August 19, 2011

Earlier this year, Russian police arrested Dmitry Stupin, a man known in hacker circles as “SaintD.” Stupin was long rumored to be the right-hand man of Igor Gusev, the alleged proprietor of GlavMed and SpamIt, two shadowy sister organizations that until this time last year were the largest sources of spam touting rogue Internet pharmacies.

According to several sources who are familiar with the matter, Russian police pulled Stupin off of a plane before it left Moscow. The police also reportedly took Stupin’s MacBook and copied its contents. The police detained Stupin as part of an investigation into Gusev launched nearly a year ago. Gusev fled his native Moscow last year and has not returned.

Sometime in the past few days, more than four years’ worth of chat conversations — apparently between Stupin, Gusev and dozens of other GlavMed employees — were leaked. Those conversations offer a fascinating glimpse into the day-to-day operations of one of the world’s largest cyber criminal organizations.

The chat logs also catalog the long-running turf battle between Gusev and his former business partner, Pavel Vrublevsky. The two men were co-founders of ChronoPay, one of Russia’s largest online payment processors. Vrublevsky is now in jail awaiting trial on charges of hiring a hacker to attack his company’s rivals. He also has been identified as a co-owner of a competing rogue pharmacy program, the now-defunct Rx-Promotion.

I have had numerous interviews with both Gusev and Vrublevsky, both of whom accuse one another of bribing Russian law enforcement officials and politicians to initiate criminal proceedings against each other.

While there is no direct evidence that Vrublevsky paid for the prosecution of Gusev, documents stolen from ChronoPay last year by hackers indicate that the company arranged to pay the salaries of several people at the Russian Association of Electronic Communications (RAEC). Those same documents show that Vrublevsky and RAEC members were closely involved in the investigation into Gusev in the months and weeks leading up to the official charges against him.

The chat records between Stupin and Gusev, a tiny sliver of which is translated here from Russian into English, suggest that the two men paid authorities for protection. Contacted via email, Gusev declined to say whether the chat logs were legitimate or to comment further, explaining that he was still reviewing the documents.

“If at least some of these logs are legit, then it means that I was telling the truth about the paid criminal case against me initiated by Pavel and his constant connection with investigators,” Gusev said. “I know for sure that Pavel had access to evidence which was gathered by the investigators while he shouldn’t have had such access. Before, I just didn’t have any proof of this. Now I have.”

The latest leaked archive contains more than 166 megabytes of chat logs, allegedly between Stupin, Gusev and others. The following chat log is dated Aug. 28, 2010, just days after Vrublevsky leaked the SpamIt and GlavMed affiliate and customer data to U.S. law enforcement agencies. In this conversation, Stupin and Gusev allegedly discuss whether to close SpamIt (SpamIt would be closed a month later). “Red” in the first sentence is a reference to Vrublevsky, well known to use the hacker alias “RedEye.”

Gusev: It looks like I am in deep shit.  Red gave our database to Americans.

[Photo caption: Dmitriy Stupin]

Stupin: To which Americans?

Gusev: I can’t tell exactly, yet. Probably to FBI or Secret Service. Have you read on Krebs’ blog about meeting at White House regarding illegal pharmacy problems on the Internet?

Stupin: No.


Stupin: Maybe you return back to Russia?

Gusev: I am planning to do that. I am really worried now 🙁

Stupin: What about Red? For that money. Maybe let’s close down everything?

Gusev: In any case, he will be squished to the end. Everything is done pretty properly. Chronology: He got thrown out from major banks (Masterbank, Bank Standard, and almost from UCS). Too many clients left him. Investigations have been made on data regarding processing. Major issue now – close down the channel via Azerbaijan (the only place where he can do his own processing and processing for his clients). We need him to have an acute issue with money, otherwise he is going to slow down the investigation as much as he can.

