June 3, 2014

It’s been a while since a new category debuted on this blog, and it occurred to me that I didn’t have a catch-all designation for random ne’er-do-well news. Alas, the inaugural entry for Ne’er-Do-Well News looks at three recent unrelated developments: The availability of remote access iPhone apps written by a programmer perhaps best known for developing crimeware; the return to prison of a young hacker who earned notoriety after simultaneously hacking Paris Hilton’s cell phone and data broker LexisNexis; and the release of Pavel Vrublevsky from a Russian prison more than a year before his sentence was to expire.

ZeusTerm and Zeus Terminal are iPhone/iPad apps designed by the same guy who brought us the Styx-Crypt exploit kit.

ZeusTerm and Zeus Terminal are iPhone/iPad apps designed by the same guy who brought us the Styx-Crypt exploit kit.

A year ago, this blog featured a series of articles that sought to track down the developers of the Styx-Crypt exploit kit, a crimeware package being sold to help bad guys booby-trap compromised Web sites with malware. Earlier this week, I learned that a leading developer of Styx-Crypt — a Ukrainian man named Max Gavryuk — also is selling his own line of remote administration tools curiously called “Zeus Terminal,” available via the Apple iTunes store.

News of the app family came via a Twitter follower who  asked to remain anonymous, but who said two of the apps by this author were recently pulled from Apple’s iTunes store, including Zeus Terminal and Zeus Terminal Lite. It’s unclear why the apps were yanked or by whom, but the developer appears to have two other remote access apps for sale on iTunes, including ZeusTerm and ZeusTerm HD.

Incidentally, the support page listed for these apps — zeus-terminal[dot]com — no longer appears to be active (if, indeed it ever was), but the developer lists as his other home page reality7solutions[dot]com, which as this blog has reported was intricately tied to the Styx-Crypt development team.

This wouldn’t be the first time a crimeware author segued into building apps for the iPhone and iPad: In January 2012, as part of my Pharma Wars series, I wrote about clues that strongly suggested the Srizbi/Reactor spam botnet was developed and sold by a guy who left the spam business to build OOO Gameprom, a company that has developed dozens of games available in the iTunes store.


It’s hard to imagine a set of stories that I had more fun reporting and writing while working for The Washington Post than the series I wrote in 2005 and 2006 about the young men who broke into socialite Paris Hilton’s cell phone. I spent several months chatting with members of this hacker collective of misfits, nearly all of whom were practically raised on AOL’s network. They called themselves the “Defonic Team Screen Name Club,” and spent most of their time trying to social engineer information, money or food out of just about everyone they ran into — online or in the real world.

That reporting led to a Washington Post Magazine cover story about a kid in the midwestern United States (nickname: “0x80”) who was running a large botnet and getting paid thousands of dollars each month by some of the largest advertisers in the nation to install adware and spyware on victim PCs. That piece features an example of the above-mentioned social engineering that was encouraged among the group’s members:

“He and his hacker friends are part of a generation raised on the Internet, where everything from software to digital music to a reliable income can be had at little cost or effort. Some of them routinely go out of their way to avoid paying for anything. During a recent conference call with half a dozen of 0x80’s buddies using an 800-number conferencing system they had hacked, one guy suggests ordering food for delivery. Nah, one of his friends says, ‘let’s social it.’ The hackers take turns explaining how they ‘social’ free food from pizza joints by counterfeiting coupons or impersonating customer service managers.”

“‘Dude, the best part is when you walk in, you hand them the coupon or whatever, they give you your [pizza], and you walk out,’ one of them enthuses. ‘Then, it’s like, yes, I am . . . the coolest man alive.'”

“‘Dude, that’s so true,’ echoes a 16-year-old hacker. “‘Free pizza tastes so much better than pay pizza any day.'”

The 16-year-old in that case (not the subject of the Post Magazine piece) was a very bright and charismatic kid named Cameron LaCroix. I would later learn that, in addition to plundering Paris Hilton’s cell phone, LaCroix and his crew had also broken into LexisNexis, making off with some 310,000 personal records, including hundreds of records on other Hollywood celebrities.

Cameron "cam0" LaCroix, with Playboy model Ashley Alexxis, in a Rhode Island nightclub.

Cameron “cam0” LaCroix, with Playboy model Ashley Alexiss, in a Rhode Island nightclub.

LaCroix and others involved in those capers later pleaded guilty to their crimes. Most of the gang either got probation, or less than a year in the pokey. LaCroix, 17 at the time, spent 11 months in a juvenile detention facility. A few months after his release (and then 18 years old), he was jailed for nine months after allegedly violating the terms of his parole.

