25
Feb 11

Pharma Wars

facebooktwittergoogle_plusredditpinterestlinkedinmail

How do you chronicle the struggle for control of an underground empire when neither combatant wants to admit that he is fighting or even that a war is underway? That’s the nature of a business-feud turned turf-war that is playing out right now between the bosses of two of the Internet’s largest illicit pharmacy operations.

On Thursday, I wrote about an anonymous source using the pseudonym “Despduck” who shared a copy of the back-end database for Glavmed, a.k.a. “SpamIt”, until recently the biggest black market distributor of generic pharmaceuticals on the Internet. The database indicates that Glavmed processed in excess of 1.5 million orders from more than 800,000 consumers who purchased knockoff prescription drugs between May 2007 and June 2010.

Despduck first proffered the Glavmed data through a mutual source in the anti-spam community, and claimed that the alleged owner of the pharmacy program, a Russian businessman named Igor Gusev, would soon be charged with illegal business activities. Sure enough, near the end of September 2010, Russian officials announced a criminal investigation into Gusev and his businesses. Shortly after those charges were brought, SpamIt.com was closed down. Consequently, the volume of spam flowing into inboxes around the world fell precipitously, likely because SpamIt.com affiliates fell into a period of transitioning to other pharmacy networks.

Gusev is now in exile from Russia; he blames his current predicament– and the leak of the Glavmed data — on his former business partner, fellow Muscovite Pavel Vrublevsky. The latter is a founder of Russian e-payment giant ChronoPay, a company Gusev also helped to co-found almost eight years ago (according to incorporation documents I obtained from the Netherlands Chamber of Commerce — where ChronoPay was established — for a time Gusev and Vrublevsky were 50/50 partners in ChronoPay).

As reported in my story earlier this week, tens of thousands of internal documents and emails stolen from ChronoPay and leaked to key individuals suggest that Vrublevsky is managing a competing online pharmacy network called Rx-Promotion. It turns out that the Glavmed database was stolen at about the same time as ChronoPay’s breach.

Vrublevsky denies being the source of the purloined Glavmed/SpamIt database, but the bounty of leaked ChronoPay documents suggests otherwise. Included in the email records are messages sent to and from an inbox that used the display name “Kill Glavmed.” What was the email address tied to that name? “Despduck@gmail.com,” the very same address used to communicate with my anti-spam source.

Also in the leaked ChronoPay emails is a lengthy message thread in an inbox marked “vrublevsky” that details a negotiation with an individual named “Nooder Tovreance.” In the multi-email exchange, which begins Apr. 8, 2010 and ends at the beginning of June, Tovreance offers to sell the Glavmed database for $20,000, but says that he will need to break the file transfers up into multiple smaller chunks due to the size of the database. The two ultimately settle on a price of $15,000, with the first payment of $7,500 made to a Webmoney purse specified by Tovreance in exchange for half of the files, and the remaining amount payable upon receipt of the entire database.

SpamIt.com may be gone, but the Glavmed program is still rewarding affiliates for promoting pharmacy sites. Meanwhile, a number of online properties managed by Gusev are under nearly-constant attack. Joe Stewart, senior security researcher for SecureWorks, recently released a paper in which he profiled the makeup and activities of the world’s top spam botnets, or agglomerations of hacked PCs of the sort typically used to relay junk e-mail advertising rogue pharmacy sites.

One of the spam botnets in Stewart’s analysis, a 60,000 bot network nicknamed “Festi” was “developed as a distributed denial-of-service (DDoS) platform, and has been seen in recent weeks launching attacks against other Russian sites.” I asked Stewart for a list of the sites he’s seen Festi attacking; the list is quite short, and includes six Glavmed/Canadian Pharmacy sites, as well as gofuckbiz.com and armadaboard.com, affiliate forums that Vrublevsky has said on several occasions that he suspects are owned and operated by Gusev. The other site Stewart found Festi attacking was redeye-blog.com, a daily blog written by Gusev that is trickling out leaked ChronoPay documents and gossip about Vrublevsky.

Tags: , , , , , , ,

34 comments

  1. Mr, Krebs. Excellent and very interesting post. However I run my own small investigation on the so called “Pharma wars”.

