Last week, the world got the first glimpses of a man Russian authorities have accused of being “Paunch,” a computer crime kingpin whose “Blackhole” crimeware package has fueled an explosion of cybercrime over the past several years. So far, few details about the 27-year-old defendant have been released, save for some pictures of a portly lad and a list of his alleged transgressions. Today’s post follows a few clues from recent media coverage that all point to one very likely identity for this young man.
The first story in the Western media about Paunch’s arrest came on Oct. 8, 2013 from Reuters, which quoted an anonymous former Russian police detective. But the initial news of Paunch’s arrest appears to have broken on Russian news blogs several days earlier. On Oct. 5, Russian news outlet neslushi.info posted that a hacker by the name of Dmitry Fedotov had been arrested the night before in Togliatti, a city in Samara Oblast, Russia. The story noted that Fedotov was wanted for creating a program that was used by various organized crime groups to siphon roughly 26 billion rubles (USD $866 million) from unnamed banks. Another story from local news site Samara.ru on Oct. 8 references a Dmitry F. from Togliatti.
This is an interesting lead; last week’s story on Paunch cited information released by Russian forensics firm Group-IB, which did not include Paunch’s real name but said that he resided in Togliatti.
Fast-forward to this past week, and we see out of the Russian publication Vedomosti.ru a story stating that Paunch owned his own Web-development company. That story also cited Group-IB saying that Paunch had experience as an advertising manager. This Yandex profile includes a resume for a Dmitry Fedotov from Togliatti who specializes in Web programming and advertising, and lists “hack money” under his “professional goals” section. It also states that Fedotov attended the Volga State University of Service from 2003-2005.
That Yandex profile for Fedotov says his company is a site called “neting.ru,” a Web development firm. The current Web site registration records for that domain do not include an owner’s name, but a historic WHOIS record ordered from domaintools.com shows that neting.ru was originally registered in 2004 by a Dmitry E. Fedotov, using the email addresses email@example.com and firstname.lastname@example.org.
A cached contact page for neting.ru at archive.org shows the same email@example.com email address and includes an ICQ instant messenger address, 360022. According to ICQ.com, that address belongs to a user who picked the nickname “tolst,” which roughly translates to “fatty.”
This brings up something I want to address from last week’s story: Some readers said they thought it was insensitive of me to point out that Paunch himself called attention to his most obvious physical trait. But this seems to be a very important detail: Paunch had a habit of picking self-effacing nicknames.
The pictures of Paunch released by Group-IB show a heavyset young man, and Paunch seems to have picked nicknames that called attention to his size. One email address known to have been used by the Blackhole author was “firstname.lastname@example.org” (“paunchik” means “doughnut” in Russian). Blackhole exploit kit users who wished to place their advertisements in the crimeware kit itself so that other customers would see the ads were instructed to pay for the advertisements by sending funds to a Webmoney purse Z356971281174, which is tied to the Webmoney ID 561656619879; that Webmoney ID uses the alias “puzan,” a variant of the Russian word пузо, or “potbelly.”
Turns out, “tolst” was a common nickname picked by Paunch. We can see a user who picked that same “tolst” nickname posting in a Russian car forum in March 2013 about his new ride: a white Porsche Cayenne. According to this photo released by Group-IB, Paunch also owned a white Porsche Cayenne. Tolst posted pictures of the interior of his Porsche here.