Federal investigators in Russia have charged at least 25 people accused of operating a sprawling international credit card theft ring. Cybersecurity experts say the raid included the charging of a major carding kingpin thought to be tied to dozens of carding shops and to some of the bigger data breaches targeting western retailers over the past decade.
In a statement released this week, the Russian Federal Security Service (FSB) said 25 individuals were charged with circulating illegal means of payment in connection with some 90 websites that sold stolen credit card data.
A still image from a video of the raids released by the Russian FSB this week shows stacks of hundred dollar bills and cash counting machines seized at a residence of one of the accused.
The FSB has not released a list of those apprehended, but the agency’s statement came several days after details of the raids were first leaked on the LiveJournal blog of cybersecurity blogger Andrey Sporov. The post claimed that among those apprehended was the infamous cybercriminal Alexey Stroganov, who goes by the hacker names “Flint” and “Flint24.”
According to cyber intelligence firm Intel471, Stroganov has been a long-standing member of major underground forums since at least 2001. In 2006, Stroganov and an associate Gerasim Silivanon (a.k.a. “Gabrik“) were sentenced to six years of confinement in Russia, but were set free just two years into their sentence. Intel471 says Selivanon also was charged along with Stroganov in this past week’s law enforcement action.
“Our continuous monitoring of underground activity revealed despite the conviction, Flint24 never left the cybercrime scene,” reads an analysis penned by Intel471.
“You can draw your own conclusions [about why he was released early],” Sporaw wrote, suggesting that perhaps the accused bribed someone to get out of jail before his sentence was up.
Flint is among the biggest players in the crowded underground market for stolen credit card data, according to a U.S. law enforcement source who asked to remain anonymous because he was not authorized to speak to the media. The source described Flint’s role as that of a wholesaler of credit card data stolen in some of the biggest breaches at major Western retailers.
“He moved hundreds of millions of dollars through BTC-e,” the source said, referring to a cryptocurrency exchange that was seized by U.S. authorities in 2017. “Flint had a piece of almost every major hack because in many cases it was his guys doing it. Whether or not his marketplaces sold it, his crew had a role in a lot of the big breaches over the last ten years.”
Intel471’s analysis seemed to support that conclusion, noting that Flint worked closely with other major carding shops that were not his, and that he associated with a number of cybercrooks who regularly bought stolen credit cards in batches of 100,000 pieces at once.
Top denizens of several cybercrime forums who’ve been tracking the raids posited that Stroganov and others were busted because they had a habit of violating the golden rule for criminal hackers residing in Russia or in a former Soviet country: Don’t target your own country’s people and/or banks.
A longtime moderator of perhaps the cybercrime underground’s most venerated Russian hacking forum posted a list of more than 40 carding sites thought to be tied to the group’s operations that are no longer online. Among them is MrWhite[.]biz, a carding site whose slick video ads were profiled in a KrebsOnSecurity post last year.
A snippet from a promotional video from the carding/dumps shop MrWhite.
KNOW YOUR FRAUDSTER
Nearly all of the carding sites allegedly tied to this law enforcement action — including those with such catchy names as BingoDumps, DumpsKindgom, GoldenDumps, HoneyMoney and HustleBank — were united by a common innovation designed to win loyalty among cybercriminals who buy stolen cards or “dumps” in bulk: Namely, a system that allowed buyers to get instant refunds on “bad” stolen cards without having to first prove that the cards were canceled by the issuing bank before they could be used for fraud.
Most carding sites will offer customers a form of buyer’s insurance known a “checker,” which is an automated, à la carte service customers can use after purchasing cards to validate whether the cards they just bought are still active.
These checking services are tied to “moneyback” guarantees that will automatically refund the purchase price for any cards found to be invalid shortly after the cards are bought (usually a window of a few minutes up to a few hours), provided the buyer agrees to pay an added fee of a few cents per card to use the shop’s own checking service.
But many cybercrooks have long suspected some checkers at the more popular carding sites routinely give inaccurate results that favor the card shop (i.e., intentionally flagging some percentage of inactive cards as valid). So, the innovation that Flint’s gang came up with was a policy called “Trust Your Client” or “TYC,” which appears to be a sly dig on the banking industry’s “know your customer” or KYC rules to help fight fraud and money laundering.
With TYC, if a customer claimed a card they bought was declined for fraudulent transaction attempts made within six hours of purchase, the carding shop would refund the price of that card — no questions asked. However, it seems likely these shops that observed TYC ran their own checkers on the back-end to protect themselves against dishonest customers.
An ad for the “Trust Your Client” or TYC policy observed by virtually all of the carding shops taken down in this past week’s Russian law enforcement operation.
Want to learn more about how carding shops work and all the lingo that comes with them? Check out my behind-the-scenes profile of one major fraud store — Peek Inside a Professional Carding Shop.