I spoke this week at Govcert 2011, a security conference in Rotterdam.  The talk drew heavily on material from my Pharma Wars series, about the alleged proprietors of two competing rogue Internet pharmacies who sought to destroy the others’ reputation and business and ended up succeeding on both counts. Here is the latest installment.

For those who haven’t been following along, I’ve put together a cheat sheet on the main players, the back story and the conflict. Click here to skip this section.

Actors

Pavel Vrublevsky: Co-founder and Former chief executive officer of ChronoPay, until recently a major processor of electronic payments in Russia. Vrublevsky has been accused of running an illegal business, a rogue Internet pharmacy affiliate program called Rx-Promotion, and is currently in prison awaiting trial on unrelated cybercrime charges. Known to business partners as “Red” or “RedEye.”

Igor Gusev: Co-founded ChronoPay with Vrublevsky in 2003. Had a falling out with Vrublevsky in 2005, left ChronoPay and started the Internet pharmacy affiliate programs GlavMed and SpamIt. The latter was closed in Sept. 2010, and Gusev has been charged with running an illegal business. He is still at large.

Dmitry Stupin: Gusev’s right-hand man. Helped to build SpamIt and GlavMed. The logs below are from a set of logs leaked to several download sites that contain thousands of conversations between Stupin and Gusev. The logs were obtained shortly after the police detained Stupin as part of the criminal investigation into Gusev.

Conflict: Two former business partners-turned-competitors try to sabotage each others’ business and to get the other arrested.

The Conversation

The conversation below takes place between Feb. 21 and 23, 2010, and is a chat log between Gusev and Stupin. Gusev already knows there are plans to file criminal charges against him, which indeed come just seven months after this conversation was recorded. The two are discussing plans to pay more than $1.5 million to politicians and law enforcement to obtain a criminal prosecution of Vrublevsky.

Several attendees at Govcert 2011 asked about the likelihood of Vrublevsky serving time, if convicted. This chat may provide a clue. In the middle of the following conversation, Gusev says he has secured promises that if arrested, Vrublevsky “would remain in prison and would not be able to pay his way out,” Gusev wrote. “He is going to lose a large portion of his business and will be left with no money to fight the war.”

Gusev: Latest news – all the materials to start a criminal case were given to prosecutors on Friday. After holidays I am going to get some information regarding “what” and “who”. Are we meeting on 24th?

Stupin: Yes we are meeting on 24th.

Stupin: Shaman’s stuff got broken, everything is declined. I cannot come to Moscow, as usual. I broke my leg in Turkey.

Gusev: Really??? Is it really broken?

Stupin: Yes.

Stupin: Here. hip-notics.com.  I was learning how to do somersault doing Aerial skiing (freestyle).

Gusev:  In reality, I think it’s for the better. There is no need for you to go to Moscow. After the holidays I am going to get the information which was received by the prosecutors’ office, however I am planning to leave from here for a couple of months. This is extremely serious, this is not just articles in newspapers.

Gusev: Write down my new number. It used to be 325667.9. 20к (5k are going to the middleman and 15k are going to a person from prosecutors’ office). 5к (for the search of materials regarding Pasha’s case); $2к (to lawyer for compromising materials and Newsweek); summed up to: 298667.9

Stupin: Okay.

TWO DAYS LATER:

Gusev: I need a piece of advice: I found a person who is willing to help me in situation with Red. He has a proven scheme, because he is a very strong lawyer. A real fixer-upper. For his service, along with very large sum of money, he is asking for something in return — he is asking to help his friend – a very famous webmaster, who faced similar problem as the one we are facing, and who was saved by that person. This “friend” is not doing anything right now.  This lawyer is asking us to help him with establishing on-line pharmacy affiliation (partnerka). I am not glad with this proposition to create our own competition, however, out of all people I talked to, only this person offered a structured solution to the problem, giving us hopes.  People from Volleyball Association can and will cover us, using their FSB connections, but they can do very little with Prosecutors’ Office, they can only prolong the legal proceedings. They will also not be able to prosecute Red. The person who we are asked to help is my old acquaintance – Pet – the owner of лолного – billing of billcards (sunbill). [For more information on the role of the Russian Volleyball association in this story, see Pharma Wars: Purchasing Protection].

Stupin: Let’s offer him to create “us” under his own brand.

Gusev: We have already tried doing this.  He is going to leave on his own. IMHO the ideal way is to offer him our clone as 50-50 partnership. I have not offered anything to anyone yet before knowing your opinion. I cannot say no, otherwise, the “fixer-upper” is not going to take our case (even if we give him as much money as he asks for) In that case I will have to do everything by myself (I know how to do it and even have several people, who can split the whole scheme step by step and execute them). However, this way, there is very high chance that they will take the money, but will do nothing. Or will milk me and Red at the same time, making double the money, and, again, do nothing.

Stupin: It’s not a problem at all,  they have tried so many times to do something with us – and have not followed through on their own. Our sites are publicly available, there is no risk to process orders from trusted sites.

Gusev: Hosting is ours, tech support is only ours. We will not give the software. Maintenance is also ours.

Stupin; Yes, we are giving them the sites, they will redo them, giving them API for the affiliation (partnerka).

Gusev: ок, I will try to bound them by these conditions. Do you want to know how much the service regarding Red cost?

Stupin: Sure. I have just arrived, with my leg, I can’t really think straight.

Gusev: 1.5 million.

Stupin: Oh, God!!! What does he promise for that?

Gusev: He promises that Red would remain in prison and would not be able to pay for his way out + he is going to lose a large portion of his business and will be left with no money to fight the war.

Gusev: I do not want to write all the details here on Jabber, that is why I wanted to meet. I am gathering the money for him, and for your for the office, and I am leaving for 2-3 months.

Stupin: ok, are you going to bring money for the office?    Let’s meet at that time? Because I am going to get stuck for approximately a month with my leg.

Gusev: Yes, I am trying to gather enough money. Pasha is helping me, but with very small sums and when he has available money, not when I need it.

Gusev: Can we borrow from your brother? At most 150-200к?

Stupin: Yes, I will do it. Some time ago I rented a house in Moscow suburbs, and the owner offered to rent with his help,   I have his e-mail and the phone number, he is mature, calm, we can try.

Gusev: Could you find out his requirements?

Stupin: Okay, I will call.

Rove Digital, the company run by six men who were arrested in Estonia this week for allegedly infecting four million PCs worldwide with malware, was an early investor in ChronoPay, a major Russian payment processing firm whose principal founder Pavel Vrublevsky also is now in prison and awaiting trial on cyber crime charges, KrebsOnSecurity has learned.

Estonian authorities on Tuesday arrested Rove Digital founder Vladimir Tsastsin, 31, along with five other Estonian nationals indicted on charges of running a sophisticated click fraud scheme. Yesterday’s blog post details Tsastsin’s criminal history, and his stewardship over Rove and a sister firm, EstDomains.. Today’s post will reveal how Tsastsin and his company were closely allied with and early investors in ChronoPay, and how that relationship unraveled over the years.

