Sunday, March 3, 2024

Who’s Behind the SWAT USA Reshipping Service? – Krebs on Safety


Final week, KrebsOnSecurity broke the information that one of many largest cybercrime companies for laundering stolen merchandise was hacked lately, exposing its inside operations, funds and organizational construction. In at the moment’s Half II, we’ll study clues in regards to the real-life identification of “Fearlless,” the nickname chosen by the proprietor of the SWAT USA Drops service.

Based mostly in Russia, SWAT USA recruits individuals in the US to reship packages containing dear electronics which are bought with stolen bank cards. As detailed in this Nov. 2 story, SWAT at the moment employs greater than 1,200 U.S. residents, all of whom will likely be lower unfastened with no promised payday on the finish of their first month reshipping stolen items.

The present co-owner of SWAT, a cybercriminal who makes use of the nickname “Fearlless,” operates totally on the cybercrime discussion board Verified. This Russian-language discussion board has tens of 1000’s of members, and it has suffered a number of hacks that uncovered greater than a decade’s price of person knowledge and direct messages.

January 2021 posts on Verified present that Fearlless and his companion Universalo bought the SWAT reshipping enterprise from a Verified member named SWAT, who’d been working the service for years. SWAT agreed to switch the enterprise in change for 30 % of the web revenue over the following six months.

Cyber intelligence agency Intel 471 says Fearlless first registered on Verified in February 2013. The e-mail deal with Fearlless used on Verified leads nowhere, however a evaluate of Fearlless’ direct messages on Verified signifies this person initially registered on Verified a yr earlier as a reshipping vendor, beneath the alias “Apathyp.”

There are two clues supporting the conclusion that Apathyp and Fearlless are the identical individual. First, the Verified directors warned Apathyp he had violated the discussion board’s guidelines barring using a number of accounts by the identical individual, and that Verified’s automated programs had detected that Apathyp and Fearlless have been logging in from the identical machine.  Second, in his earliest non-public messages on Verified, Fearlless informed others to contact him on an immediate messenger deal with that Apathyp had claimed as his.

Intel 471 says Apathyp registered on Verified utilizing the e-mail deal with triploo@mail.ru. A search on that e mail deal with on the breach intelligence service Constella Intelligence discovered {that a} password generally related to it was “niceone.” However the triploo@mail.ru account isn’t linked to a lot else that’s fascinating besides a now-deleted account at Vkontakte, the Russian reply to Fb.

Nonetheless, in Sept. 2020, Apathyp despatched a non-public message on Verified to the proprietor of a stolen bank card store, saying his credentials now not labored. Apathyp informed the proprietor that his chosen password on the service was “12Apathy.”

A search on that password at Constella reveals it was utilized by simply 4 totally different e mail addresses, two of that are notably fascinating: gezze@yandex.ru and gezze@mail.ru. Constella found that each of those addresses have been beforehand related to the identical password as triploo@mail.ru — “niceone,” or some variation thereof.

Constella discovered that years in the past gezze@mail.ru was used to create a Vkontakte account beneath the title Ivan Sherban (former password: “12niceone“) from Magnitogorsk, an industrial metropolis within the southern area of Russia. That very same e mail deal with is now tied to a Vkontakte account for an Ivan Sherban who lists his house as Saint Petersburg, Russia. Sherban’s profile picture reveals a closely tattooed, muscular and lately married particular person together with his lovely new bride on the point of drive off in a convertible sports activities automobile.

A pivotal clue for validating the analysis into Apathyp/Fearlless got here from the identification intelligence agency myNetWatchman, which discovered that gezze@mail.ru at one time used the passwords “геззи1991” (gezze1991) and “gezze18081991.”

Care to put a wager on when Vkontakte says is Mr. Sherban’s birthday? Ten factors should you answered August 18 (18081991).

Mr. Sherban didn’t reply to a number of requests for remark.

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles