Earlier this year, Russian police arrested Dmitry Stupin, a man known in hacker circles as “SaintD.” Stupin was long rumored to be the right-hand man of Igor Gusev, the alleged proprietor of GlavMed and SpamIt, two shadowy sister organizations that until this time last year were the largest sources of spam touting rogue Internet pharmacies.
According to several sources who are familiar with the matter, Russian police pulled Stupin off of a plane before it left Moscow. The police also reportedly took Stupin’s MacBook and copied its contents. The police detained Stupin as part of an investigation into Gusev launched nearly a year ago. Gusev fled his native Moscow last year and has not returned.
Sometime in the past few days, more than four years’ worth of chat conversations — apparently between Stupin, Gusev and dozens of other GlavMed employees — were leaked. Those conversations offer a fascinating glimpse into the day-to-day operations one of the world’s largest cyber criminal organizations.
The chat logs also catalog the long-running turf battle between Gusev and his former business partner, Pavel Vrublevsky. The two men were co-founders of ChronoPay, one of Russia’s largest online payments processor. Vrublevsky is now in jail awaiting trial on charges of hiring a hacker to attack his company’s rivals. He also has been identified as a co-owner of a competing rogue pharmacy program, the now-defunct Rx-Promotion.
I have had numerous interviews with both Gusev and Vrublevsky, both of whom accuse one another of bribing Russian law enforcement officials and politicians to initiate criminal proceedings against each other.
While there is no direct evidence Vrublevsky paid for a prosecution of Gusev, documents stolen from ChronoPay last year by hackers indicate that the company arranged to pay the salaries of several people on the Russian Association of Electronic Communications (RAEC). Those same documents show that Vrublevsky and RAEC members were closely involved in the investigation into Gusev the months and weeks leading up to the official charges against him.
The chat records between Stupin and Gusev, a tiny sliver of which is translated here from Russian into English, suggest that the two men paid authorities for protection. Contacted via email, Gusev declined to say whether the chats logs were legitimate or comment further, explaining that he was still reviewing the documents.
“If at least some of these logs are legit, then it means that I was telling the truth about paid criminal case against me initiated by Pavel and his constant connection with investigators,” Gusev said. “I know for sure that Pavel had access to evidences which were gathered by the investigators while he shouldn’t have such access. Before I just didn’t have any proof for this. Now I have.”
The latest leaked archive contains more than 166 megabytes of chat logs, allegedly between Stupin, Gusev and others. The following chat log is dated Aug. 28, 2010, just days after Vrublevsky leaked the SpamIt and GlavMed affiliate and customer data to U.S. law enforcement agencies. In this conversation, Stupin and Gusev allegedly discuss whether to close SpamIt (SpamIt would be closed a month later). “Red” in the first sentence is a reference to Vrublevsky, well known to use the hacker alias “RedEye.”
Gusev: It looks like I am in deep shit. Red gave our database to Americans.
Stupin: To which Americans?
Gusev: I can’t tell exactly, yet. Probably to FBI or Secret Service. Have you read on Krebs’ blog about meeting at White House regarding illegal pharmacy problems on the Internet?
Stupin: Maybe you return back to Russia?
Gusev: I am planning to do that. I am really worried now
Stupin: What about Red? For that money. May be let’s close down everything?
Gusev: In any case, he will be squished to the end. Everything is done pretty properly. Chronology: – He got thrown out from major banks (Masterbank, Bank Standard and almost from UCS. Too many clients left him. Investigations have been made on data regarding processing. Major issue now – close down the channel via Azerbaijan (the only place where he can do his own processing and processing for his clients). We need him have an acute issue with money, otherwise he is going to slow down the investigation as much as he can.
Gusev: Do you think “closing down” will help? Just realize: they have our ENTIRE database… there are 900,000 records. What are we going to do with those? For conviction and 5-year jail time it is only necessary to prove 1 transaction! What is the worst? They combine the sentences and it is possible to get 5 life sentences.
Stupin: I think yes, we will receive lower priority.
Gusev: And who is considered a high priority? I am trying to figure out how he gave us up, and do the same for him. There will be 2 cases instead of one.