In my Pharma War series, I’ve published incorporation documents showing that Igor Gusev, a man currently wanted in Russia on criminal charges of running an illegal business in the notorious pharmacy spam affiliate programs GlavMed and SpamIt, was a co-founder of ChronoPay back in 2003. That series also details how Gusev sold his shares in ChronoPay, and that Vrublevsky later started a competing rogue pharmacy/spam operation called Rx-Promotion.

A spreadsheet showing front companies tied to ChronoPay.

It turns out that ChronoPay also had two other major and early investors: Rove Digital and a mysterious entity called Crossfront Limited. This information was included in the massive trove of internal ChronoPay emails and documents that was briefly published online last year and shared with select journalists and law enforcement agencies. Among those documents is a spreadsheet (XLS) listing all of the various shadowy companies allegedly owned and managed by ChronoPay founder Pavel Vrublevsky and associates. It lists ChronoPay B.V., the legal entity in The Netherlands that formed the initial basis of the company, as jointly owned by Gusev’s firm DPNet B.V., Red & Partners (Vrublevsky’s adult Webmaster provider) and Rove Digital OU.

When I met with Vrublevsky at his offices in Moscow in February of this year, he confirmed that Tsastsin was an old friend and that Rove Digital had been a key shareholder in the company. Further evidence of the connection between ChronoPay and Rove Digital is provided in a series of internal ChronoPay emails from May 2010.

At that time, ChronoPay was under investigation by Dutch banking regulators who suspected that the company’s intricate network of front companies and financial channels were acting in violation of the country’s anti-money laundering laws. In a tersely-worded email exchange, the Dutch bank  demanded a slew of additional accounting and administrative records, including “all documents that show the structure of ChronoPay BV, such as statutes, incorporation documents, names and addresses of director(s) and shareholders.”

The following email thread from ChronoPay executives shows how they struggled to discover the identity of the original principal shareholders of their own company:

From: Martins Berkis-Bergs [mailto:mbb@chronopay.com]

To: Rob Peters

Subject: ChronoPay BV – Info

Could you please send me the directors’ names for each shareholder of ChronoPay BV? (i.e. Red&Partners B.V., DPNet B.V., ROVE Digital Ou, Crossfront Limited)?

==

Reply from: Anna Boguslavchik [mailto:a.boguslavchik@chronopay.com]

To: Martins Berkis-Bergs [mailto:mbb@chronopay.com]

The thing is that we don’t have acting director appointed now and we need to have some documents for the bank signed urgently (Sasha Panin already told you that). According to the charter we need to have shareholders appoint someone as the signatory for the company. And for this we need signatures of all directors of the shareholding companies.

Here’s the info on the shareholding companies:
DP Net B.V. – 45 class B shares, director – someone named Terekhov
RED&Partners B.V. – 135 shares (45 class B and 90 class A). Ronnie was the director (see Martins’ email below). Martins has no info on who’s the director now.
Rove Digital OU – 45 class B shares. No information on who’s the director.
Crossfront Limited – 45 class B shares. No information on who’s the director.

If the bank is OK with this, we can prepare the decision of shareholders document in the form that I told you about yesterday.

==

It makes sense that Tsastsin’s Rove Digital was an early investor in ChronoPay: The two businesses served many of the same clients. Indeed, several messages between Vrublevsky and Tsastsin show the two men routinely turned to one another for favors over the years. In one email thread, Vrublevsky asks Tsastsin to set him up with several Web servers to help host torrent trackers for an MP3 business Vrublevsky is supporting.

But somewhere along the way, the relationship soured, and Vrublevsky and his executives grew either unwilling or unable to accommodate requests from Tsastsin. The following is the final email from Tsastsin to Vrublevsky, in which the former complains about a favor he asked of Vrublevsky that was promised but never delivered:

From: Vladimir T. <vladimir@itconsluting.ee>

To: Vrublevsky, Pavel <p.vrublevsky@chronopay.com>

Subject: patience

I never asked you for anything before, and was always really patient with you. Now I’m writing you because I can’t take this anymore. I asked you for help my friends with payment processing 4 months ago. Both Jan and Misha ignored the guy for 4-5 months, no one can arrange processing for him.

I will not list every favor I did for you personally and for ChronoPay. One day you needed my consultation on something, another day you need servers for running torrent [trackers], and we aren’t even charging you for them. Then you need us to create a statistics page for Fethard and to help you detect fraudsters. In summary – we do everything you ask for. And in return I’m not getting shit.

I wrote them myself and asked Jan personally with a cc/ to Abramov. They either blame Misha or suddenly their notebook gets broken or they have a vacation…. They drag this on for 5 months, it’s insane! I don’t know what to tell my friends, my reputation with them is ruined.

I will not continue to describe all this nonsense to you. What I want from you is to kick their asses really hard so that they do it immediately once and for all. I will be away on business for two days and if I get no reply from them by the time I return I will not be asking you or them for anything anymore since this relationship is a one-way street.

Have a nice day. I’m sick and tired of this.

A Moscow court on Monday denied bail for Pavel Vrublevsky, a Russian businessman who was charged earlier this year with hiring hackers to launch costly online attacks against his rivals. The denial came even after Vrublevsky apparently admitted his role in the attacks, according to Russian news outlets.

Vrublevsky in 2004

Vrublevsky, 32, is probably best known as the co-founder of ChronoPay, a large online payment processor in Russia. He was arrested in June after Russian investigators secured the confession of a man who said he was hired by Vrublevsky to launch a debilitating cyber attack against Assist, a top ChronoPay competitor. The former ChronoPay executive reportedly wanted to sideline rival payment processing firms who were competing for a lucrative contract to process payments for Aeroflot, Russia’s largest airline. Aeroflot’s processing systems faltered for several days in the face of the attack, an outage that Aeroflot says cost the company about a million dollars a day.

Vrublevsky’s lawyers asked the court to release him pending a trial in December — offering to pay 30 million rubles (~ USD $1 million) — but the court denied the request.

Vrublevsky co-founded ChronoPay in 2003 along with Igor Gusev, another Russian businessman who is facing criminal charges in Russia stemming from his alleged leadership role at GlavMed and SpamIt, sister programs that until recently were the world’s largest rogue online pharmacy affiliate networks. Huge volumes of internal documents leaked from ChronoPay last year indicate Vrublevsky co-ran a competing rogue Internet pharmacy — Rx-Promotion — although Vrublevsky publicly denies this.

Vrublevsky and Gusev have been locked in an increasingly heated and public battle to ruin the others’ business, a saga that I have chronicled in an ongoing series: Pharma Wars.

According to Russia’s Interfax news agency, Vrublevsky faces punishment under two articles of the state’s criminal code – illegal access to computer information, and the creation, use and dissemination of harmful computer programs. Both involve imprisonment for three to seven years.

Stanislav Maltsev

Russian newspaper Vedomosti writes that Vrublevsky’s guilty plea will be considered by the court as a mitigating circumstance, and that his sentence will not exceed five years. “And considering the fact that attacks on computer systems – a relatively new type of crime is not a particularly dangerous for the society, the term most likely will not exceed three years and may be conditional,” the publication notes.

