Final week, KrebsOnSecurity broke the information that one of many largest cybercrime companies for laundering stolen merchandise was hacked just lately, exposing its inside operations, funds and organizational construction. In right now’s Half II, we’ll look at clues in regards to the real-life id of “Fearlless,” the nickname chosen by the proprietor of the SWAT USA Drops service.
Primarily based in Russia, SWAT USA recruits folks in the US to reship packages containing expensive electronics which might be bought with stolen bank cards. As detailed in this Nov. 2 story, SWAT at present employs greater than 1,200 U.S. residents, all of whom will likely be minimize free and not using a promised payday on the finish of their first month reshipping stolen items.
The present co-owner of SWAT, a cybercriminal who makes use of the nickname “Fearlless,” operates totally on the cybercrime discussion board Verified. This Russian-language discussion board has tens of 1000’s of members, and it has suffered a number of hacks that uncovered greater than a decade’s price of consumer information and direct messages.
January 2021 posts on Verified present that Fearlless and his associate Universalo bought the SWAT reshipping enterprise from a Verified member named SWAT, who’d been working the service for years. SWAT agreed to switch the enterprise in alternate for 30 p.c of the web revenue over the following six months.
Cyber intelligence agency Intel 471 says Fearlless first registered on Verified in February 2013. The e-mail deal with Fearlless used on Verified leads nowhere, however a assessment of Fearlless’ direct messages on Verified signifies this consumer initially registered on Verified a 12 months earlier as a reshipping vendor, underneath the alias “Apathyp.”
There are two clues supporting the conclusion that Apathyp and Fearlless are the identical particular person. First, the Verified directors warned Apathyp he had violated the discussion board’s guidelines barring the usage of a number of accounts by the identical particular person, and that Verified’s automated methods had detected that Apathyp and Fearlless have been logging in from the identical gadget. Second, in his earliest personal messages on Verified, Fearlless advised others to contact him on an prompt messenger deal with that Apathyp had claimed as his.
Intel 471 says Apathyp registered on Verified utilizing the e-mail deal with triploo@mail.ru. A search on that electronic mail deal with on the breach intelligence service Constella Intelligence discovered {that a} password generally related to it was “niceone.” However the triploo@mail.ru account isn’t linked to a lot else that’s attention-grabbing besides a now-deleted account at Vkontakte, the Russian reply to Fb.
Nevertheless, in Sept. 2020, Apathyp despatched a non-public message on Verified to the proprietor of a stolen bank card store, saying his credentials not labored. Apathyp advised the proprietor that his chosen password on the service was “12Apathy.”
A search on that password at Constella reveals it was utilized by simply 4 completely different electronic mail addresses, two of that are notably attention-grabbing: gezze@yandex.ru and gezze@mail.ru. Constella found that each of those addresses have been beforehand related to the identical password as triploo@mail.ru — “niceone,” or some variation thereof.
Constella discovered that years in the past gezze@mail.ru was used to create a Vkontakte account underneath the title Ivan Sherban (former password: “12niceone“) from Magnitogorsk, an industrial metropolis within the southern area of Russia. That very same electronic mail deal with is now tied to a Vkontakte account for an Ivan Sherban who lists his house as Saint Petersburg, Russia. Sherban’s profile picture exhibits a closely tattooed, muscular and just lately married particular person together with his lovely new bride on the brink of drive off in a convertible sports activities automotive.
A pivotal clue for validating the analysis into Apathyp/Fearlless got here from the id intelligence agency myNetWatchman, which discovered that gezze@mail.ru at one time used the passwords “геззи1991” (gezze1991) and “gezze18081991.”
Care to put a wager on when Vkontakte says is Mr. Sherban’s birthday? Ten factors when you answered August 18 (18081991).
Mr. Sherban didn’t reply to a number of requests for remark.
