May 10

Following the Money, Part II


A leading Russian politician has accused a prominent Moscow businessman of running an international spam and online pharmacy operation while serving as an anti-spam adviser to the Russian government. Russian investigators now say they plan to create a special task force to look into the allegations.

In an open letter to investigators at the Ministry of Internal Affairs (MVD) of the Russian Federation, Ilya V. Ponomarev, a deputy of the Russian State Duma’s Hi-Tech Development Subcommittee, in March called for a criminal inquiry into the activities of one Pavel Vrublevsky, an individual I interviewed last year in an investigative report on rogue security software (a translated PDF version of Ponomarev’s letter is here).

Vrublevsky is founder and general director of ChronoPay, an online payment processor widely accepted in Russia to handle a number of domestic transactions, including payment for Russian airline and lottery tickets. ChronoPay also specializes in handling “high risk” online merchants, such as pharmacy, adult and Internet gaming sites. Last year, The Washington Post published a story I wrote that showed Chronopay was processing payments for a large number of sites pushing rogue anti-virus products, or “scareware.”

According to Ponomarev, Vrublevsky also is known online as “Redeye,” and is the creator of Crutop.nu, a large adult Webmaster forum that the U.S. Federal Trade Commission last year said was a place “where criminals share techniques and strategies with one another,” and a Russian language Web site “that features a variety of discussion forums that focus on making money from spam.”

In his letter to A.V. Anichin, the deputy minister and chief of the Russian MVD Investigations Committee, Ponomarev said that even a preliminary analysis of Vrublevsky’s activities shows the extent of a problem that has escaped the attention of law enforcement.

“They include trade in pornography on the Internet that contains scenes of cruel violence, real rape, zoophilia, etc. (etu-cash.com, cash.pornocruto.es), unlawful banking business focused on laundering of money generated by a range of criminal activities in order to escape taxes using fethard.biz and acceptance of payments for illegal sale of music files mp3 which violates author’s rights of performers and illegal trade in drug-containing and controlled prescribed drastic preparations via on-line chemistry networks (rx-promotion.com, spampromo.com), and illegal mass spam distribution all over the world, as well as sale of malicious software under the guise of anti-virus software.”

Ponomarev notes that Vrublevsky is a key member of the anti-spam working group of the Ministry of Telecom and Mass Communication. Ponomarev also said that the MVD had instituted a criminal investigation into Vrublevsky in 2007, only to abandon the case when the chief investigator quit and reportedly went to work for Vrublevsky.

“We have here a merger between a criminal element and the government power which is unacceptable and inadmissible in any civilized society,” Ponomarev wrote.

In a written response to Ponomarev that the latter posted on his blog last week, Anichin said he agreed that the case should never have been closed, that the decree to close the case has been canceled, and that the preliminary investigation has been resumed. A translated copy of that letter is available here (PDF). A portion of it is translated here:

The management of the Main Investigative Directorate of the Moscow City GUVD [Main Directorate of Internal Affairs] has been charged with creating an investigative operations group composed of specialists of the Russian FSB [Federal Security Service] Information Security Center and the Directorate of Special Technical Measures of the Moscow City GUVD to perform a set of investigative actions and operational detective measures directed at determining the truth of the case. The arguments described by you will be verified in the course of additional investigation, including the existence of the other elements of crimes in the actions of P. O. Vrublevsky.

Reached at his home in Moscow, Vrublevsky scoffed at the entire matter, suggesting that one of his enemies had paid Ponomarev to write the letter to investigators.

Vrublevsky also said while he was indeed called as a witness in the 2007 criminal case Ponomarev mentioned in his letter, he was not the subject of that investigation, though he said he doesn’t know what the investigators were probing. “That criminal case has nothing to do with me, I was just a witness,” Vrublevsky told Krebsonsecurity.com. “In Russia, by law witnesses have no right to know what the case is about.”

In a phone interview, Ponomarev dismissed the claim that someone paid him to file the complaint. He also said Vrublevsky was mistaken and that the 2007 case did involve him, although Ponomarev said he was not at liberty to discuss the particulars of the case.

“The purpose of my letter was to say that a person directly affiliated with the Ministry of Telecommunications is also involved in suspicious activity, and I am using this to try to attract the attention of prosecutors to investigate whether there is conflict of interest,” Ponomarev said.

Vrublevsky also denied having anything to do with online pharmacy Web site programs or spam, and said that, contrary to Ponomarev’s claims, he was not “Redeye” (the online nickname used by the first and founding member of Crutop.nu), nor did he know anyone by that name.

My previous investigation showed that Crutop and ChronoPay shared a common network infrastructure and appeared to be set up and run by the same person(s). For one thing, Crutop and ChronoPay both previously occupied the same small blocks of Internet addresses assigned by European Internet authorities to ChronoPay. Also, the HTML code that made up the home pages for both Crutop and ChronoPay contained the very same Google Analytics code, meaning the same account was being used to track visitors for both sites.

Shortly after that story ran, the two sites stopped sharing the same Google Analytics code. At the time, ChronoPay’s public relations manager said a former employee in charge of online marketing at ChronoPay was probably the person responsible for setting up the common Google Analytics account.

But recently I found clues that would appear to connect the ChronoPay CEO himself to Crutop. The “No Spam” image featured prominently at the top of the Crutop.nu home page lists the following contact information for the anonymous Crutop administrators:

RED & Partners Group
red@mail-eye.com

http://www.re-partners.biz/

Until recently, both ChronoPay.com and re-partners.biz shared the same domain name server: ns1.dns-eye.com. A WHOIS domain registration lookup for “re-partners.biz” shows RED & Partners B.V. at the following physical address:

Strawinskylaan 1443
Amsterdam
1077 XX
Phone: +31.207940110
Fax: +31.207940120

That address is the same one as listed on the Contact Us portion of ChronoPay’s Web site.
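The overlaps used in the preceding paragraphs (a shared Google Analytics account embedded in each site’s HTML, a shared nameserver, addresses in the same small netblock) can be checked mechanically over a set of crawled sites. The script below is an added example, not code from this article; the site names, tracking IDs, nameservers and IP addresses are constructed placeholders.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample data (not real site content): a slice of each site's
# home-page HTML plus the nameservers and IP a crawler or WHOIS lookup records.
SITES = {
    "shop.example": {
        "html": '<script>_gat._getTracker("UA-123456-1");</script>',
        "ns": {"ns1.dns.example", "ns2.dns.example"},
        "ip": "192.0.2.10",
    },
    "forum.example": {
        "html": '<script>_gat._getTracker("UA-123456-3");</script>',
        "ns": {"ns1.dns.example"},
        "ip": "192.0.2.20",
    },
    "blog.example": {
        "html": '<script>_gat._getTracker("UA-999999-1");</script>',
        "ns": {"ns1.dns.example"},
        "ip": "198.51.100.5",
    },
}

GA_ID = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")  # classic Google Analytics property id


def ga_accounts(html):
    """Account numbers (UA-<account>) in the page; the trailing -N is just the property."""
    return {m.rsplit("-", 1)[0] for m in GA_ID.findall(html)}

def netblock24(ip):
    """Collapse an IPv4 address to its /24, the granularity of the shared blocks above."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

def correlate(sites):
    """Map each pair of sites to the sorted list of infrastructure facts they share."""
    by_key = defaultdict(set)  # (kind, value) -> sites exhibiting it
    for name, s in sites.items():
        for acct in ga_accounts(s["html"]):
            by_key[("ga_account", acct)].add(name)
        for ns in s["ns"]:
            by_key[("nameserver", ns)].add(name)
        by_key[("netblock", netblock24(s["ip"]))].add(name)
    links = defaultdict(list)
    for (kind, value), names in by_key.items():
        for a, b in combinations(sorted(names), 2):  # every pair sharing this fact
            links[(a, b)].append(f"{kind}={value}")
    return {pair: sorted(facts) for pair, facts in links.items()}
```

A pair linked only by a nameserver (as blog.example is here) is weak evidence, since many unrelated customers of one DNS host share it; a shared analytics account is far more specific, because it means one party can read both sites’ visitor statistics.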

A document issued by the Netherlands Chamber of Commerce lists one Pavel Vroublevski of Moscow as the official registrant and director of RED & Partners B.V. back in 2003. The document also lists the address of RED & Partners B.V. in that same Amsterdam location as shown in the contact page for ChronoPay. A copy of that document is available (in Dutch) at this link (PDF).

When asked about the registration document from the Netherlands, Vrublevsky said he recognized it, but stopped short of acknowledging a link between RED & Partners B.V. and re-partners.biz.

“Re-partners.biz PROBABLY does not have anything to do with RED & Partners B.V.,” Vrublevsky wrote in an e-mail to Krebsonsecurity.com. “Yes I realize that the website says otherwise, however the website or WHOIS can claim whatever you want. You can put Putin or Obama there if You want.”

Most of the current and historical Web site and domain registration records referenced in the last few paragraphs above can be found here:

Hosting history for re-partners.biz

WHOIS lookup for 77.91.227.208 (former re-partners.biz IP address)

Hosting history for Crutop.com

WHOIS lookup for 77.91.227.214 (former crutop.com IP address)

Hosting history for chronopay.com


18 comments

  1. It’s about time someone investigates him. Between Pavel and Dmitry Golubov’s “it wasn’t me” campaigns there is a lot of bullcrap floating around between those two. It’s clear the two of them use their dirty money to pay off the right people to get themselves out of messes.

  2. It is also common for web criminals to use names and addresses and phone numbers of legitimate enterprises and sometimes even ISPs who have investigated their nefarious activities in the past.

    This only makes sense. First, as a criminal, you will not want to be tracked to your real address; Second, you will obviously like to throw suspicion upon those who are making life miserable for you, especially in the legal sense. It only makes perfect sense they would use legitimate people to front illegal operations, and definitely without the innocent folk’s knowledge.

    I reserve judgment, on just who is the criminal in this investigation. It will be interesting if the Russians actually nab the guilty party in this case.

    Great article, as usual Brian!

  3. Nice work on the article. I doubt there are a dozen honest rich men in all of Russia. There may not even be three. It’s amazing how the defenses of Russians are always these overarching conspiracy theories. These are not men.

  4. Nice research!

    As far as the common addresses, the question is, what is located at that address? If it’s the Dutch equivalent of Mailboxes Etc., it wouldn’t be a surprise for two unrelated enterprises to share the same address. Of course, it wouldn’t be a surprise for them both to be criminal operations, either.

  5. http://tinyurl.com/strawinskylan1443 – street view of Strawinskylaan 1443 in Amsterdam. It appears to be the World Trade Center Amsterdam. Google lists the following businesses registered at this address:

    Chronopay B.V.
    Dpnet B.V.
    Red & Partners B.V.

  6. Err, looks like my followup comment wound up being eaten by wordpress. Let’s try this again, and I do apologize if it shows up later…

    According to the list of companies in postcode 1077xx found at http://www.telefoonnr.info/nederland/noord-holland/amsterdam/amsterdam/1077xx.html there are only three companies which share the phone # 0207940110 – Chronopay, Dpnet, and Red & Partners.

  7. Kevin Anderson

    You can keep following the money to http://www.AtlasReal.com and to their Spanish office, which is where the alias “Patrick Fitzgerald” swaps his fur-lined hat for a mankini.

    When he’s not selling real estate “Patrick” is the contact person for the Chronpay netblock (77.91.227.208 – 77.91.227.223), email p.fitzgerald@ncb.es.

    The Spanish phone number +34 664-17-15-11 listed in the RIPE database is the very same as the Spanish office of the Atlas Real Group.

  8. “I swear to you, Kay, in five years the Vrublevsky family will be completely legitimate.”

    • McCoy Pauley: “I swear to you, Kay, in five years the Vrublevsky family will be completely legitimate.”

      You mean like the Kennedys did it? :)

      • McCoy Pauley: “I swear to you, Kay, in five years the Vrublevsky family will be completely legitimate.”

        You mean like the Kennedys did it?

        bingo! Russia is picking up fast. The connections between Mafia, Government and Secret Service are blatantly visible each day! Over 3000 banks owned by the mob, money laundering in Western Europe and elsewhere, buying into real companies, setting up business with innocent looking Harvard graduates as straw puppets, they learned quick. Communism failed? No problem…

  9. This site is back online!

  10. Hi Brian. Nice article.

    Do you have a full version of the letter from MVD to ponamarev?
