Showing results for tags 'arrest'.
The U.S. Department of Justice today announced the arrest of a Ukrainian man accused of deploying ransomware on behalf of the REvil ransomware gang, a Russian-speaking cybercriminal collective that has extorted hundreds of millions from victim organizations. The DOJ also said it had seized $6.1 million in cryptocurrency sent to another REvil affiliate, and that the U.S. Department of State is now offering up to $10 million for the name or location of any key REvil leaders, and up to $5 million for information on REvil affiliates.

If it sounds unlikely that a normal Internet user could make millions of dollars unmasking the identities of REvil gang members, take heart and consider that the two men indicted as part of this law enforcement action do not appear to have done much to separate their cybercriminal identities from their real-life selves.

Exhibit #1: Yaroslav Vasinskyi, the 22-year-old Ukrainian national accused of being REvil Affiliate #22. Vasinskyi was arrested Oct. 8 in Poland, which maintains an extradition treaty with the United States. Prosecutors say Vasinskyi was involved in a number of REvil ransomware attacks, including the July 2021 attack against Kaseya, a Miami-based company whose products help system administrators manage large networks remotely.

Yaroslav Vasinskyi’s Vkontakte profile reads “If they tell you nasty things about me, believe every word.”

According to his indictment (PDF), Vasinskyi used a variety of hacker handles, including “Profcomserv” — the nickname behind an online service that floods phone numbers with junk calls for a fee. Prosecutors say Vasinskyi also used the monikers “Yarik45” and “Yaroslav2468.” These last two nicknames correspond to accounts on several top cybercrime forums as far back as 2013, where a user named “Yaroslav2468” registered using the email address [email protected]. That email address was used to register an account at Vkontakte (the Russian version of Facebook/Meta) under the profile name of “Yaroslav ‘sell the blood of css’ Vasinskyi.”

Vasinskyi’s Vkontakte profile says his current city as of Oct. 3 was Lublin, Poland. Perhaps tauntingly, Vasinskyi’s profile page also lists the FBI’s 1-800 tip line as his contact phone number. He’s now in custody in Poland, awaiting extradition to the United States.

Exhibit #2: Yevgeniy Igorevich Polyanin, the 28-year-old Russian national who is alleged to be REvil Affiliate #23. The DOJ said it seized $6.1 million in funds traceable to alleged ransom payments received by Polyanin, and that the defendant had been involved in REvil ransomware attacks on multiple U.S. victim organizations.

The FBI’s wanted poster for Polyanin.

Polyanin’s indictment (PDF) says he also favored numerous hacker handles, including LK4D4, Damnating, Damn2life, Noolleds, and Antunpitre. Some of these nicknames go back more than a decade on Russian cybercrime forums, many of which have been hacked and relieved of their user databases over the years. Among those was carder[.]su, and that forum’s database says a user by the name “Damnating” registered with the forum in 2008 using the email address [email protected]. Sure enough, there is a Vkontakte profile tied to that email address under the name “Yevgeniy ‘damn’ Polyanin” from Barnaul, a city in the southern Siberian region of Russia.

The apparent lack of any real operational security by either of the accused here is so common that it is hardly remarkable. As exhibited by countless investigations in my Breadcrumbs story series, I have found that if a cybercriminal is active on multiple forums over more than 10 years, it is extremely likely that person has made multiple mistakes that make it relatively easy to connect his forum persona to his real-life identity.

As I explained earlier this year in The Wages of Password Re-use: Your Money or Your Life, it’s possible in many cases to make that connection thanks to two factors. The biggest is password re-use by cybercriminals (yes, crooks are lazy, too). The other is that cybercriminal forums, services, etc. get hacked just about as much as everyone else on the Internet, and when they do, their user databases can reveal some very valuable secrets and connections.

In conjunction with today’s REvil action, the U.S. Department of State said it was offering a reward of up to $10 million for information leading to the identification or location of any individual holding a key leadership position in the REvil ransomware group. The department said it was also offering a reward of up to $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a REvil ransomware incident.

I really like this bounty offer and I hope we see more just like it for other ransomware groups. Because, as we can see from the prosecutions of both Polyanin and Vasinskyi, a lot of these guys simply aren’t too hard to find. Let the games begin.

REvil Ransom Arrest, $6M Seizure, and $10M Reward
Karlston posted a topic in Security & Privacy News

Florida teen arrested, charged with being “mastermind” of Twitter hack

The 17-year-old is facing 30 felony fraud charges.

A Florida teen has been arrested and charged with 30 felony counts related to the high-profile hijacking of more than 100 Twitter accounts earlier this month. Federal law enforcement arrested Graham Ivan Clark, 17, in Tampa earlier today, the Office of Hillsborough State Attorney Andrew Warren said. The arrest followed an investigation spearheaded by the Federal Bureau of Investigation and the Justice Department.

"These crimes were perpetrated using the names of famous people and celebrities, but they're not the primary victims here," said Warren. "This 'Bit-Con' was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that."

A security researcher who has been actively working with the FBI on the investigation into this month's breach told Ars that the hack was the result of painstaking research into Twitter employees, the social engineering of them by phone, and carefully timed phishing. Allison Nixon, chief research officer at security firm Unit 221B, said evidence collected to date shows that Clark and hackers he worked with started by scraping LinkedIn in search of Twitter employees who were likely to have access to the account tools. Using tools that LinkedIn makes available to recruiters, the attackers then obtained those employees’ cell phone numbers and other private contact information.

The attackers then called the employees and directed them to a phishing page that mimicked an internal Twitter VPN. Detailed work histories and other employee data the attackers obtained from public sources allowed the attackers to pose as authorized Twitter personnel. Work-at-home arrangements caused by the COVID-19 pandemic also prevented the employees from using normal procedures, such as face-to-face contact, to verify the identities of co-workers.

With the confidence of the targeted employees, the attackers directed them to a phishing page that mimicked an internal Twitter VPN. The attackers then obtained credentials as the targeted employees entered them. To bypass the two-factor authentication protections Twitter has in place, the attackers entered the credentials into the real Twitter VPN portal within seconds of the employees entering them into the fake one. Once the employee entered the one-time password, the attackers were in.

According to the charging document (PDF), Clark faces one count of organized fraud, 11 total counts of fraudulent use of personal information, one count of accessing a computer or electronic device without authority, and 17 counts of communications fraud. Clark's prosecution is taking place in Tampa, where he lives, "because Florida law allows minors to be charged as adults in financial fraud cases such as this when appropriate," Warren's office said.

Two other young adults are also facing charges in relation to the hack, the DOJ announced. Mason Sheppard, a 19-year-old UK resident, and Nima Fazeli of Orlando, Florida, have both been charged in the Northern District of California. Sheppard faces counts of conspiracy to commit wire fraud, conspiracy to commit money laundering, and intentionally accessing a protected computer. Fazeli is charged with aiding and abetting the intentional access of a protected computer.

This is a developing story and will be updated.
zanderthunder posted a topic in Security & Privacy News

Police in the Mongolian capital of Ulaanbaatar have apprehended 800 Chinese citizens and confiscated hundreds of computers and mobile phone SIM cards as part of an investigation into a cybercrime ring, local security authorities said. The arrests took place after police raided four locations, and followed two months of investigations, Gerel Dorjpalam, the head of the General Intelligence Agency of Mongolia, said at a media briefing. He did not go into specific details of the offences but said they involved illegal gambling, fraud, computer hacking, identity theft and money laundering.

"As of this moment we suspect they are linked to money laundering," he said. "We are looking into the matter."

All of the 800 Chinese citizens in detention came to Mongolia using 30-day tourist visas. The Chinese Embassy in Ulaanbaatar said in a statement that it would cooperate with the Mongolian police. "The police department of Mongolia has taken the necessary measures in this case and is currently in the process of investigating," it said. "China and Mongolia will have open law enforcement and security cooperation, and the two parties will be working closely together on this matter."

A month ago, 324 undocumented Chinese citizens were arrested in the Philippines on charges of running illegal online gaming activities and engaging in cyberfraud, according to a notice by the country's immigration bureau.

Mongolia saw about 480,000 foreign tourists enter in the first three quarters of this year, up 10.7%, with Chinese citizens accounting for nearly a third of the total. The landlocked north Asian nation is trying to diversify its economy and ease its dependence on raw materials, but it has traditionally been wary of opening up its economy to China, its giant southern neighbour.

Source: Mongolia arrests 800 Chinese citizens in cybercrime probe (via The Star Online)
mood posted a topic in Security & Privacy News

GandCrab ransomware distributor arrested in South Korea

South Korean national police have announced today the arrest of a 20-year-old suspect on charges of distributing and infecting victims with the GandCrab ransomware. The suspect, whose name was not released, operated as a customer of the GandCrab Ransomware-as-a-Service (RaaS) cybercrime operation. Known as an affiliate — or a distributor — police say the suspect operated by taking copies of the GandCrab ransomware and distributing them via email to victims across South Korea.

Between February and June 2019, the suspect sent nearly 6,500 emails to South Koreans. The emails mimicked official communications from local police stations, the Constitutional Court, and the Bank of Korea.

Phishing email sent in South Korea by a GandCrab affiliate

However, when victims opened documents attached to the emails they received, they infected themselves with the GandCrab ransomware, which then proceeded to encrypt their files and ask for a $1,300 payment in Bitcoin. South Korean national police say they tracked at least 120 users who fell victim to the suspect’s phishing campaigns. Despite the large number of victims, authorities said the suspect only made 12 million won, which comes to around $10,500, as he only received a 7% cut from the sum victims were paying on the GandCrab ransom portal.

Suspect tracked via cryptocurrency transactions

The suspect’s attacks stopped in June 2019 after the GandCrab group announced their retirement and moved on to create and run the REvil (Sodinokibi) RaaS instead, which focused on infecting companies rather than regular users. The South Korean individual marks the second GandCrab distributor arrested since the GandCrab shutdown. A 31-year-old suspect was previously arrested in Belarus in August 2020.

South Korean national police said the recent arrest, which took place last month on February 25, was the result of an international investigation led by Interpol focused on tracking down the GandCrab gang and its network of distributors. Law enforcement agencies from ten countries are involved in the investigation. Authorities also said they tracked the suspect based on cryptocurrency transactions associated with the GandCrab operation, which led them to the suspect’s bank account, despite his use of a cloak of servers and IP addresses to hide his real location.

Source: GandCrab ransomware distributor arrested in South Korea