Gusev: Do you think “closing down” will help? Just realize: they have our ENTIRE database… there are 900,000 records. What are we going to do with those? For conviction and 5-year jail time it is only necessary to prove 1 transaction! What is the worst? They combine the sentences and it is possible to get 5 life sentences.

Stupin: I think yes, we will receive lower priority.

Gusev: And who is considered a high priority? I am trying to figure out how he gave us up, and do the same for him. There will be 2 cases instead of one.

Stupin: In reality if everything is going to proceed, the publicity is going to happen in a year, if we are not functioning for a year, there is no reason for publicity. And in 3 years everyone will forget about us. If we continue operations, it’s going to be undeniably worse, and if we stop — hopefully, it’s going to be better. There is no ultimate decision here, there is probability, and we can either increase or decrease it.

Stupin: I believe, you now understand that the money is not the main thing in life.

Gusev: You do not know how justice in the USA works. They have no “statute of limitations”. They absolutely love big cases about hackers, carders, and spammers. Young prosecutors make careers out of such cases and do everything possible to find proof for such proceedings. Here is the latest example: the arrest of Badb (carder) at the airport in Nice. He was investigated since the Cardplanet collapse. He got sentenced in 2009 and they received the OK to extradite him, and that’s it, after that it was only a matter of time till his arrest.

Gusev: I also think we need to shut the operations down, because it’s an absolute disaster 🙁

Stupin: I am not talking about the “statute of limitations”, I am talking about publicity; the more noise, the more motivation they have and the larger the sentence. Just imagine, if we have not functioned for 1/2 year or 1 year, would your life be easier?

Gusev: There was another case, where FBI broke into DDoS (denial of service) server to collect evidence and judge admitted that evidence in court — it’s an absolute precedent in their law proceedings. Our FSB [former KGB] made a case out of it later :)) One moment… I will find info about it.

Gusev: My life is much easier already for the past year. I have only one desire – run to Taiga [remote forests in Siberia] and do not have access to the Internet for a year.

Stupin: Do not bother to look for the info (regarding the DOS case). You are correct in your desire [about running to woods]. Buy a lake in Altaj Republic and build a resort there.

Gusev: I tend to think about Irkutsk and Baikal. I have very good friends in local government there 🙂

Stupin: Very well. I can do a project on wakeboarding, which will almost positively be profitable.

Gusev: Great! Did it get started for you?

Stupin: No, but I know how NOT to do it.

Gusev: Regarding closing down — I think we need to shut down SpamIt first.  In a month or 1/2 month — GlavMed. I am planning to fly back now and fabricate a case against us to get sentenced in Russia with publicity. We need to accurately give top positions of our [search engine optimization] to Lesha (Aleksey); at least it will bring some money.

Stupin: Let’s not do it, let Lesha go up on his own.

Gusev: Has Andrey told you about it? I have a gravely important question. Theoretically, I can add several hours to my “work day”, plus increase productivity. Is there hope for me in 2-3-4 years to make enough money for Dima’s house in Turkey? I cannot save money. This is a gravely important question. You are right. Dima and I will think about it.

Stupin: He told me that same thing 1/2 a year ago.

Gusev: Maybe offer him an affiliate program? Give him 1/3 and let him transfer our SEO onto himself, but only based on new companies and accounts. I already have one new company; I found an acceptable nominal price. It is painful to just give our SEO to Drugrevenue and Rx-partners. Look it’s been holding its position for a year. Such a margin of stability.

Stupin: Well, it has dropped 2-3 times for the last 1/2 a year, and it is very unstable. If Shaman closes down tomorrow, we’ll have a lot of money sunk there and a lot of debts to advertisers. And we will have to pay them out of our own money, if we accurately close down, we might avoid the risks.

Gusev: Am I looking at the wrong data? 🙂 It’s for this August and August of 2009. The difference is 400k of monthly turnaround. Taking into consideration the absence of “master” — IMHO it is great. Why does Shaman have to close down tomorrow?