The Vedomosti story also observes an interesting fact: One of the lawyers representing Vrublevsky is Stanislav Maltsev, whom Vrublevsky hired in 2007 to be his head of security. Prior to joining ChronoPay, Maltsev was a Russian MVD official in charge of leading an earlier criminal investigation against Vrublevsky, one that ultimately went nowhere.

In June 2011, Russian authorities arrested Pavel Vrublevsky, co-founder of ChronoPay, Russia’s largest processor of online payments, for allegedly hiring a hacker to attack his company’s rivals. New evidence suggests that Vrublevsky’s arrest was the product of a bribe paid by Igor Gusev, the other co-founder of ChronoPay and a man wanted by Russian police as a spam kingpin.

Igor Gusev, in an undated photo taken at a family birthday celebration.

Two years after forming ChronoPay in 2003, Gusev and Vrublevsky parted ways. Not long after that breakup, Gusev would launch Glavmed and its sister program SpamIt, affiliate operations that paid the world’s most notorious spammers millions of dollars to promote rogue Internet pharmacies. Not to be outdone, Vrublevsky started his own rogue pharmacy program, Rx-Promotion, in 2007, contracting with some of the same spammers who were working at Gusev’s businesses.

By 2009, the former partners were actively trying to scuttle each others’ businesses. Vrublevsky allegedly paid hackers to break into and leak the contact and earnings data from GlavMed/SpamIt. He also reportedly paid a man named Igor “Engel” Artimovich to launch a volley of distributed denial-of-service (DDoS) attacks against SpamIt.

Gusev told me he long suspected Artimovich was involved in the attacks, and that he had information that Vrublevsky hired Artimovich to attack ChronoPay’s rivals while they were locked in a competition for a lucrative contract to process online payments for Aeroflot, Russia’s biggest airline.

Last month, hundreds of chat conversations apparently between Gusev and his right-hand man, Dmitry Stupin, were leaked online. They indicate that Gusev may have caused Vrublevsky’s arrest by paying Russian law enforcement investigators to go after Artimovich.

Over the past year, Gusev has insisted in numerous phone interviews that the increasingly public conflict between him and Vrublevsky was not a “war,” but more of a personal spat. But if the chat below is accurate, Gusev most certainly viewed the conflict as a war all along.

The following is from a leaked chat, allegedly between Gusev and Stupin, dated Sept. 26, 2010. The two men had already decided to close SpamIt, and were considering whether to do the same with GlavMed. “Red,” mentioned twice in the discussion below, is a reference to Vrublevsky, also known as “RedEye.”

Gusev: $2k from HzMedia to China – it’s mine. We also need to send additional money for salaries plus double bonus to Misha (Michael). I have already paid $50k for Engel’s case (20к – forensics, $30к – to speed up the starting of the criminal case)

Stupin: Why have you paid for Engel’s case ? I was even against paying for the Red’s case. Why pay for Engel’s?  What is the point?

Gusev: To my mind, you do not fully understand what’s been going on for the last year. Paul has a plan to either throw me into jail or end me. His intentions are totally clear. There are only two choices: 1 – do nothing, and pay nothing to nobody, and at the end either go to jail or keep hiding until all the resources are exhausted; 2 – do the same thing, as he is doing, with the same goal.

Gusev: Any war costs money, resources and nerve cells. You cannot go to war little-by-little, you either fight to the end, or do not start it at all. Engel is going to harm us all the time…If there is any potential opportunity to take him out of the game, spending not too much money, we have to use such an opportunity. $50к – is very little comparing to the losses we’ve had because of his DDoS attacks and comparing to future losses if he is going to DDoS us again. Now he is aware that he is being investigated by law enforcement and he keeps a low profile. He only sends nasty ICQ messages to Andrey.

Gusev: There is also a third choice, when nothing is directly linked to you, but money keeps coming. So, decide what we are going to do with all of this. You either agree with my decisions regarding the war expenses, which you do not like, or do not agree with them. In the latter case, we should re-evaluate our income distribution from the business, and I will finance [the war] from my increased share,  I cannot step aside and do nothing.

Stupin: I do understand it, however, what’s Engel’s role? There is nothing to DDoS anymore.

Gusev: I do not want to close down GlavMed completely. Absolutely do not want to It’s better to take it underground, and, additionally, open up SpamIt under a new brand name. We are waiting for some news in October to make our final decision. Engel is absolutely positive that he can do anything he wants to under Red’s protection. You should read his messages to Andrey. However, even with all this sense of being untouchable he is no longer that impudent.

Gusev: I will be in mobile Jabber until tomorrow night. Send messages there.

Stupin: So, I am against paying $50k for Engel.

Leaked online chats between the co-owners of the world’s largest pharmacy spam operation reveal the extent to which illicit organizations in Russia purchase political protection, and bribe public officials into initiating or stalling law enforcement investigations.

Last month, there was a leak of more than four years of chat logs seized by Russian police who had arrested and interrogated Dmitry Stupin, allegedly the co-owner of GlavMed and the now-defunct SpamIt, organizations that paid spammers millions of dollars each month to promote fly-by-night online pharmacies.

In the the Jan. 9, 2010 chat between Stupin and Igor Gusev, the alleged other owner of GlavMed and SpamIt, Gusev has just learned that he and his operation are under investigation by Russian authorities (Gusev would be formally charged with illegal business activities in October 2010, forcing the closure of SpamIt). Gusev says he may be able to purchase shelter from the charges by funneling money to key Russian politicians who have influence over investigators.

Specifically, Gusev suggests purchasing a sponsorship of the Volleyball Federation of Russia. The price tag for this is an official sponsorship fee of 10 million rubles (about $350,000 USD), plus $150,000 in cash. The official head of the federation, Nikolai Patrushev, is a powerful man in Russian law enforcement. Patrushev was director of the Russian FSB, the successor organization to the KGB, from 1999 to 2008; he has been secretary of the Security Council of Russia since 2008.

Sources say it is typical for Russian sport leagues and charities to be used as vehicles for funneling money into the pockets of policymakers. One example comes from a book by Lennart Dahlgren, former head of the Russian division of Swedish furniture maker IKEA. In Despite Absurdity: How I Conquered Russia While It Conquered Me, Dahlgren writes of having to pay bribes of 30 million Rubles ($1 million USD) to Russian charities that helped funnel money to bureaucrats and top officials.

In this chat, translated from Russian into English, Gusev mentions that a close friend of his family is a director general of the Volleyball Federation;

Gusev: We have big problems. Register fake mailbox somewhere. I will send you something very important.

Gusev: Let’s move Jabber to a new server and encrypt it. We’ll have a trusted communication channel. Everything is very bad

Gusev: asdas12334@mail.ru / mgadjadtwa2009. check the e-mail.

Gusev: Are you reading?

Stupin: Yes. Do not know what to say.

Gusev: There is nothing to say. We have only two ways: find someone from law enforcement, pay up and be under protection [or] be placed in jail for 7-9 years and do self-analysis. I have one more way out, but I could not decide regarding it in December, because it was very expensive. It is about 10 million rubles officially and 150K under the table.

Gusev: Red [ChronoPay CEO and former business partner Pavel Vrublevsky] is such an asshole. Leaked information about the whole scheme in hopes to get me arrested. Now, everyone is under investigation. Does your brother have any connection “high above”?