    And I beleive I am nearly done. I also beleive my results will be quite shocking to the cyber-investigators community as they will most likely include…You . Perhaps it will be the most shoking cyber-investigation ever.

    Mr. Krebs. I appreciate Your haste to make another post after my last statements.

    However, I would still like to ask a direct question to You Mr. Krebs.

    Are You aware that Mr. Igor Gusev aka Desp is a famous child pornographer in the past?

  2. Your ‘Gues’ is as good as mine; heh..heh. ]:)

  3. May be, but I have asked a very simple direct question. And I want a direct answer.

    • It’s funny “Gues” accuses Igor of CP – I’ve heard the same rumors about PV. True or not?

      That’s simple and to the point so how about an honest answer?

      • If they were partners in Chronopay and knew it was used to process payments for child porn, whether either or both were personally involved in raping the children is splitting hairs.

        Children are molested on camera because people can make a lot of money from it. Anyone knowingly taking a commission on selling the images bears responsibility for what happened to the children.

        • You may be right, Alpha, but thus far we only have the word of a known lying scumbag saying Igor was involved in CP. It’s obviously Pasha Pooh is trying to make Igor look like a bad guy or at least worse than what Igor has already admitted to. I wouldn’t believe a word that came out of Pasha Pooh’s mouth because I think he’s a liar. A liar who evidently doesn’t feel compelled to pay what he agrees to people. Where I live we call that a deadbeat.

          Igor has done things I don’t like with spam, but we have only the word of a known liar saying Igor was involved in CP. Until I see some proof that Pasha Pooh didn’t manufacture with PhotoShop, I’m rooting for Igor to come out on top in this war.

          Go Igor!

          • Dude, what planet are You from? Mars?
            Go and check out Gusevs blog. He now admit himself he was a co-runner of Darkmasters.net

            Go and check wikileaks what Darksmasters was.
            Half of Russian webmaster knows that.

  4. Ladies and Gentlemen,
    There is no need at all to put my posts down in the rating. Its just unfair.

    I have asked a really simple question to Mr. Krebs. As I am doing my own investiation of pharma wars.

    Mr. Krebs, I want to ask You are direct question, and I would like to get a direct answer, are You aware that Igor Gusev aka Desp is a famous child pornographer in the past?
    Please answer.

    • Most likely you are being modded down because, I don’t think anyone really sees what the point of asking your question is. Sure CP is despicable and a terrible thing, and if true most disgusting, and hopefully he gets prosecuted for it. But is it relevant to the story above, not substantially or you are baiting someone to set the stage for you to reveal some dramatic point of your “research”. Or perhaps you are simply trying to use a public forum as a method to continue some personal vendetta against Gusev?

      I imagine there are better ways to contact Brian if you have questions for him. But your troubles from the mod system most likely stem from the relevancy of your question/accusation.

      • Just try to ignore him. It’s just Vrublevsky, as you say, baiting.

        • Can I simply get a direct answer?

        • Who is Vrublevsky? Sorry, Brian, I must have missed something. Has he been in here trolling? Typical loser behavior.

          I have some documents from a friend of mine from several years ago that tells me Pavel Vrublevsky is a scumbag. In those documents it makes some very disgusting allegations about Pavel and his proclivities. Who knows if true or not but I can believe it.

          As much as I dislike spam, and I don’t agree with much of Igor’s business, I think I will go to CafePress and print Free Igor; Jail Pavel T-shirts and bumper stickers. I have a lot more respect at this point for Igor than I do for that punk Vrublevsky.

          Hey Pavel: You’re a dirtbag – translate that into Russian.

          Brian, I will dig up those docs and check with my friend to see if I can share with you. Some of the info is very explosive.

        • If Vrublevsky has any balls he will answer the questions. If he can’t figure out what my gmail address is he’s even stupider than I thought.

  5. One other thing occurred to me about this Pavel loser.

    I worked @Spamhaus for nearly 8 years and in those years I saw Leo Kuvayev hosting “very” young porn. Well, we know where he is right now and why he’s there, don’t we?

