An online criminal enterprise, as tightly structured as any legitimate business corporation, was exposed in 2010. Emails and documents taken from employees of ChronoPay — Russia’s largest online payments processor — were shared with a select group of law enforcement agencies and with KrebsOnSecurity.com. The communications provide the strongest evidence yet that a notorious rogue online pharmacy and other shady enterprises are controlled by ChronoPay executives and employees.

The leaked ChronoPay emails show that in August 2010 co-founder Pavel Vrublevsky authorized a payment of 37,350 Russian Rubles (about $1,200) for a multi-user license of an Intranet service called MegaPlan.  The documents indicate that Vrublevsky used the service to help manage the sprawling projects related to ChronoPay’s “black” operations, including the processing of payments for rogue anti-virus software, violent “rape” porn sites, and knockoff prescription drugs sold through hundreds of Web sites affiliated with a rogue online pharmacy program Rx-Promotion.com.

ChronoPay employees used their MegaPlan accounts to track payment processing issues, order volumes, and advertising partnerships for these black programs. In a move straight out of the Quentin Tarantino film Reservoir Dogs, the employees adopted nicknames like “Mr. Kink,” “Mr. Heppner,” and “Ms. Nati.” However, in a classic failure of operational security, many of these folks had their messages automatically forwarded to their real ChronoPay email accounts.

MegaPlan offers an application that makes it simple for clients to create organizational charts, and the account paid for by ChronoPay includes a chart showing the hierarchy and reporting structure of its dark divisions.

A screen shot of the organization chart from ChronoPay's MegaPlan Intranet system.

Black Ops, Dark Divisions

Media: This division oversees ChronoPay clients and services that specialize in selling steeply discounted MP3 music files. ChronoPay saw the profit potential of dodgy music resellers early on, and is probably best known for being the processor for AllofMp3.com, a controversial Russian online music sales company. The wrath of the U.S. entertainment industry in 2006 created an international trade dispute between Russian and the United States.

R&P: Short for “Red & Partners,” this division was founded by Vrublevsky early in his career, and is responsible for processing payments for adult Web sites that specialize in violent “rape” photos and videos. ChronoPay emails show company slush funds routinely are used to process payments for the infrastructure used by dozens of these extreme adult sites. ChronoPay emails reveal that the director of R&P — listed in the graphic above as “Mr. Simon” — is ChronoPay employee Alexandr Alyushin.

StandardPay: A company founded by Vrublevsky that specializes in offering payment solutions for the extreme adult sites. Processing payments for pornography can be tricky in many countries, including Russia — where it is technically illegal to produce or sell pornography. “Mr. StandardPay” is a Russian named Mikhail Mikryukov, who uses the nickname “Human.”  Along with RedEye (Vrublevsky), Human is an administrator of Crutop.nu, a 8,000 member Russian adult Webmaster forum that also is used to recruit affiliates for Rx-Promotion and rogue anti-virus sales.

Big Bosses (“биг боссы”): ChronoPay CEO Pavel “RedEye” Vrublevsky, and Yuri “Hellman” Kabayenkov. ChronoPay emails show that these two men are 50/50 partners in the pharmacy program Rx-Promotion.

Rx-Promotion: ChronoPay emails and documents show that “Mr. Heppner” is Stanislav Maltsev, a former Russian police investigator previously responsible for heading up a criminal investigation of Vrublevsky in 2007. That investigation remains open but  appears to have gone nowhere, and Maltsev now works directly for Vrublevsky.

Communications between Mr. Heppner and Ms. Nati about payment for Rx-Promotion affiliates.

An individual listed in the ChronoPay MegaPlan account under the alias “Ms. Curly” does not appear to be a ChronoPay employee. Curly is named as a customer support representative for Rx-Promotion.com, and a user “Curly” also is listed as the support lead at the Rx-Promotion forum for affiliates of the rogue pharmacy program. Curly appears to be a pseudonym for Katya Ivanova, a slender, curly-haired redhead from Moscow shown in this this profile on Vkontake, a major Russian social networking site.

ChronoPay emails show that Ms. Nati, listed in the MegaPlan chart above as the public relations manager for Rx-Promotion, is a ChronoPay employee named Natalia Miloserdnaya. Members using the names Curly, Nati and Hellman also can be seen fielding questions from Rx-Promotion affiliates in that organization’s online forum.

A reverse engineering project based on Malwarebytes.

Project for AV: In previous investigations, I’ve shown that ChronoPay has consistently been among the biggest processors of rogue anti-virus software or “scareware.” Last month, I blogged about ChronoPay paying for several domains that were used in recent Mac Defender attacks. A study released this week (PDF) by researchers at the University of California, Santa Barbara looked at three rogue anti-virus distribution services, and found they all processed payments through ChronoPay.

When I visited Vrublevsky in Moscow in February, he told me of plans to launch a ChronoPay-branded anti-virus solution, and many of the documents included in this section of ChronoPay’s MegaPlan installation are technical papers referencing the development of different anti-virus software modules. The documents suggest that the company has hired programmers to reverse-engineer the free version of the commercial anti-malware product Malwarebytes.

Banking on Indifference

Another area of ChronoPay’s MegaPlan installation shows contact information for strategic and advertising partners. Among them is a bank in Azerbaijan called Azerigazbank that until recently processed Visa and MasterCard payments for Rx-Promotion customers, among a half-dozen other rogue Internet pharmacy programs. This is not your everyday, risk-averse financial institution: AG Bank’s slogan loosely translates to “Options for the Rich,” and this bizarre commercial for their services features scantily-clad women on a yacht tossing handfuls of huge diamonds into the sea while helicopter gunships circle overhead.

According to a UC San Diego research paper (PDF) released in May that analyzed spam from more than 30 illicit online pharmacy programs, Rx-Promotion-branded pharmacy sites were the most actively promoted via spam. As I’ve noted in previous stories about Rx-Promotion, it is one of the few remaining pharmacy programs that sells prescription drugs (no prescription required) that are highly controlled in the United States, including addictive painkillers Valium, Percocet, Tramadol, and Oxycodone.

As the academic paper and my reporting make clear, the traditional methods of exposing these programs — “outing” the merchant banks and shining a spotlight on the main actors — has little effect when the organizers live in countries that willingly turn a blind eye to this activity. I’ve been eager to write more about this treatise since it was first featured in a New York Times story last month. In a future blog post, I will discuss the potential impact of the main policy alternative outlined in that paper: Convincing a handful of card-issuing banks here in the United States to stop processing payments for a handful of merchant accounts known to be tied to illicit online pharmacies.