Stupin: No.

Gusev: I asked “just in case”. I will try to get sponsorship of Volleyball Federation (Patrushev is its president). Maybe it’s a good idea for you to go somewhere, to Turkey, for example, until we know if we are going to be either squashed or milked. One good thing: nobody has asked about you yet.

Stupin: No, thank you. Who told you about volleyball? It is a public organization, its financial books are open.

Gusev: Close family friend – general director of that association. He helped Russian Standard [popular brand of Russian Vodka] when they were getting squashed.

Stupin: Maybe we’ll give him this money? Federation has open books, if someone wants to take money from it — it is going to be noticed.

Gusev: What am I going to tell Andrei about prosecutors’ office? I do not want to scare him, but he has to be in the loop. Maybe we’ll suggest him to go to Turkey again?

Stupin: Do you think we need to notify him now? Let’s wait, if they summon you – then we’ll tell him, but not now.

Gusev: What if they do not summon me, but will come directly and interrogate me and confiscate the servers?

Stupin: Yes he is waiting for it for several months already.

Gusev: Ok, let’s not do it now. Let’s move Jabber to another domain.

Stupin: Yes, get rid of “despmedia”,  close domains, liquidate the firm, and finally make the founder (of the company) from somewhere abroad. Changing location will not give us anything.

Gusev: I removed everyone from the firm, I am alone there. Liquidation is in progress. The office is leased by a company, which I have no relationship with.

Stupin: Very well. I will tell Andrei to get new IPs and domains.

Gusev: Okay.

Stupin: (to andy@im.despmedia.com): Despmedia.com, where is it physically?

Andy: Server is in Russia, but there are several proxies there.

Stupin: Can you let me know what’s going on there?  Let me read the message trail. I need to know where the leak of information is. Red, when he wanted to fight with everyone, told our Law Enforcement about the whole idea of on-line pharmacy.  Now they are looking who to milk.

Andy: We do not keep Jabber logs. Chat is encrypted, it’s impossible to connect to server without chat client configured with SSL.

Stupin (to Gusev): I had to tell him something… Came out OK, I think.

Gusev: OK.  I will use the same story.

Stupin: But it’s the truth.

Gusev: Yes, but omitting the details.

Gusev: Let’s talk less regarding work and money over the phone. Only if it is urgent. I ordered two payments from Despmedia [the legal entity that owns GlavMed and other businesses tied to Gusev]. This is to Volleyball association/FSB. In the morning, please, make sure that money got transferred.

Russian Vice Premier Sergei Ivanov (left) and ChronoPay co-founder Pavel Vrublevsky at a Russian Basketball League game, April 2011.

In May 2011, Gusev told me that he was a paid sponsor of the Russian Volleyball League, hoping to persuade someone to stop the criminal case against him. Gusev is convinced, and other leaked documents confirm his suspicions, that law enforcement interest in his activities was paid for by his former business partner turned competitor Pavel Vrublevsky.

In late 2010, Vrublevsky secured a sponsorship of the Russian Basketball League for his employer, ChronoPay, until recently Russia’s largest processor of online payments. The basketball league is headed by Sergei Ivanov, a former KGB officer who was tapped by Russian President Vladimir Putin as deputy prime minister of Russia.

“All that I wanted was to speak with someone from FSB [who] was making this [case] for Pavel, and to persuade them to stop all this conflict before it’s too late,” Gusev said. “Unfortunately, this didn’t help me very much.”

It apparently didn’t help Vrublevsky much either: the former ChronoPay executive and reputed co-owner of the illicit Rx-Promotion rogue Internet pharmacy program now sits in a Moscow prison, awaiting trial on charges of hiring a hacker to launch Internet attacks against his company’s competitors.

Earlier this year, Russian police arrested Dmitry Stupin, a man known in hacker circles as “SaintD.” Stupin was long rumored to be the right-hand man of Igor Gusev, the alleged proprietor of GlavMed and SpamIt, two shadowy sister organizations that until this time last year were the largest sources of spam touting rogue Internet pharmacies.

According to several sources who are familiar with the matter, Russian police pulled Stupin off of a plane before it left Moscow. The police also reportedly took Stupin’s MacBook and copied its contents. The police detained Stupin as part of an investigation into Gusev launched nearly a year ago. Gusev fled his native Moscow last year and has not returned.

Sometime in the past few days, more than four years’ worth of chat conversations — apparently between Stupin, Gusev and dozens of other GlavMed employees — were leaked. Those conversations offer a fascinating glimpse into the day-to-day operations one of the world’s largest cyber criminal organizations.

The chat logs also catalog the long-running turf battle between Gusev and his former business partner, Pavel Vrublevsky. The two men were co-founders of ChronoPay, one of Russia’s largest online payments processor. Vrublevsky is now in jail awaiting trial on charges of hiring a hacker to attack his company’s rivals. He also has been identified as a co-owner of a competing rogue pharmacy program, the now-defunct Rx-Promotion.

I have had numerous interviews with both Gusev and Vrublevsky, both of whom accuse one another of bribing Russian law enforcement officials and politicians to initiate criminal proceedings against each other.

While there is no direct evidence Vrublevsky paid for a prosecution of Gusev, documents stolen from ChronoPay last year by hackers indicate that the company arranged to pay the salaries of several people on the Russian Association of Electronic Communications (RAEC). Those same documents show that Vrublevsky and RAEC members were closely involved in the investigation into Gusev the months and weeks leading up to the official charges against him.

The chat records between Stupin and Gusev, a tiny sliver of which is translated here from Russian into English, suggest that the two men paid authorities for protection. Contacted via email, Gusev declined to say whether the chats logs were legitimate or comment further, explaining that he was still reviewing the documents.

“If at least some of these logs are legit, then it means that I was telling the truth about paid criminal case against me initiated by Pavel and his constant connection with investigators,” Gusev said. “I know for sure that Pavel had access to evidences which were gathered by the investigators while he shouldn’t have such access. Before I just didn’t have any proof for this. Now I have.”

The latest leaked archive contains more than 166 megabytes of chat logs, allegedly between Stupin, Gusev and others. The following chat log is dated Aug. 28, 2010, just days after Vrublevsky leaked the SpamIt and GlavMed affiliate and customer data to U.S. law enforcement agencies. In this conversation, Stupin and Gusev allegedly discuss whether to close SpamIt (SpamIt would be closed a month later). “Red” in the first sentence is a reference to Vrublevsky, well known to use the hacker alias “RedEye.”

Gusev: It looks like I am in deep shit.  Red gave our database to Americans.

Dmitriy Stupin

Stupin: To which Americans?

Gusev: I can’t tell exactly, yet. Probably to FBI or Secret Service. Have you read on Krebs’ blog about meeting at White House regarding illegal pharmacy problems on the Internet?

Stupin: No.

Gusev: http://krebsonsecurity.com/2010/08/white-house-calls-meeting-on-rogue-online-pharmacies

Stupin: Maybe you return back to Russia?

Gusev: I am planning to do that. I am really worried now

Stupin: What about Red? For that money. May be let’s close down everything?

