Feb 18

U.S. Arrests 13, Charges 36 in ‘Infraud’ Cybercrime Forum Bust

The U.S. Justice Department announced charges on Wednesday against three dozen individuals thought to be key members of ‘Infraud,” a long-running cybercrime forum that federal prosecutors say cost consumers more than a half billion dollars. In conjunction with the forum takedown, 13 alleged Infraud members from the United States and six other countries were arrested.

A screenshot of the Infraud forum, circa Oct. 2014. Like most other crime forums, it had special sections dedicated to vendors of virtually every kind of cybercriminal goods or services imaginable. Click to enlarge.

Started in October 2010, Infraud was short for “In Fraud We Trust,” and collectively the forum referred to itself as the “Ministry of Fraudulently [sic] Affairs.” As a mostly English-language fraud forum, Infraud attracted nearly 11,000 members from around the globe who sold, traded and bought everything from stolen identities and credit card accounts to ATM skimmers, botnet hosting and malicious software.

“Today’s indictment and arrests mark one of the largest cyberfraud enterprise prosecutions ever undertaken by the Department of Justice,” said John P. Cronan, acting assistant attorney general of the Justice Department’s criminal division. “As alleged in the indictment, Infraud operated like a business to facilitate cyberfraud on a global scale.”

The complaint released by the DOJ lists 36 Infraud members — some only by their hacker nicknames, others by their alleged real names and handles, and still others just as “John Does.” Having been a fairly regular lurker on Infraud over the past seven years who has sought to independently identify many of these individuals, I can say that some of these names and nick associations sound accurate but several do not.

The government says the founder and top member of Infraud was Svyatoslav Bondarenko, a hacker from Ukraine who used the nicknames “Rector” and “Helkern.” The first nickname is well supported by copies of the forum obtained by this author several years back; indeed, Rector’s profile listed him an administrator, and Rector can be seen on countless Infraud discussion threads vouching for sellers who had paid the monthly fee to advertise their services in “sticky” threads on the forum.

However, I’m not sure the Helkern association with Bondarenko is accurate. In December 2014, just days after breaking the story about the theft of some 40 million credit and debit cards from retail giant Target, KrebsOnSecurity posted a lengthy investigation into the identity of “Rescator” — the hacker whose cybercrime shop was identified as the primary vendor of cards stolen from Target.

That story showed that Rescator changed his nickname from Helkern after Helkern’s previous cybercrime forum (Darklife) got massively hacked, and it presented clues indicating that Rescator/Helkern was a different Ukrainian man named Andrey Hodirevski. For more on that connection, see Who’s Selling Cards from Target.

Also, Rescator was a separate vendor on Infraud, and there are no indications that I could find suggesting that Rector and Rescator were the same people. Here is Rescator’s most recent sales thread for his credit card shop on Infraud — dated almost a year after the Target breach. Notice the last comment on that thread alleges that Rescator had recently been arrested and that his shop was being run by law enforcement officials: 

Another top administrator of Infraud used the nickname “Stells.” According to the Justice Department, Stells’ real name is Sergey Medvedev. The government doesn’t describe his exact role, but it appears to have been administering the forum’s escrow service (see screenshot below).

Most large cybercrime forums have an escrow service, which holds the buyer’s virtual currency until forum administrators can confirm the seller has consummated the transaction acceptably to both parties. The escrow feature is designed to cut down on members ripping one another off — but it also can add considerably to the final price of the item(s) for sale.

In April 2016, Medvedev would take over as the “admin and owner” of Infraud, after he posted a note online saying that Bondarenko had gone missing, the Justice Department said.

One defendant in the case, a well-known vendor of stolen credit and debit cards who goes by the nickname “Zo0mer,” is listed as a John Doe. But according to a New York Times story from 2006, Zo0mer’s real name is Sergey Kozerev, and he hails from St. Petersburg, Russia.

The indictments also list two other major vendors of stolen credit and debit cards: hackers who went by the nicknames “Unicc” and “TonyMontana” (the latter being a reference to the fictional gangster character played by Al Pacino in the 1983 movie Scarface). Both hackers have long operated and operate to this day their own carding shops:

Unicc shop, which sells stolen credit card data as well as Social Security numbers and other consumer information that can be used for identity theft.

The government says Unicc’s real name is Andrey Sergeevich Novak. TonyMontana is listed in the complaint as John Doe #1.

TonyMontana’s carding shop.

Perhaps the most successful vendor of skimming devices made to be affixed to ATMs and fuel pumps was a hacker known on Infraud and other crime forums as “Rafael101.” Several of my early stories about new skimming innovations came from discussions with Rafael in which this author posed as an interested buyer and asked for videos, pictures and technical descriptions of his skimming devices.

A confidential source who asked not to be named told me a few years back that Rafael had used the same password for his skimming sales accounts on multiple competing cybercrime forums. When one of those forums got hacked, it enabled this source to read Rafael’s emails (Rafael evidently used the same password for his email account as well).

The source said the emails showed Rafael was ordering the parts for his skimmers in bulk from Chinese e-commerce giant Alibaba, and that he charged a significant markup on the final product. The source said Rafael had the packages all shipped to a Jose Gamboa in Norwalk, Calif — a suburb of Los Angeles. Sure enough, the indictment unsealed this week says Rafael’s real name is Jose Gamboa and that he is from Los Angeles.

A private message from the skimmer vendor Rafael101, from on a competing cybercrime forum (carder.su) in 2012.

The Justice Department says the arrests in this case took place in Australia, France, Italy, Kosovo, Serbia, the United Kingdom and the United States. The defendants face a variety of criminal charges, including identity theft, bank fraud, wire fraud and money laundering. A copy of the indictment is available here.