Now 25, LaCroix is again facing prison time; According to Ars Technica, this month he agreed to plead guilty to two counts of computer intrusion and one count of access device fraud. Federal investigators say LaCroix repeatedly broke into dozens of law enforcement computer services containing sensitive information, including police and intelligence reports, arrest warrants, and sex offender information. LaCroix also admitted to hacking into his community college so that he could change his grades and those of two other students.

LaCroix declined to comment for this story, citing his sentencing hearing coming up later this year and the likelihood of other, unrelated hacking charges being levied against him. But his experience is an all-too-familiar one among young cybercrime offenders; a tendency to recidivism and re-incarceration. LaCroix’s story tracks closely that of at least two other repeat offenders that I’ve been keeping in touch with on instant message and who are facing several years in jail after their second or third strike for hacking-related offenses.


Readers of this blog — particularly fans of my Pharma Wars series on the epic battle of attrition between two men allegedly responsible for running the largest pharmacy spam affiliate programs — are no doubt familiar with the name Pavel Vrublevsky, a 35-year-old Russian man who co-founded and ran Russian payments firm ChronoPay. That is, until his arrest, trial and incarceration last year on charges of paying a botmaster to attack the Web site of a rival payments firm.

Russian Vice Premier Sergei Ivanov and ChronoPay co-founder at a Russian Basketball League game.

Russian Vice Premier Sergei Ivanov and ChronoPay co-founder at a Russian Basketball League game.

Vrublevsky and the men he allegedly hired were all sentenced to 2.5 years in a Russian penal colony. But just the other day — not even a year into his sentence — Vrublevsky was inexplicably released and allowed to return to his home in Moscow. The characteristically garrulous Vrublevsky had surprisingly little to say about the reason for his early release, merely confirming the news with a terse post on his personal blog with the statement, “Glad to be back…”

But Irek Murtazin, a reporter and blogger who covered Vrublevsky’s trial for the Russian newspaper Novaya Gazeta, cites sources saying that Vrublevsky was released as part of a deal to help build out the National Payment System (NPS), a new domestic payments network called for in a law recently signed by Russian President Vladimir Putin.

Vrublevsky could not be immediately reached for comment. But nobody should be surprised if Murtazin’s sources turn out to be correct. In 2008, Vrublevsky was appointed a key member of the anti-spam working group of the Russian Ministry of Telecom and Mass Communication, a group that was tasked with proposing new laws to fight junk email.

Vrublevsky steadfastly denies that he’s guilty of hiring botmasters to attack his rivals, or having anything to do with spammers other than trying to stop them. However, when I went to visit him in Moscow in 2011, he did acknowledge that his company ChronoPay was the principal payments processing firm for Rx-Promotion, a rogue pharmacy affiliate program that paid millions of dollars to some of the world’s most notorious spammers and botmasters.

Most of the interview with Vrublevsky in Moscow is in my upcoming book that will be published Nov. 18, 2014 by Sourcebooks, called Spam Nation: The Inside Story of Organized Cybercrime — From Global Epidemic to Your Front Door. Anyone interested in pre-ordering the book may do so at this link.

35 thoughts on “Ne’er-Do-Well News, Volume I

  1. Greg Biggio

    Nice to keep tabs on familiar names and faces.

    Autographed copies of the book should already available on Silk Road, by some ‘enterprising’ individual.

    1. Ron

      Dear Mr Brian,

      Can you please investigate Private Internet Access VPN?

      Kind Regards,


  2. Tom Bulger

    I assume we can it autographed during the national book tour?

      1. TechMojo

        I’d like to purchase a book, where shall I send the ChronoPay?

  3. rb


    Thanks for resurrecting _that_ meme… :/

  4. -stephen

    “LaCroix, 17 at the time, spent 11 months in a juvenile detection facility”.

    I believe you mean a juvenile detention facility, although a detection facility is an interesting idea.


    1. E.M.H.


      “Run scanner…”
      (pause)(beeping noises)
      “Yep. He’s a juvenile.”

  5. Keith

    Amazon is only listing a hardback version. Will the book be released in digital format?

    1. E.M.H.

      I add my voice to this. I really do most of my reading on the Kindle app nowadays, and it would be great to see this released as an e-book.

      Granted, that makes it hard for Brian to autograph if you ever see him (“Hi, wanna sign my iPad?”…), but seriously, e-books are so convenient for us bookworms.

      1. Greg

        …and a must for us packrats and hoarders. 🙁

  6. Likes2LOL

    Man, you’re good at advanced international cybersecurity — so glad you’re on *our* side! 😉

  7. TheOreganoRouter.onion.it

    You would think that a domain name like ” zeus-terminal[dot]com” or names like Zeus Terminal or Zeus Terminal Lite would be a huge red flag for a lot of people.