Gusev: In any case, he will be squished to the end. Everything is done pretty properly. Chronology: – He got thrown out from major banks (Masterbank, Bank Standard and almost from UCS. Too many clients left him. Investigations have been made on data regarding processing. Major issue now – close down the channel via Azerbaijan  (the only place where he can do his own processing and processing for his clients). We need him have an acute issue with money, otherwise he is going to slow down the investigation as much as he can.

Gusev: Do you think “closing down” will help? Just realize: they have our ENTIRE database… there are 900,000 records. What are we going to do with those? For conviction and 5-year jail time it is only necessary to prove 1 transaction! What is the worst? They combine the sentences and it is possible to get 5 life sentences.

Stupin: I think yes, we will receive lower priority.

Gusev: And who is considered a high priority? I am trying to figure out how he gave us up, and do the same for him. There will be 2 cases instead of one.

Stupin: In reality if everything is going to proceed, the publicity is going to happen in a year, if we are not functioning for a year, there is no reason for publicity. And in 3 years everyone will forget about us. If we continue operations, it’s going to be undeniably worse, and if we stop — hopefully, it’s going to be better. There is no ultimate decision here, there is probability, and we can either increase or decrease it.

Stupin: I believe, you now understand that the money is not the main thing in life.

Gusev: You do not know how justice in USA works. They have no “statute of limitation”. They absolutely love big cases about hackers, carders, and spammer. Young prosecutors make careers out of such cases and do everything possible to find prooves for such processes. Here is the latest example: arrest of Badb (carder) in airport in Nice: http://www.nytimes.com/2010/08/24/business/global/24cyber.html He was investigated since Cardplanet collapse. He got sentenced in 2009 and they received OK to extradict him, and that’s it, after that it was only a matter of time till his arrest.

Gusev: I also think we need to shut the operations down, because it’s an absolute disaster

Stupin: I am not talking about “statue of limitation”, I am talking about publicity; the more noise, the more motivation they have and the larger sentence. Just imagine, if we have not functioned for 1/2 year or 1 year, would your life be easier?

Gusev: There was another case, where FBI broke into DDoS (denial of service) server to collect evidence and judge admitted that evidence in court — it’s an absolute precedent in their law proceedings. Our FSB [former KGB] made a case out of it later ) One moment… I will find info about it.

Gusev: My life is much easier already for the past year. I have only one desire – run to Taiga [remote forests in Siberia] and do not have access to the Internet for a year.

Stupin: Do not bother to look for the info (regarding the DOS case). You are correct in your desire [about running to woods]. Buy a lake in Altaj Republic and build a resort there.

Gusev: I tend to think about Irkutsk and Baikal. I have very good friends in local government there

Stupin: Very well. I can do a project on wakeboarding, which will almost positively be profitable.

Gusev: Great! Did it get started for you?

Stupin: No, but I know how NOT do do it.

Gusev: Regarding closing down — I think we need to shut down SpamIt first.  In a month or 1/2 month — GlavMed. I am planning to fly back now and fabricate a case against us to get sentenced in Russia with publicity. We need to accurately give top positions of our [search engine optimization] to Lesha (Aleksey); at least it will bring some money.

Stupin: Let’s not do it, let Lesha go up on his own.

Gusev: Has Andrey told you about it? andy@imjabber.com. I have a gravely important question. Theoretically, I can add several hours to “work day”, plus increase productivity.  Is there hope for me in 2-3-4 years to make enough money for Dima’s  house in Turkey? I cannot save money. This is gravely important question. You are right. Dima and I will think about it.

Stupin: He told me that same thing 1/2 a year ago.

Gusev: Maybe offer him an affiliate program? Give him 1/3 and let him transfer our SEO onto himself, but only based on new companies and accounts. I already have one new company; I found an acceptable nominal price. It is painful to just give our SEO to Drugrevenue and Rx-partners. Look it’s been holding its position for a year. Such a margin of stability.

Stupin: Well, it has dropped 2-3 times for the last 1/2 a year, and it is very unstable. If Shaman closes down tomorrow, we’ll have a lot of money sunk there and a lot of debts to advertisers. And we will have to pay them out of our own money, if we accurately close down, we might avoid the risks.

Gusev: Am I looking at wrong data? https://mtw8.srvz.net/shop/statistics/stat_orders.jsp. It’s for this August and August of 2009. The difference is 400k of monthly turn-around. Taking in consideration absence of “master” — IMHO it is great. Why Shaman has to close down tomorrow?

Stupin: Yes, but I am considering the profits we are taking, and stability of revenue.

Gusev: I talked to him: the political decision of “Raif” [?] is to keep the pharmacy as long as possible.

Stupin: And amount of money on the account and our debts to advertisers and suppliers.

Gusev: Yes, the stability got decreased after our departure from Latvia. They worked [like a] Swiss watch.

Stupin: The same “political” decision can be turned 180 degrees tomorrow.

Gusev: Maybe, maybe, what a pity. I also talked to Max and Mark – they will take new pharmacy of Lesha.

Stupin: Looks like money is still your priority.

Gusev: Is it really okay for you to lose such an income? It’s extremely hard for me to take, since I have no idea how to earn even 1/5 of it offline.

Stupin: It is really okay for me. There is enough money, do you need more to pay lawyers against the competition? You will not be happier. It is such a moment now that we can close down the project earning a little more, however, in the future there is a risk that the project will collapse on it’s own with even more financial losses.

Gusev: You’re right, but it is hard for me to make such a decision. It’s not the matter of money, but in business, which makes money. Write me your ideas on how we should shut down. I do not know how much time is required to resolve all the issues. USA have complicated everything to resolve the issue with Pasha [Pavel Vrublevsky). If he somehow finds a lot of money, it might require up to 1 million. However, so far, whatever we already paid is enough.

Stupin: Debts to suppliers : $150,000. To advertisers $1,100,000. What we have on our account: $800,000. Therefore, the balance is: -$450,000. This is the real numbers of our business, whatever we have invested does not reflect the actual truth. As you remember, we have been withdrawing very little from the account recently.  Therefore, we can say that the project is going down on its own. I will write you the strategy on what we need to do.

Gusev: Do not write it as additional points why we need to close down. I've already accepted that it cannot be avoided We have enough points already. I am interested in your ideas. For example, I want to make an official statement about us closing down, a little noise to calm down the Americans.

Stupin: Okay.

Gusev: To give a spot of "spammer number 1" to Pasha [Pavel Vrublevsky] and Yura [Yuriy Kabayenkov].

Stupin: Here is what we have now: Account balance is $800,000. We have to pay $1,100k to advertisers. We have to pay 150к to suppliers. Here is what we pay at liquidation in any case: Andrey’s compensation: $60к; Sasha’s (Alexander’s) compensation: ~$50к; Compensation to the staff ~$100. Resume: $660к of money, which we need to pay in any case, but cannot pay now. Shaman marked by 30.08 $450k in payments, therefore, we can balance everything to $0. Pessimistic outlook is if Shaman is going to be shut down.  We will end up with debt of 500-1000k, which we will have to pay. The business perspective is not rainbow-like, especially, taking in consideration the risk we take all the time and the expenses linked to it.