Tags: , , , , , , , , , , , , , , ,


  1. This is good news! They finally sprung one of the rat traps!

  2. I didn’t know counterfeit Disney dollars was such a hot item

  3. Good news. I certainly hope these “miscreants” get their just due. Thanks, Brian!

  4. Any idea why the handles for John Doe #2 are redacted in the indictment?

  5. Are those Roman coin images of Caligula? It would figure they’d pick one of the most despicable humans in history for one of their main pages. Octavian I’d assume would be a reference to his great grandfather Augustus, unless of course they are referencing an old and wealthy equestrian branch of the plebeian gens Octavia.

  6. the carder sites unicc.at and rescator.cc still online they dont give a fuck hahhaa

  7. Sergey Medvedev was arrested on FBI request/info last week in Bangkok, but his arrest was kept secret for a week.

  8. These are hollow and self aggrandizing announcements. They only actually arrested less than half of their targets and then told the others they were wanted.

    Not the first time followers of this stuff have seen Mickey Mouse (pun intended) nonsense coming out of Las Vegas and homeland security investigations…whatever the heck that is. Sounds like a made up outfit filled with wannabes and never was.

    Lock up some real big time players and then do your silly little press conferences. Until then you are embarrassing yourself.

  9. A note to DoJ, Kosovo is in Serbia so they’re both just 1 country.

    • You’ve got that wrong Kroki. Under international law Kosovo is a sovereign country. Maybe you confuse this with Crimea, that was annexed by the russian regime and is Ukraine by international law.

  10. I see a bunch of Muslim names in the indictment and the website has Arabic and a mention of Allah. Although it wasn’t charged in the indictment, I’d like to know if this group of people has been funding Islamic and Arab terrorism or providing them with technical services, like the IS/daesh website and the syrian/palestinian hacker groups.

    On an unrelated note, the crimes charged are for laws that shouldn’t exist in a free society. Possession of devices shouldn’t be a crime. And racketeering is a bogus infringement on the right to freely assemble and speak freely. They should have been charged only with stealing, if they stole, and that’s it.

  11. Set them free, drop them from a plane over the Atlantic. International waters, no laws no crime. They don’t like laws anyways.

  12. oeh.. those fraud guys got a lot a lot money.
    as always they can hire good lawers and thats it.
    for those guys money is not problem..but only problem is where they can invest their money? offcourse those guys want to do some legal business but unfortunetly only thing what they know is fraud.
    thats sad thing. im sure this guys are tired about hiding their money,they want to use money like other people.

    • @ bolck
      You’d honestly be surprised. Most of these carders and fraudsters are probably making less than or no more than you, if that. A lot more than you think are barely scraping by, and the numbers you see from government reports are extremely skewed, not actual exact dollar amounts of carded things’ value, ie they say “carder caused an estimated $100,000 thousand in damages and stolen goods” most likely equals out to less than 20 grand, on the high high end. Most of these fools are broke, and usually over their entire carding career lucky to break even lol. The big guys up top, the small small number of them, are the only ones really making any money, and they most likely are not going to ever be caught. Even resellers, vendors, etc aren’t raking in as much as you’d expect. Essentially the feds wasted a whole lot of resources, time, and money, to lock up a dozen people who weren’t living any more lavishly than you or I, and probably only did what they do because they had to, and while possessing the skills, did not have the formal education or experience to get a job, so the next obvious choice is….

  13. It’s interesting that there is no mention of the alias inFraud themselves in the indictment. From conversations I saw, I’d always assumed that he(or she) was the founder of the forum. He certainly seemed to push it a lot, at least in the early years.

  14. What they don’t tell you is that the forum has been half dead since a couple of years
    No activity just take a look at the screenshot
    Last ddos post is from 2014.

    And big players are still free and doing their job

    For me only big story will be bust of maza or lcp

  15. I’m no way in contact with infraud team I was just a vendor like other vendor I paid for vendor so i can make some sales

    And I don’t use this forum since 4 years my account compromised

    please remove my name. I was just small vendor of PayPal
    I used to resell for other guy plesse catch big guy there is far more big seller than mine I stopped this please leave me alone and remove my name

    Also chan and mae tony not same guy

    Catch big guy like paysell and pp24 and sellip

    I have closed my forum and service 4 years ago
    Now someone using my old domain after expire and scamming by selling fake generated account

    Look in hackkforum and other cracked forum so many seller of cracked account. I’m not hacker or spammer I was just reseller

    Brian please help me remove my name. I’m ready to help you if you need any help.


  16. We had a member with this exact Alibaba fraud earlier this month. Processed as a VISA VBV transaction. Credit Union is out the money. Hopefully, VISA will hold the merchant responsible for shipping these products to one address.

  17. there is no more real carding ! carding is dead !
    now criminals ripping of other criminals,no honor amogs thieves.
    so no more carding even joker staash is not real cc and dumps provider. its finished now ! and all carding forums are scams.

  18. Here is a weird one. My 93yo mother in Florida just received a statement from Capitol One GM. A credit card which had been dormant for a few years. Suddenly reactivated in late December.

    Now she has a sole charge for $14.90 USD which figures to be $19.00 AUD charged to:”OriginEnergyHoldinAdelaide”. Best I can figure is this company is a utility in Australia.

    My mother has not left Florida for at least 5 years, never been to Australia. Nobody in family or friends from Australia.

    I am still trying to work this out with Capital One having submitted a POA because Mom can’t handle this.

    Apparently Mom’s SSN no longer matches what Capitol One has on record.

    What possible reason would a hacker reactivate a card just to pay a small utility bill?

  19. Indictment unsealed as of 2/15

  20. YOur PResident

    So sad. But no sorrow, hopefully criminals have more means how to fuck US, UK and other terrorist retarded countries. Thumbs up for dead US and its retatrds.