Stupin: Yes, but I am considering the profits we are taking, and stability of revenue.

Gusev: I talked to him: the political decision of “Raif” [?] is to keep the pharmacy as long as possible.

Stupin: And amount of money on the account and our debts to advertisers and suppliers.

Gusev: Yes, the stability got decreased after our departure from Latvia. They worked [like a] Swiss watch.

Stupin: The same “political” decision can be turned 180 degrees tomorrow.

Gusev: Maybe, maybe, what a pity. I also talked to Max and Mark – they will take new pharmacy of Lesha.

Stupin: Looks like money is still your priority.

Gusev: Is it really okay for you to lose such an income? It’s extremely hard for me to take, since I have no idea how to earn even 1/5 of it offline.

Stupin: It is really okay for me. There is enough money, do you need more to pay lawyers against the competition? You will not be happier. It is such a moment now that we can close down the project earning a little more; however, in the future there is a risk that the project will collapse on its own with even more financial losses.

Gusev: You’re right, but it is hard for me to make such a decision. It’s not a matter of money, but of the business, which makes money. Write me your ideas on how we should shut down. I do not know how much time is required to resolve all the issues. The USA has complicated everything in resolving the issue with Pasha [Pavel Vrublevsky]. If he somehow finds a lot of money, it might require up to 1 million. However, so far, whatever we already paid is enough.

Stupin: Debts to suppliers: $150,000. To advertisers: $1,100,000. What we have on our account: $800,000. Therefore, the balance is: -$450,000. These are the real numbers of our business; whatever we have invested does not reflect the actual truth. As you remember, we have been withdrawing very little from the account recently. Therefore, we can say that the project is going down on its own. I will write you the strategy on what we need to do.

Gusev: Do not write it as additional points why we need to close down. I’ve already accepted that it cannot be avoided 🙂 We have enough points already. I am interested in your ideas. For example, I want to make an official statement about us closing down, a little noise to calm down the Americans.

Stupin: Okay.

Gusev: To give a spot of “spammer number 1” to Pasha [Pavel Vrublevsky] and Yura [Yuriy Kabayenkov].

Stupin: Here is what we have now: Account balance is $800,000. We have to pay $1,100k to advertisers. We have to pay $150k to suppliers. Here is what we pay at liquidation in any case: Andrey’s compensation: $60k; Sasha’s (Alexander’s) compensation: ~$50k; Compensation to the staff: ~$100. Summary: $660k of money, which we need to pay in any case, but cannot pay now. Shaman marked $450k in payments by 30.08, therefore we can balance everything to $0. The pessimistic outlook is if Shaman is going to be shut down. We will end up with a debt of 500-1000k, which we will have to pay. The business perspective is not rainbow-like, especially taking into consideration the risk we take all the time and the expenses linked to it.

Plan of action: In any case, whether we liquidate or not: set commissions to 40% maximum, lower it down for those whose commission is 45%. With participation of Latvia we could afford a lot of transactions with low profitability.  However, we cannot afford the same with “shaman’s” unstable payments and with other small processing parties, which we cannot control and whether we are getting money from them or not. However, such a decision will deter “to pav”; the number of transactions will go down, we will not have a lot of losses, since we are on the brink of profitability. Turning off the affiliate (partnerka) is going to be easy.

Within two months: a 20% increase in prices in shops; this will add profitability, but will decrease the number of advertisers. In case revenue is going to rise sharply together with profits, we will have time to change our decision within 1.5 months. Inventory of personnel and servers to increase profitability, and moral preparation of everyone for the potential end two weeks before the liquidation. Tell the staff about shutting down the operation, promise them compensation in the amount of their normal salary if they finish the job well. Andrey and Sasha will be notified separately. Notify advertisers about the shutting down of operations, increase whatever is left on e-Passporte and WebMoney, begin to hold payments to suppliers so as not to overpay, since usually we do overpay.

