Final week, KrebsOnSecurity broke the information that one of many largest cybercrime providers for laundering stolen merchandise was hacked not too long ago, exposing its inside operations, funds and organizational construction. In immediately’s Half II, we’ll look at clues concerning the real-life id of “Fearlless,” the nickname chosen by the proprietor of the SWAT USA Drops service.
Based mostly in Russia, SWAT USA recruits individuals in america to reship packages containing dear electronics which can be bought with stolen bank cards. As detailed in this Nov. 2 story, SWAT presently employs greater than 1,200 U.S. residents, all of whom can be lower free with out a promised payday on the finish of their first month reshipping stolen items.
The present co-owner of SWAT, a cybercriminal who makes use of the nickname “Fearlless,” operates totally on the cybercrime discussion board Verified. This Russian-language discussion board has tens of 1000’s of members, and it has suffered a number of hacks that uncovered greater than a decade’s price of person information and direct messages.
January 2021 posts on Verified present that Fearlless and his companion Universalo bought the SWAT reshipping enterprise from a Verified member named SWAT, who’d been working the service for years. SWAT agreed to switch the enterprise in trade for 30 % of the online revenue over the following six months.
Cyber intelligence agency Intel 471 says Fearlless first registered on Verified in February 2013. The e-mail tackle Fearlless used on Verified leads nowhere, however a assessment of Fearlless’ direct messages on Verified signifies this person initially registered on Verified a yr earlier as a reshipping vendor, underneath the alias “Apathyp.”
There are two clues supporting the conclusion that Apathyp and Fearlless are the identical particular person. First, the Verified directors warned Apathyp he had violated the discussion board’s guidelines barring the usage of a number of accounts by the identical particular person, and that Verified’s automated methods had detected that Apathyp and Fearlless have been logging in from the identical system. Second, in his earliest personal messages on Verified, Fearlless instructed others to contact him on an instantaneous messenger tackle that Apathyp had claimed as his.
Intel 471 says Apathyp registered on Verified utilizing the e-mail tackle triploo@mail.ru. A search on that e mail tackle on the breach intelligence service Constella Intelligence discovered {that a} password generally related to it was “niceone.” However the triploo@mail.ru account isn’t related to a lot else that’s attention-grabbing besides a now-deleted account at Vkontakte, the Russian reply to Fb.
Nonetheless, in Sept. 2020, Apathyp despatched a non-public message on Verified to the proprietor of a stolen bank card store, saying his credentials now not labored. Apathyp instructed the proprietor that his chosen password on the service was “12Apathy.”
A search on that password at Constella reveals it was utilized by simply 4 totally different e mail addresses, two of that are notably attention-grabbing: gezze@yandex.ru and gezze@mail.ru. Constella found that each of those addresses have been beforehand related to the identical password as triploo@mail.ru — “niceone,” or some variation thereof.
Constella discovered that years in the past gezze@mail.ru was used to create a Vkontakte account underneath the identify Ivan Sherban (former password: “12niceone“) from Magnitogorsk, an industrial metropolis within the southern area of Russia. That very same e mail tackle is now tied to a Vkontakte account for an Ivan Sherban who lists his dwelling as Saint Petersburg, Russia. Sherban’s profile picture reveals a closely tattooed, muscular and not too long ago married particular person together with his lovely new bride on the brink of drive off in a convertible sports activities automobile.
A pivotal clue for validating the analysis into Apathyp/Fearlless got here from the id intelligence agency myNetWatchman, which discovered that gezze@mail.ru at one time used the passwords “геззи1991” (gezze1991) and “gezze18081991.”
Care to put a wager on when Vkontakte says is Mr. Sherban’s birthday? Ten factors if you happen to answered August 18 (18081991).
Mr. Sherban didn’t reply to a number of requests for remark.