Following the Money, Part II

A leading Russian politician has accused a prominent Moscow businessman of running an international spam and online pharmacy operation while serving as an anti-spam adviser to the Russian government. Russian investigators now say they plan to create a special task force to look into the allegations.

In an open letter to investigators at the Ministry of Internal Affairs (MVD) of the Russian Federation, Ilya V. Ponomarev, a deputy of the Russian State Duma’s Hi-Tech Development Subcommittee, in March called for a criminal inquiry into the activities of one Pavel Vrublevsky, an individual I interviewed last year in an investigative report on rogue security software (a translated PDF version of Ponomarev’s letter is here).

Vrublevsky is founder and general director of ChronoPay, an online payment processor widely accepted in Russia to handle a number of domestic transactions, including payment for Russian airline and lottery tickets. ChronoPay also specializes in handling “high risk” online merchants, such as pharmacy, adult and Internet gaming sites. Last year, The Washington Post published a story I wrote that showed Chronopay was processing payments for a large number of sites pushing rogue anti-virus products, or “scareware.”

According to Ponomarev, Vrublevsky also is known online as “Redeye,” and is the creator of Crutop.nu, a large adult Webmaster forum that the U.S. Federal Trade Commission last year said was a place “where criminals share techniques and strategies with one another,” and a Russian language Web site “that features a variety of discussion forums that focus on making money from spam.”

In his letter to A.V. Anichin, the deputy minister and chief of the Russian MVD Investigations Committee, Ponomarev said the primary analysis of Vrublevsky’s activities shows the extent of the problem which escapes attention of law-enforcement bodies.

“They include trade in pornography on the Internet that contains scenes of cruel violence, real rape, zoophilia, etc. (etu-cash.com, cash.pornocruto.es), unlawful banking business focused on laundering of money generated by a range of criminal activities in order to escape taxes using fethard.biz and acceptance of payments for illegal sale of music files mp3 which violates author’s rights of performers and illegal trade in drug-containing and controlled prescribed drastic preparations via on-line chemistry networks (rx-promotion.com, spampromo.com), and illegal mass spam distribution all over the world, as well as sale of malicious software under the guise of anti-virus software.”

Ponomarev notes that Vrublevsky is a key member of the anti-spam working group of the Ministry of Telecom and Mass Communication. Ponomarev also said that the MVD had instituted a criminal investigation into Vrublevsky in 2007, only to abandon the case when the chief investigator quit and reportedly went to work for Vrublevsky.

“We have here a merger between a criminal element and the government power which is unacceptable and inadmissible in any civilized society,” Ponomarev wrote.

In a written response to Ponomarev that the latter posted on his blog last week, Anichin said he agreed that the case should never have been closed, that the decree to close the case has been canceled, and that the preliminary investigation has been resumed. A translated copy of that letter is available here (PDF). A portion of it is translated here:

The management of the Main Investigative Directorate of the Moscow City GUVD [Main Directorate of Internal Affairs] has been charged with creating an investigative operations group composed of specialists of the Russian FSB [Federal Security Service] Information Security Center and the Directorate of Special Technical Measures of the Moscow City GUVD to perform a set of investigative actions and operational detective measures directed at determining the truth of the case. The arguments described by you will be verified in the course of additional investigation, including the existence of the other elements of crimes in the actions of P. O. Vrublevsky.

Reached at his home in Moscow, Vrublevsky scoffed at the entire matter, suggesting that one of his enemies had paid Ponomarev to write the letter to investigators.

Vrublevsky also said while he was indeed called as a witness in the 2007 criminal case Ponomarev mentioned in his letter, he was not the subject of that investigation, though he said he doesn’t know what the investigators were probing. “That criminal case has nothing to do with me, I was just a witness,” Vrublevsky told Krebsonsecurity.com. “In Russia, by law witnesses have no right to know what the case is about.”

In a phone interview, Ponomarev dismissed the claim that someone paid him to file the complaint. He also said Vrublevsky was mistaken and that the 2007 case did involve him, although Ponomarev said he was not at liberty to discuss the particulars of the case.

‘The purpose of my letter was to say that a person directly affiliated with the Ministry of Telecommunications is also involved in suspicious activity, and I am using this to try to attract the attention of prosecutors to investigate whether there is conflict of interest,” Ponomarev said.

Vrublevsky also denied having anything to do with online pharmacy Web site programs or spam, and said that contrary to Ponomarev’s claims, he was not nor did he know anyone named “Redeye” (the online nickname used by the first and founding member of Crutop.nu).

My previous investigation showed that both Crutop and ChronoPay shared a common network infrastructure and appeared to be set up and run by the same person(s). For one thing, Crutop and ChronoPay both previously occupied the same small blocks of Internet addresses assigned by European Internet authorities to ChronoPay. Also, the HTML code that made up the home pages for both Crutop and ChronopPay contained the very same Google Analytics code, meaning the same account was being used to track visitors for both sites.

Shortly after that story ran, the two sites stopped sharing the same Google Analytics code. At the time, ChronoPay’s public relations manager said a former employee in charge of online marketing at ChronoPay was probably the person responsible for setting up the common Google Analytics account.

But recently I found clues that would appear to connect the ChronoPay CEO himself to Crutop. The “No Spam” image featured prominently at the top of the Crutop.nu home page lists the following contact information for the anonymous Crutop administrators:

RED & Partners Group
red@mail-eye.com
http://www.re-partners.biz/

Until recently, both ChronoPay.com and re-partners.biz shared the same domain name servers: ns1.dns-eye.com. A WHOIS Web site domain registration record lookup for “re-partners.biz” shows RED & Partners B.V.  at the following physical address:

Strawinskylaan 1443
Amsterdam
1077 XX
Phone: +31.207940110
Fax: +31.207940120

That address is the same one as listed on the Contact Us portion of ChronoPay’s Web site.

A document issued by the Netherlands Chamber of Commerce lists one Pavel Vroublevski of Moscow as the official registrant and director of RED & Partners B.V. back in 2003. The document also lists the address of RED & Partners B.V. in that same Amsterdam location as shown in the contact page for ChronoPay. A copy of that document is available (in Dutch) at this link (PDF).

When asked about the registration document from the Netherlands, Vrublevsky said he recognized it, but stopped short of acknowledging a link between RED & Partners B.V. and re-partners.biz.

“Re-partners.biz PROBABLY does not have anything to do with RED & Partners B.V.,” Vrublevsky wrote in an e-mail to Krebsonsecurity.com. “Yes I realize that the website says otherwise, however the website or WHOIS can claim whatever you want. You can put Putin or Obama there if You want.”

Most of the current and historical Web site and domain registration records referenced in the last few paragraphs above can be found here:

Hosting history for re-partners.biz

WHOIS lookup for 77.91.227.208 (former re-partners.biz IP address)

Hosting history for Crutop.com

WHOIS lookup for 77.91.227.214 (former crutop.com IP address)

Hosting history for chronopay.com