Plan of action: In any case, whether we liquidate or not: set commissions to 40% maximum, lower it down for those whose commission is 45%. With participation of Latvia we could afford a lot of transactions with low profitability.  However, we cannot afford the same with “shaman’s” unstable payments and with other small processing parties, which we cannot control and whether we are getting money from them or not. However, such a decision will deter “to pav”; the number of transactions will go down, we will not have a lot of losses, since we are on the brink of profitability. Turning off the affiliate (partnerka) is going to be easy.

Within two month: 20% of increase prices in shops, this will add profitability, but will decrease the number of advertisers. In case if revenue is going to rise sharply together with  profits, we will have time to change our decision within 1.5 months inventory of personnel, servers to increase profitability and moral preparation of everyone to potential end two weeks before the liquidation. Tell the staff about shutting down the operation, promise them compensation in amount of their normal salary if they finish the job well. Andrey and Sasha will be notified separately. Notify advertisers about shutting down off operations, increase whatever is left on e-Passporte and WebMoney, begin to hold payments to suppliers not to overpay, since usually we do overpay.

Gusev: Let’s start with raising prices, minimum 30-40%.  We need excessive profitability at this point. Do not lower commissions to GlavMed and SpamIt. Let’s kill conversions.  The people will leave on their own.  It is not a momentary process.  It is going to be easier to pay everyone. Shut down all outside billing operations, although there is nothing left already. In 10-14 days after raising of the prices — let all SpamIt know that we are closing down.  That will give us 2 weeks to transfer traffic. GlavMed should be kept 1.5 – 2 months from now to use its revenue to cover payments for SpamIt.

Stupin: OK, I will think of the exact course of actions.

Stupin: http://www.wake.ru/photo/album/show?id=2031469:Album:30595&amp;xg_source=activity&amp;xg_pw=&amp;commentPage=&amp;page=1. We did it on Saturday.

Gusev: Did you build this “wake” park?

Stupin: Yep.

Stupin: I have a suggestion, let’s tell Andrey about liquidation right away, tell him that at the end of the project we’ll pay him 3 times as much as his usual salary.  If I ask him to raise the prices too much, he will not understand why we are doing such an inhumane thing. We have great database.  Let’s ask Andrey and programmer/sysadmin to use it for spam with Eva Pharmacy. Let’s agree with Eva about larger commissions and pay Andrey the salary of $5,000, because we cannot pay more, and some percentage from the revenue generated by spam.

Gusev: Our database is already public.  Other affiliates already used it, called and spammed people.  There is a proof that at least 3 affiliates have the database.

Stupin: It’s tough. So what if they have it? [the SpamIt/GlavMed database]

Gusev: I need to go now, let’s discuss it later.

Stupin: Okay.

Many fake antivirus businesses that paid hackers to foist junk security software on PC users have closed up shop in recent weeks. The wave of closures comes amid heightened scrutiny by the industry from security experts and a host of international law enforcement officials. But it’s probably too soon to break out the bubbly: The inordinate profits that drive fake AV peddlers guarantee the market will soon rebound.

During the past few weeks, some top fake AV promotion programs either disappeared or complained of difficulty in processing credit card transactions for would-be scareware victims: Fake AV brands such as Gagarincash, Gizmo, Nailcash, Best AV, Blacksoftware and Sevantivir.com either ceased operating or alerted affiliates that they may not be paid for current and future installations.

A notice to BestAV affiliates

On July 2, BestAV, one of the larger fake AV distribution networks, told affiliates that unforeseen circumstances had conspired to ruin the moneymaking program for everyone.

“Dear advertisers: Last week was quite complicated. Well-known force majeure circumstances have led to significant sums of money hanging in the banks, or in processing, making it impossible to pay advertisers on time and in full.”

The disruption appears to be partially due to an international law enforcement push against the fake AV industry. In one recent operation, authorities seized computers and servers in the United States and seven other countries in an ongoing investigation of a hacking gang that stole $72 million by tricking people into buying fake AV.

There may be another reason for the disruption: On June 23, Russian police arrested Pavel Vrublevsky, the co-founder of Russian online payment giant ChronoPay and a major player in the fake AV market.

Black Market Breakdown

ChronoPay employees wait outside as Moscow police search the premises.

Vrublevsky was arrested for allegedly hiring a hacker to launch denial of service attacks against ChronoPay’s rivals in the payments processing business. His role as a pioneer in the fake AV industry has been well-documented on this blog and elsewhere.

In May, I wrote about evidence showing that ChronoPay employees were involved in pushing MacDefender — fake AV software targeting Mac users. ChronoPay later issued a statement denying it had any involvement in the MacDefender scourge.

But last week, Russian cops who raided ChronoPay’s offices in Moscow found otherwise. According to a source who was involved in the raid, police found mountains of evidence that ChronoPay employees were running technical and customer support for a variety of fake AV programs, including MacDefender. The photograph below was taken by police on the scene who discovered Website support credentials and the call records of 1-800 numbers used to operate the support centers.

Russian investigators also found that ChronoPay computers support the infrastructure of Rx-Promotion, a rogue online pharmacy program that paid spammers millions of dollars to promote Web sites that were pushing knockoff prescription drugs, including addictive painkillers like Vicodin and oxycodone (Rx-Promotion also appears to have closed up shop following Vrublevsky’s arrest).

Support info for MacDefenderand other fake AV products - found by Russian police on a ChronoPay PC.

Group-IB, a Russian computer-forensics firm that has been assisting the police in their investigation of Vrublevsky, said that his arrest and subsequent searches of ChronoPay’s office symbolize the possible interest of Russian law enforcement agencies in stopping the laundering of money earned in selling counterfeit medicines and fake AV.

“If allegations against ChronoPay are true then we should expect significant decrease of revenues received by cyber criminals in the appropriate segments of black market in the near future,” said Maxim Suhanov,  a computer-forensics specialist at Group-IB.

Ridiculously Profitable

Given fake AV’s status as a reliable cash cow, the industry is likely to bounce back rapidly. Fake AV is extremely profitable, in large part because it is easily franchised.

Individual affiliates can quickly make a lot of money. Fake AV distribution networks pay affiliates between $25 and $35 each time a victim provides a credit card to pay for the junk software.

More importantly, fake AV affiliates can outsource the majority of their work. Damon McCoy, a researcher at the University of California, Santa Diego, has been studying the fake AV industry. He found that fake AV can be massively profitable when installed via pay-per-install (PPI) programs. PPI networks contract out the deployment of the malware to affiliates who get paid per one thousand installs (the payment rate varies with the geographic locations of the victim PCs).

McCoy said fake AV affiliates can purchase 10,000 installs of their scareware programs very cheaply. “For 10,000 installs, [the PPI networks] will charge you normally about $900, but if you squeeze them a bit they will go down to $750,” McCoy said.

In an analysis of the fake AV industry released last month, McCoy and other UCSD researchers discovered that fake AV affiliates can expect that one out of every 50 people who have fake AV installed on their systems will pay for the software.