    1. Greg

      Gotta leverage that brand awareness to stand out in the App Store!

  8. Maureen

    Dude, cool category. 🙂 I’m sure it will be used frequently. There certainly is no shortage of ne’er-do-wells.

  9. Hayton

    Since Pavel is possibly the only person you’ve annoyed who hasn’t sent a SWAT team around to your house or mailed you illegal substances, are you going to be nice and invite him along on the book signing tours?

    At least now he’s out you know you’ll soon be able to start taking notes for the best-selling follow-up 🙂

  10. FARO

    Cameron Lacroix, interesting. From New Bedford an old whaling town and formerly incarcerated at MCI Concord. Philadelphia Inquirer’s new owner Lewis Katz just died in a plane crash in Bedford, the town next to Concord.

    1. Chikken Lyttle

      Aha. Right. Connect the dots. Concord. Paul Revere. Benghazi!

      1. Marma Lade

        Not Benghazi; Kevin Bacon!

        Kevin Bacon, who was born in Philadelphia (location of the Philadelphia Inquirer and not all that far from Concord and Bedford), acted in “Planes, Trains & Automobiles,” “He Said, She Said,” and “Robot Chicken.”

        Everyone is within six degrees of Kevin Bacon, even you, Chikken Lyttle!

  11. Tim McCracken

    I’m very disappointed in you Mr. Krebs. The binary at the top of your book cover does not say anything in ASCII.

    1. Steve

      Well, DUH… it’s encrypted, of course!

  12. E.M.H.

    It’s somewhat disturbing to note that while the US has had a large share of “gray area” internet “entrepreneurs” (Alan Ralsky, anyone?), Russia’s government seems to have taken things a step further and protected them. And given the info above, possibly even made partnerships with them. Even during the most hands-off period of Internet history – back before the US government even had a clue, much less a loose handle on what the ‘net was all about – they never actively worked for the release of one of these “gray area” net businessmen. At worst, the US government didn’t understand what was going on, but they never went out of their way to actually court, say, spammers to spam. If they have had any influence with people who control botnets, they’ve at least not been shamelessly public about it.

    But Russia…

    Well, maybe Vrublevsky didn’t get out of jail “free”, and it’s entirely possible that there’s no subterfuge about his role in that antispam group. But given the actions of the Russian government – most especially their willing blind eye towards most cybercrime being committed within their borders – it really makes you wonder.

  13. Greg

    Brian, you traveled to Moscow?! I don’t expect you to tell us about the security precautions you took, but they must’ve been quite impressive, including an armed bodyguard, I imagine.

    And those bunny ears on Ashley Alexxis look kinda sad. Either Playboy is in really dire straits or they’re not the genuine product. I googled her name, in quotes, (just for research, I swear!) and no Playboy sites showed up in the results.

    1. FARO

      I left off the quotes, got her Facebook page and she is from the Boston area. She is pictured in Playboy’s Miss Social’s. I see here pictures time to time from Playboy since I have the account “Liked” on my Facebook account.

      Wonder how he got to know her?

      1. Greg

        Since the photo was taken in a nightclub and she’s wearing bunny ears, I suspect she was making a paid appearance and she posed with a number of club patrons.

      1. Greg

        Thanks. It seems you misspelled “Alexiss” in the caption of the photo.

        1. BrianKrebs Post author

          Indeed. What a naughty boy I am. Can’t imagine what would have possessed me to add an extra “x” to that photo! 🙂

      2. Phil Cooper

        “non-nude Playboy model”?

        That’s about as useful as decaffeinated coffee… “adult” movies edited for broadcast TV, or fat-free chocolate…

  14. gordon

    I see that the WayBackMachine:

    has a snapshot on June 11, 2013 of:

    Google translate shows:
    “Domain name : zeus-terminal[dot]com served at the
    official registrar “Center of Ukrainian Internet Names “

  15. dan

    Brian, I assume your book be coming out in a kindle version available for purchase too?

    if not, i’ll pre-order the hard copy..

  16. JCitizen

    HA!HA! Good ol’ Pavel Vrublevsky! How many times have his conversations with Brian, and exploits graced the pages of KOS! HA!

    As much as I hate web criminals, it is difficult to hate this caricature! 😀

    1. Hayton

      Pavel is not a caricature, whatever else he is (or isn’t). He’s quite an interesting character, in a very Russian sort of way, very intelligent and with a quirky sense of humour (I don’t know any other alleged criminal who would drop a reference to Monty Python or Terry Pratchett into a LinkedIn discussion). Someone I know described him as a ‘lovable rogue’, a description which almost (but not quite) fits. I hope Brian’s book does him justice and doesn’t just portray him as some thuggish cybermoron.

Comments are closed.