Gusev: Let’s start with raising prices, minimum 30-40%.  We need excessive profitability at this point. Do not lower commissions to GlavMed and SpamIt. Let’s kill conversions.  The people will leave on their own.  It is not a momentary process.  It is going to be easier to pay everyone. Shut down all outside billing operations, although there is nothing left already. In 10-14 days after raising of the prices — let all SpamIt know that we are closing down.  That will give us 2 weeks to transfer traffic. GlavMed should be kept 1.5 – 2 months from now to use its revenue to cover payments for SpamIt.

Stupin: OK, I will think of the exact course of actions.

Stupin: We did it on Saturday.

Gusev: Did you build this “wake” park?

Stupin: Yep.

Stupin: I have a suggestion, let’s tell Andrey about liquidation right away, tell him that at the end of the project we’ll pay him 3 times as much as his usual salary.  If I ask him to raise the prices too much, he will not understand why we are doing such an inhumane thing. We have great database.  Let’s ask Andrey and programmer/sysadmin to use it for spam with Eva Pharmacy. Let’s agree with Eva about larger commissions and pay Andrey the salary of $5,000, because we cannot pay more, and some percentage from the revenue generated by spam.

Gusev: Our database is already public.  Other affiliates already used it, called and spammed people.  There is a proof that at least 3 affiliates have the database.

Stupin: It’s tough. So what if they have it? [the SpamIt/GlavMed database]

Gusev: I need to go now, let’s discuss it later.

Stupin: Okay.

25 thoughts on “Pharma Wars, Part II”

  1. Manoa Kahuna

    You inhabit a strange and dangerous world.

    I suggest you start a series of novels.

    Something like “Snow Crash” lite.

  2. Wladimir Palant

    Brian, is there some place where we can read the original of this chat log? No offense but I would like to see it before your translation.

    1. Igor Krein

      I could say that I’ve checked some part of Brian’s translation and found it pretty close to the original conversation. If it really is *original*.

      1. Wladimir Palant

        Igor, I know – I’ve seen Brian’s translations on a number of occasions before and they are pretty good. Still, I am rather interested in the language they used. Meaning: not only *what* they said but also *how* they said it.

  3. Neej

    Brian: “day-to-day operations one of the world’s largest organization cyber criminal organizations.” doesn’t make sense to me. Great article BTW.

  4. oper207

    GREAT WORK BRIAN 🙂 . Keep the bad guys running scared.

  5. Igor Krein

    It is interesting that Gusev, it seems, had organized the case in Russia against himself. I wonder if this part of logs was not “edited” by whomever have leaked them.

  6. Wojtek

    Thanks for the article.
    I find the format of the chat quite unusual, though. In online chats the sentences tend to be shorter and much more casual.
    This looks more like a “literature view” on how typical chats look like.

    1. BrianKrebs Post author

      The chats are all in XML format, and were sometimes challenging to piece together. For the sake of clarity and flow, in many cases I put what would have been 5 or 6 consecutive line breaks generated by one speaker hitting enter/send so that they appear as one response.

      1. Nick

It would be nice if you could share and post all chat logs for download. I hope you will stand for openness and democracy and will understand that making those logs public will help to do significant damage to illegal pharmacy.

  7. Anri Businko

    Thank you Brian – it is really great and very dangerous – but who is Andrey, Lesha(Alexey), Mark and Max?

  8. Alex

    Raif = Raiffeisenbank
    “master” means master card (glavmed hadn’t its processing from some time)

  9. Anonymous

    Very interesting article, Brian. Out of curiosity, how fluent are you in Russian?

    1. BrianKrebs Post author

      I had a source who graciously offered to provide this translation. But to give you an idea, when I look at the untranslated version, I can grasp usually about 70 percent or more of the conversation just by reading it. The hardest part is understanding when a word should be literally translated and when it means something else.