“If you do the math, it’s almost like you’re printing money,” McCoy said. “You could pay the PPI networks $75 to get 1,000 fake AV  installs. And if you had an average conversion rate of one in 50, making between $25-$35 on each install, that works out to about 20 sales — or conservatively $500 per one thousand installs. So, you pay someone $75 and you can expect to make four or five times your investment. The  economics of this market are ridiculously profitable, and it’s easy to see why fake AV is the go-to method today for monetizing botnets.

Russian authorities on Thursday arrested Pavel Vrublevsky, co-founder of ChronoPay, the country’s largest processor of online payments, for allegedly hiring a hacker to attack his company’s rivals.

An undated photo of Vrublevsky

Vrublevsky, 32, is probably best known as the co-owner of the Rx-Promotion rogue online pharmacy program. His company also consistently has been involved in credit card processing for — and in many cases setting up companies on behalf of — rogue anti-virus or “scareware” scams that use misleading PC security alerts in a bid to frighten people into purchasing worthless security software.

Russian state-run news organizations are reporting that Vrublevsky was arrested on June 23. Financial Times reporter Joe Menn writes that Vrublevsky was ordered held without bail and a hearing was set for a month’s time.

As I reported earlier this week, Vrublevsky fled the country after the arrest of a suspect who confessed that he was hired by Vrublevsky to launch a debilitating cyber attack against Assist, a top ChronoPay competitor. According to Russian news organizations, the ChronoPay executive wanted to sideline rival payment processing firms who were competing for a lucrative contract to process payments for Aeroflot, Russia’s largest airline. Sources close to the investigation said Vrublevsky was arrested at the Sheremetievo airport outside of Moscow as he returned from a trip to the Maldives.

The arrest comes just 24 hours after authorities seized computers and servers in the United States and seven other countries this week as part of an ongoing investigation of a hacking gang that stole $72 million via scareware scams

Pavel Vrublevsky, the embattled co-founder of ChronoPay — Russia’s largest online payments processor — has reportedly fled the country after the arrest of a suspect who confessed that he was hired by Vrublevsky to launch a debilitating cyber attack against a top ChronoPay competitor.

KrebsOnSecurity has featured many stories on Vrublevsky’s role as co-founder of the infamous rogue online pharmacy Rx-Promotion, and on his efforts to situate ChronoPay as a major processor for purveyors of “scareware,” software that uses misleading computer virus infection alerts to frighten users into paying for worthless security software.  But these activities have largely gone overlooked by Russian law enforcement officials, possibly because the consequences have not impacted Russian citizens.

In the summer of 2010, rumors began flying in the Russian blogosphere that Vrublevsky had hired a hacker to launch a distributed denial of service (DDoS) attack against Assist, the company that was processing payments for Aeroflot, Russia’s largest airline. Aeroflot had opened its contract for processing payments to competitive bidding, and ChronoPay was competing against Assist and several other processors. The attack on Assist occurred just weeks before Aeroflot was to decide which company would win the contract; it so greatly affected Assist’s operations that the company was unable to process payments for extended periods of time. Citing the downtime in processing as a factor in its decision, Aeroflot ultimately awarded the contract to neither ChronoPay nor Assist, but instead to Alfa-Bank, the largest private bank in Russia.

According to documents leaked to several Russian security blogs, investigators with the Russian Federal Security Service (FSB) this month arrested a St. Petersburg man named Igor Artimovich in connection with the attacks. The documents indicate that Artimovich — known in hacker circles by the handle “Engel” — confessed to having used his botnet to attack Assist after receiving instructions and payment from Vrublevsky. The same blogs say Vrublevsky has fled the country. Sources close to the investigation say he is currently in the Maldives. Vrublevsky did not respond to multiple requests for comment.

"Topol Mailer" botnet interface allegedly used by Artimovich.

The allegations against Artimovich and Vrublevsky were supported by evidence collected by Russian computer forensics firm Group-IB, which said it assisted the FSB with the investigation. Group-IB presented detailed information on the malware and control servers used to control more than 10,000 infected PCs, and shared with investigators screen shots of the botnet control panel (pictured at left) allegedly used to coordinate the DDoS attack against Assist. Group-IB said Artimovich’s botnet also was used to attack several rogue pharmacy programs that were competing with Rx-Promotion, including Glavmed and Spamit (these attacks also were observed by security firm SecureWorks in February).

This DDoS saga is the latest chapter in a fascinating drama playing out between the two largest rogue Internet pharmacies: Vrublevsky’s Rx-Promotion and Glavmed (a.k.a. “Spamit”), a huge pharma affiliate program run by Igor Gusev, the man who co-founded ChronoPay with Vrublevsky in 2003.

Gusev has been in exile from his native Moscow since last fall, when Russian authorities named him the world’s biggest spammer and lodged criminal charges against him for operating an illegal business. Spamit was forced to close shortly thereafter, and Gusev blames Vrublevsky for using his political connections to sabotage Spamit. Late last year, Gusev launched redeye-blog.com, a blog dedicated to highlighting alleged wrongdoing by Vrublevsky. In one post, Gusev charged that Artimovich agreed to DDoS Spamit.com because he believed forum members fleeing the program would join his own budding spammer forum: the still-active but largely dormant program Spamplanet.

Both ChronoPay and Glavmed/Spamit suffered hacking attacks last year that exposed internal documents, financial dealings and organizational emails. The data leaked from Glavmed/Spamit includes a list of contact information, earnings and bank account data for hundreds of spammers and hackers who were paid to promote the program’s online pharmacies. Those records suggest that for most of 2007, Artimovich was earning thousands of dollars a month sending spam to promote Spamit pharmacy sites.

The document that the FSB used to lay out the case for criminal proceedings against Artimovich, a.k.a. “Engel,” states that he was paid for the DDoS services with funds deposited into a WebMoney account “Z578908302415″. According to the leaked Spamit affiliate records, that same WebMoney account belonged to a Spamit affiliate who registered with the program using the email address “support@id-search.org.” Web site registration records for id-search.org show that the name of the registrant is hidden behind paid privacy protection services. But historic WHOIS records maintained by DomainTools.com reveal that for a two-month period in 2008 those registration records were exposed; during that brief window, records listed the registrant as Igor Artimovich from Kingisepp, Russia, a town 68 miles west of St. Petersburg.

The emails and documents leaked from the hacking intrusion into ChronoPay last year show that Artimovich and Vrublevsky exchanged numerous emails about payment for unspecified services. Among them is an email receipt from WebMoney showing a transfer of more than $9,000 from an account Vrublevsky controlled to Artimovich’s Z578908302415 purse on July 6, 2010, just days before the DDoS attacks began. The notation listed next to the payment receipt? “Engel.”

If your Windows PC has been hijacked by fake anti-virus software or “scareware” anytime in the past few years, chances are good that the attack was made possible by ChronoPay, Russia’s largest processor of online payments.

Tens of thousands of documents stolen and leaked last year from ChronoPay offer a fascinating look into a company that has artfully cultivated and handsomely profited from the market for scareware, programs that infiltrate victim PCs to display fake security alerts in a bid to frighten users into paying for worthless security software.

Click image for PDF version of timeline. Each entry is clickable and links to supporting documents.