    For years I’ve seen violent/rape porn associated with PV. Some people say it’s just his niche but I would bet you a cup of coffee, Brian, that he’s wired that way, too.

    My impression of him is he’s short so he obviously has little man syndrome. The violent sex porn is probably the only way he can get off.

    Of course, I may be wrong and that’s just my opinion but I did learn a few things in those 8 years. Actually, I’ve been doing this anti-spam thing for going on 13 years so you do get a feel for these idiots and what makes them tick.

    Maybe I should write my own book, eh?

  6. Yesterday, I emailed that Nooder Torvreance guy who the Chronopay emails suggested had sold Vrublevsky the database.

    Today, I heard back from him, and he told me something very interesting, but not very surprising: He said he did indeed have a deal to sell the Glavmed database to Vrublevsky, but that Vrublevsky stiffed him, and still owes him $15,000.

    • Pavel stiffed someone over money? If I read Igor’s translated blog correctly, didn’t he also stiff Igor? Pavel sounds like a deadbeat in addition to a scumbag.

      I’ve heard he doesn’t like people saying bad things about him. That’s too bad because there is something I believe in called Karma. When you do bad things to people it eventually comes back to bite you in the butt. I hope it makes the interwebs when it happens to you, Pasha. Basha the Pasha ;-)

      • I have exchanged a few emails with Pavel since yesterday and I have to say I’m getting a different impression of him than I initially had. He’s been very polite and kind in taking time to reply to some rather pointed questions.

        I don’t know who is right and who is wrong regarding Pavel v. Igor but I will definitely do some additional reading and see what I can figure out.

        • lol, Pavel doesn’t have a reputation for being uncommunicative. The guys at the top can be very well-spoken, not like the foul mouth troglodytes who tend to do the mailing. But that only means they should be held responsible for the crimes committed by their minions. They aren’t so stupid they can claim to have been ignorant of what they were paying their affiliates to do.

          So if Gusev is “Desp” on the Glavmed forums, is he also “Spammit” on the Spammit forums?

          • Yes, but you can tell Pavel is very charming and sophisticated. I guess I had expected a real cretin. He seems very smart and quite sensitive. I’ve enjoyed exchanging mail with him and he’s been exceptionally kind with his time. I think maybe I believed all of the bad things about him without trying to get to know the person. Of course I’m sure that will get me booed by my friends in anti-spamming but you have to know the people to form opinions about them. I have to say I really like him so far.

          • I think spammit was SaintD but I’d have to check some notes from several years ago.

  7. I’m driving MB G55 AMG 2010 and Betnley Continental GT 2009. Thanks to pharma!

    • And that’s why you’re a spammer. All you understand is money. You feel no responsibility for the other citizens of the planet.

      Spammers can’t comprehend antispammers. They think we’re fighting them because we’re envious of their money. In fact, most of the antispammers I know could own vehicles like that if showing off their money were a priority for them, and they could earn far more income than they do if money were more important to them than social responsibility.

      A spammer showing off his money is like what your grandmother used to say about a lady who plays with her jewelry — it shows they’re unaccustomed to having any.

    • You’re driving a “Betnley “. That’s impressive because you must have the only Betnley in the world. I’ve never seen a Betnley dealer and I don’t live too far from Beverly Hills where they really like their fancy cars. How much did you pay for your Betnley? I know it’s rude to ask but since you’re so proud of being a spammer you probably won’t be offended, will you?

    • Great invetsment. I hera that Betnleys’ value aprpreciates over tiem!

  8. Damn! This could become a TV series similar to “The Sopranos”. No one would be able to look at a “Make her scream” email in quite the same way again!

  9. I’m a chick, dude, but that still doesn’t prove Igor was involved in CP! Anyone can say anything about anyone and it doesn’t make it true. How about providing some proof? Documents, bank statements, emails? And why aren’t you posting as yourself instead of a silly sock puppet?

  10. Brian, gofuckbiz and armadaboard are owned by RX-Partners/Stimul-Cash aff. programs

  11. Seems like a regular gathering of /b/rothers here ;-)

  12. thanks for the info !

    smolkowicz
    GlobalHardware

  13. I really enjoyed both the article and subsequent posts by those involved. Like a soap opera for tech set!