10 Nov 11

Rove Digital Was Core ChronoPay Shareholder


Rove Digital, the company run by six men who were arrested in Estonia this week for allegedly infecting four million PCs worldwide with malware, was an early investor in ChronoPay, a major Russian payment processing firm whose principal founder Pavel Vrublevsky also is now in prison and awaiting trial on cyber crime charges, KrebsOnSecurity has learned.

Estonian authorities on Tuesday arrested Rove Digital founder Vladimir Tsastsin, 31, along with five other Estonian nationals indicted on charges of running a sophisticated click fraud scheme. Yesterday’s blog post details Tsastsin’s criminal history, and his stewardship over Rove and a sister firm, EstDomains. Today’s post will reveal how Tsastsin and his company were closely allied with and early investors in ChronoPay, and how that relationship unraveled over the years.

In my Pharma War series, I’ve published incorporation documents showing that Igor Gusev, a man currently wanted in Russia on criminal charges of running an illegal business in the notorious pharmacy spam affiliate programs GlavMed and SpamIt, was a co-founder of ChronoPay back in 2003. That series also details how Gusev sold his shares in ChronoPay, and that Vrublevsky later started a competing rogue pharmacy/spam operation called Rx-Promotion.

A spreadsheet showing front companies tied to ChronoPay.

It turns out that ChronoPay also had two other major and early investors: Rove Digital and a mysterious entity called Crossfront Limited. This information was included in the massive trove of internal ChronoPay emails and documents that was briefly published online last year and shared with select journalists and law enforcement agencies. Among those documents is a spreadsheet (XLS) listing all of the various shadowy companies allegedly owned and managed by ChronoPay founder Pavel Vrublevsky and associates. It lists ChronoPay B.V., the legal entity in The Netherlands that formed the initial basis of the company, as jointly owned by Gusev’s firm DPNet B.V., Red & Partners (Vrublevsky’s adult Webmaster provider) and Rove Digital OU.

When I met with Vrublevsky at his offices in Moscow in February of this year, he confirmed that Tsastsin was an old friend and that Rove Digital had been a key shareholder in the company. Further evidence of the connection between ChronoPay and Rove Digital is provided in a series of internal ChronoPay emails from May 2010.

At that time, ChronoPay was under investigation by Dutch banking regulators who suspected that the company’s intricate network of front companies and financial channels was acting in violation of the country’s anti-money laundering laws. In a tersely worded email exchange, the Dutch bank demanded a slew of additional accounting and administrative records, including “all documents that show the structure of ChronoPay BV, such as statutes, incorporation documents, names and addresses of director(s) and shareholders.”

The following email thread from ChronoPay executives shows how they struggled to discover the identity of the original principal shareholders of their own company:

From: Martins Berkis-Bergs [mailto:mbb@chronopay.com]

To: Rob Peters

Subject: ChronoPay BV – Info

Could you please send me the directors’ names for each shareholder of ChronoPay BV? (i.e. Red&Partners B.V., DPNet B.V., ROVE Digital Ou, Crossfront Limited)?

==

Reply from: Anna Boguslavchik [mailto:a.boguslavchik@chronopay.com]

To: Martins Berkis-Bergs [mailto:mbb@chronopay.com]

The thing is that we don’t have acting director appointed now and we need to have some documents for the bank signed urgently (Sasha Panin already told you that). According to the charter we need to have shareholders appoint someone as the signatory for the company. And for this we need signatures of all directors of the shareholding companies.

Here’s the info on the shareholding companies:
DP Net B.V. – 45 class B shares, director – someone named Terekhov
RED&Partners B.V. – 135 shares (45 class B and 90 class A). Ronnie was the director (see Martins’ email below). Martins has no info on who’s the director now.
Rove Digital OU – 45 class B shares. No information on who’s the director.
Crossfront Limited – 45 class B shares. No information on who’s the director.

If the bank is OK with this, we can prepare the decision of shareholders document in the form that I told you about yesterday.

