSecurity broke the information that the JabberZeus crew had simply used cash mules to steal $500,000 from tiny Duanesburg Central Faculty District in upstate New York. As a part of his sentence, Skvortsov was ordered to pay $497,200 in restitution to the Duanesburg Central Faculty District.
The JabberZeus Crew operated primarily out of the japanese Ukraine metropolis of Donetsk, which was all the time pro-Russia and is now occupied by Russian forces. However when Russia invaded Ukraine in February 2022, the alleged chief of the infamous cybercrime gang — Vyacheslav Igoravich Andreev (a.ka. Penchukov) — fled his obligatory army service orders and was arrested in Geneva, Switzerland. He’s at present in federal custody awaiting trial, and is slated to be arraigned in U.S. federal courtroom tomorrow (Jan. 9, 2024). A duplicate of the indictment in opposition to Andreev is right here (PDF).
Andreev, aka “Tank,” seen right here performing as a DJ in Ukraine in an undated photograph from social media.