ChronoPay handles Internet bill payments for a variety of major Russian companies, including domestic airlines and utilities. But ChronoPay also specializes in processing the transactions of so-called “high-risk” industries, including online pharmacies, tobacco sales, porn and software sales. A business is generally classified as high-risk when there is a great potential for credit card chargebacks and a fair chance that it will shut down or vanish without warning.

In June 2009, The Washington Post published the results of a six-month investigation into ChronoPay’s high-risk business. At the time, ChronoPay was one of a handful of processors for Pandora Software, the most prevalent brand of rogue software that was besieging consumers at the time. That story drew links between ChronoPay and an entity called Innovagest2000, which was listed as the technical support contact in the end-user license agreements that shipped with nearly all Pandora rogue anti-virus products.

When I confronted ChronoPay’s CEO Pavel Vrublevsky in 2009 about the apparent ties between Innovagest and his company, he insisted that there was no connection, and that his company’s processing services were merely being abused by scammers. But the recently leaked ChronoPay documents paint a very different picture, showing that Innovagest2000 was but one example of a cookie-cutter operation that ChronoPay has  refined and repeated over the last 24 months.

The documents show that Innovagest was a company founded by ChronoPay’s Spanish division, and that ChronoPay paid for everything, from the cost of Innovagest’s incorporation documents to the domain registration, virtual hosting and 1-800 technical and customer support lines for the company.

The same dynamic would play out with other ChronoPay “customers” that specialized in selling rogue anti-virus software. For example, leaked internal documents indicate that ChronoPay employees created two companies in Cyprus that would later be used in processing rogue anti-virus payments: Yioliant Holdings; and the strangely named Flytech Classic Distribution Ltd. ChronoPay emails show that employees also paid for domains software-retail.com and creativity-soft.com, rogue anti-virus peddling domains that were registered in the names and addresses of Yioliant Holdings and Flytech, respectively. Finally, emails also show that ChronoPay paid for the virtual hosting and telephone support for these operations. This accounting document, taken from one of the documents apparently stolen from ChronoPay, lists more than 75 pages of credit card transactions that the company processed from Americans who paid anywhere from $50 to $150 to rid their computers of imaginary threats found by scareware from creativity-soft.com (the amounts in the document are in Russian Rubles, not dollars, and the document has been edited to remove full credit card numbers and victim names).

Further, the purloined documents show these domains were aggressively promoted by external rogue anti-virus affiliate programs, such as Gelezyaka.biz, as well as a rogue anti-virus affiliate program apparently managed in-house by ChronoPay, called “Crusader.”

MEETING IN MOSCOW

Last month, I traveled to Moscow and had a chance to sit down with Vrublevsky at his offices. When I asked him about Innovagest, his tone was much different from the last time we discussed the subject in 2009. This may have had something to do with my already having told him that someone had leaked me his company’s internal documents and emails, which showed how integral ChronoPay was to the rogue anti-virus industry.

“By the time which correlates with your story, we didn’t know too much about spyware, and that Innovagest company that you tracked wasn’t used just for spyware only,” Vrublevsky said. “It was used for a bunch of shit.”

Vrublevsky further said that some of ChronoPay’s customers have in the past secretly sub-let the company’s processing services to other entities, who in turn used it to push through their own shady transactions. He offered, as an example, an entity that I wasn’t previously aware had been a customer of ChronoPay’s: A rogue anti-virus promotion program called TrafficConverter.biz.

As I documented in a March. 2009 story for The Washington Post, Trafficconverter.biz paid its promoters or “affiliates” hundreds of thousands of  dollars a month to pimp rogue anti-virus software. The domain Trafficconverter.biz was shut down briefly at the end of November when it was discovered that it was being sought out by millions of Microsoft Windows systems infected with the first variant of the Conficker worm, which instructed infected systems to visit that domain and download a specific file that suggested it would attempt to install rogue anti-virus software.

“That was a case where ChronoPay had a merchant account registered as an Internet payment service provider with Visa Iceland, where the same merchant account was being used by hundreds of small merchants, and one of them turned out to be the infamous TrafficConverter,” Vrublevsky explained.

But what of the leaked documents that show what appear to be ChronoPay employees setting up entire businesses that would later sell rogue anti-virus — including incorporation records, associated bank accounts, Web hosting, domain registration, telephone support and merchant accounts tied to these entities? Wasn’t ChronoPay concerned that this activity could make it appear that the company was simply building rogue anti-virus merchants from the ground up?

No, this is what high-risk payment service providers do, Vrublevsky explained.

“This is part of the service you provide,” he said. “Basically you own the companies that have those merchant IDs, plus you do customer support and everything which is related to that. And that’s how any other payment service provider does it, and you can find the same thing if you dig into companies like Wirecard, and Visa Iceland. So most payment service providers basically register the companies  themselves and monitor the whole [operation] from the inside.”

SCAREWARE RESEARCH & DEVELOPMENT

The leaked records also show ChronoPay’s high-risk division worked diligently to stay on the cutting edge of the scareware industry. In March 2010, the company began processing payments for icpp-online.com, a scam site that stole victims’ money by bullying them into paying a “pre-trial settlement” to cover a “Copyright holder fine.” As security firm F-Secure noted at the time, victims of this scam were informed that an “antipiracy foundation scanner” had found illegal torrents from the victim’s system, and those who refused to pay $400 via a credit card transaction could face jail time and huge fines.

Internal ChronoPay documents show that hundreds of people fell for the scam, paying more than $400 each (the message at the top of the image indicates that the internal ChronoPay formula for counting the number of downloads and sales was generating errors, so take these numbers with a grain of salt).

ChronoPay also was the processor for a fake anti-virus product known as Shield-EC, which was processed through a merchant account tied to a company called Martindale Enterprises Ltd. Again, internal documents show that ChronoPay not only created Martindale Enterprises Ltd., and attached bank accounts to the company, but that it also paid for the domain registration, hosting and telephone support lines for shield-ec.com.

The shield-ec scareware scam was unique because the purveyors pitched it as “the result of a two-year research collaboration of programmers and analysts from Martindale Enterprises and ZeusTracker, the main center for ZeuS epidemic prevention.”

ZeusTracker is a free service run by an established security researcher, Roman Hüssy, who monitors Web addresses that are known to be associated with the distribution and management of the infamous ZeuS trojan. As Hüssy noted in a blog post at the time, the Shield-EC scareware campaign came with an interesting twist: The Web site shieldec.com was in fact hosted on a fast-flux botnet that was also being used to host at least two different servers used to control large numbers of PCs infected with ZeuS.

These days, Vrublevsky said, he’s hoping his company can have a go at the market for legitimate anti-virus products. When I met with him in Moscow, Vrublevsky told me about company plans to create and sell its own anti-virus product: ChronoPay Antivirus. At first I didn’t know whether to take him seriously. But then I found a document in the cache that confirmed that claim. A Russian-language document called ChronoPay AntiVirus Vision (PDF), dated June 15, 2010, details the company’s ambitions in this market.

Curious about what other domains ChronoPay currently owns? Check out this list (PDF), taken from a recent internal email that leaked from the company.