      Thankfully, this weird world of cyber crime has its own lexicon, and is full of cognates, which are easy to understand if you know the substitutions and can sound out the words. But sometimes to arrive at the correct meaning, there is no substitution for a native speaker who knows when a series of words should be a phrase or expression that holds a broader cultural meaning.

  10. KFritz

    Is the Russian govt cracking down on other sectors of cybercrime, or is it concentrating on this crowd?

    1. Aleksey

      Do not mistake criminal cases against Gusev and Vrublevsky for Russian government’s crackdown on cybercrime. Both cases are initiated and “sponsored” by the opposite parties, the cybercrime bosses themselves. If it wasn’t for the intentions of crimelords to start these cases there would be no criminal prosecution.

      We and our inboxes are very lucky that Pavel Vrublevsky in his arrogance decided that his invincibility is limitless and moved this long-running confrontation into public arena by creating criminal case against Gusev and buying PR and media in Russia to brand Gusev as world’s no 1 spammer. This prompted a very strong response from Gusev who seems to be winning the war now (at least he’s not in jail like Vrublevsky), but in the process both cybercrime operations suffered serious harm.

Fighting cybercrime (or any crime for that matter) is a very low priority for the corrupt-to-the-core Russian law enforcement. They don’t care much about fighting crime; all they care about is putting money in their pockets.

  11. SpamIsLame

    @Anri Businko

    > but who is Andrey

    I would have to assume that was Andrey Smirnov (Andrey / Andrej / Andy), long known to be the operator of Glavmed, who keeps swearing up and down that there is no connection between Spamit and Glavmed. Very clearly based on this transcript, they are extremely closely related.


  12. AlphaCentauri

    Not to diminish the great work a lot of people have done taking down botnets, but if they stiffed their affiliates, that would explain why this time the spam rates went down and stayed down.

  13. JCitizen

    About now, I bet they are thinking the stock market is safer! 🙂

    These guys need a primer in investing. Real estate is one of the worst things you can get into. I guess it makes a good place to go hide from the police – or when ever you get out of jail. ]:)

  14. AlphaCentauri

    When he refers to each transaction carrying a potential five year sentence, which law in which country is he referring to?

    1. TJ

      @AlphaCentauri – He’s talking about the U.S.

      Gusev: It looks like I am in deep shit. Red gave our database to Americans.


      Gusev: Do you think “closing down” will help? Just realize: they have our ENTIRE database… there are 900,000 records. What are we going to do with those? For conviction and 5-year jail time it is only necessary to prove 1 transaction! What is the worst? They combine the sentences and it is possible to get 5 life sentences.

  15. GoodGuy

    Brian, When will you write how much Gusev pays for police and how he works with police?

  16. BadGuy

I have heard that between Gusev and Stupin not everything is good now.
Stupin considers that Gusev is a big problem for his Glavmed and wants to speed up Gusev’s criminal case.
These logs could come from Gusev to blacken Stupin.
I think the FBI is really interested in who is behind ‘Canadian Pharmacy’, Top #1 on Spamhaus.

    1. Aleksey

Where did you hear about problems between Gusev and Stupin? GlavMed is co-owned by Stupin and Gusev, but it looks like Gusev still plays a leading role. The logs definitely weren’t leaked by Gusev; the public access to these logs is a very big problem for Desp.
I think the FBI knows very well (and knew before all these leaks) who is behind Canadian Pharmacy. If I were Gusev or Stupin, I would be very cautious with international travel now. It is obvious to everyone that both of them facilitated a significant share of worldwide SPAM volume for years, violating controlled substance laws in the process. This does not play well with many actors in the law enforcement space…

  17. eizj0

    I would have liked to read 2000 more lines.

If this history had happened in another country, would the criminals have been arrested more easily?

Finally, what is actually blocking the arrest when the criminals are known? Laws and issues of extradition?

What prevents blocking bank accounts? Shutting down servers? The laws?

Anyway, thank you, great read, good work.