==

It makes sense that Tsastsin’s Rove Digital was an early investor in ChronoPay: The two businesses served many of the same clients. Indeed, several messages between Vrublevsky and Tsastsin show the two men routinely turned to one another for favors over the years. In one email thread, Vrublevsky asks Tsastsin to set him up with several Web servers to help host torrent trackers for an MP3 business Vrublevsky is supporting.

But somewhere along the way, the relationship soured, and Vrublevsky and his executives grew either unwilling or unable to accommodate requests from Tsastsin. The following is the final email from Tsastsin to Vrublevsky, in which the former complains about a favor he asked of Vrublevsky that was promised but never delivered:

From: Vladimir T. <vladimir@itconsluting.ee>

To: Vrublevsky, Pavel <p.vrublevsky@chronopay.com>

Subject: patience

I never asked you for anything before, and was always really patient with you. Now I’m writing you because I can’t take this anymore. I asked you for help my friends with payment processing 4 months ago. Both Jan and Misha ignored the guy for 4-5 months, no one can arrange processing for him.

I will not list every favor I did for you personally and for ChronoPay. One day you needed my consultation on something, another day you need servers for running torrent [trackers], and we aren’t even charging you for them. Then you need us to create a statistics page for Fethard and to help you detect fraudsters. In summary – we do everything you ask for. And in return I’m not getting shit.

I wrote them myself and asked Jan personally with a cc/ to Abramov. They either blame Misha or suddenly their notebook gets broken or they have a vacation…. They drag this on for 5 months, it’s insane! I don’t know what to tell my friends, my reputation with them is ruined.

I will not continue to describe all this nonsense to you. What I want from you is to kick their asses really hard so that they do it immediately once and for all. I will be away on business for two days and if I get no reply from them by the time I return I will not be asking you or them for anything anymore since this relationship is a one-way street.

Have a nice day. I’m sick and tired of this.


17 comments

  1. Hi Brian,

    I get a 404 error on the HTML spreadsheet link.

    • Yeah, me too. Sorry about that. I’ve removed that html file link. It wasn’t formatted correctly. I tried to save the data in .csv file, but it also had formatting issues.

      FWIW, there is a link to the data in Excel format. Also, the screen shot in this post has all of the data that the spreadsheet does, albeit obviously not in a format that allows importing the information into other spreadsheets.

  2. You are one brave security researcher.

  3. Again, an excellent piece of reporting.
    I was wondering what Fethard is:

    “Then you need us to create a statistics page for Fethard..”

    • Fethard refers to Fethard Finance, which is a virtual payment mechanism created by Vrublevsky/ChronoPay. The majority of its clients are in the Russian adult Webmaster industry. I don’t believe it is widely used today. There was a minor scandal in that industry back in 2007, when millions of dollars in Fethard accounts just evaporated. Vrublevsky claims the money was stolen by corporate raiders and corrupt cops, but who knows; many people think he absconded with the funds to pay debtors and that the raid story was just a convenient cover.

  4. The page:

    http://krebsonsecurity.com/wp-content/uploads/2011/11/DNBthread.txt

    looks like this on my computer:

    �F�r�o�m�:� �R�o�b� �P�e�t�e�r�s� �[�m�a�i�l�t�o�:�r�.�p�e�t�e�r�s�@�c�h�r�o�n�o�p�a�y�.�c�o�m�]�

    �S�e�n�t�:� �p�i�e�k�t�d�i�e�n�a�,� �2�0�1�0�.� �g�a�d�a� �2�8�.� �m�a�i�j� �1�3�:�2�1�(

    �T�o�:� �’�R�o�n�n�i�e� �B�e�e�r�n�a�e�r�t�’�(

    �C�c�:� �M�a�r�t�i�n�s� �B�e�r�k�i�s�-�B�e�r�g�s�;� �

  5. Dear Brian.

    Can you publish the mail from Vladimir Tsastsin in the original language, without translation?

    • I also vote for that – although my Russian language knowledge is somehow limited ;)

      Brian,
      thanks for providing interesting topics,
      just typo error in that translation I think:
      itconsluting.ee -> itconsulting.ee

  6. Don’t you have anything else to do with your time rather than be Mr. Cyber Detective?

