18
Nov 19

Why Were the Russians So Set Against This Hacker Being Extradited?

The Russian government has for the past four years been fighting to keep 29-year-old alleged cybercriminal Alexei Burkov from being extradited by Israel to the United States. When Israeli authorities turned down requests to send him back to Russia — supposedly to face separate hacking charges there — the Russians then imprisoned an Israeli woman for seven years on trumped-up drug charges in a bid to trade prisoners. That effort failed as well, and Burkov had his first appearance in a U.S. court last week. What follows are some clues that might explain why the Russians are so eager to reclaim this young man.

Alexei Burkov, seated second from right, attends a hearing in Jerusalem in 2015. Andrei Shirokov / Tass via Getty Images.

On the surface, the charges the U.S. government has leveled against Burkov may seem fairly unremarkable: Prosecutors say he ran a credit card fraud forum called CardPlanet that sold more than 150,000 stolen cards.

However, a deep dive into the various pseudonyms allegedly used by Burkov suggests this individual may be one of the most connected and skilled malicious hackers ever apprehended by U.S. authorities, and that the Russian government is probably concerned that he simply knows too much.

Burkov calls himself a specialist in information security and denies having committed the crimes for which he’s been charged. But according to denizens of several Russian-language cybercrime forums that have been following his case in the Israeli news media, Burkov was by all accounts an elite cybercrook who primarily operated under the hacker alias “K0pa.”

This is the same nickname used by an individual who served as co-administrator of perhaps the most exclusive Russian-language hacking forums ever created, including Mazafaka and DirectConnection.

A screen shot from the Mazafaka cybercrime forum, circa 2011.

Since their inception in the mid-aughts, both of these forums have been among the most difficult to join — admitting only native Russian speakers and requiring each applicant to furnish a non-refundable cash deposit and “vouches” or guarantees from at least three existing members. Also, neither forum was accessible or even visible to anyone without a special encryption certificate supplied by forum administrators that allowed the sites to load properly in a Web browser.

DirectConnection, circa 2011. The identity shown at the bottom of this screenshot — Severa — belonged to Peter Levashov, a prolific spammer who pleaded guilty in the United States last year to operating the Kelihos spam botnet.

Notably, some of the world’s most-wanted cybercriminals were members of these two highly exclusive forums, and many of those individuals have already been arrested, extradited and tried for various cybercrime charges in the United States over the years. Those include convicted credit card fraudsters Vladislav “Badb” Horohorin and Sergey “zo0mer” Kozerev, as well as the infamous spammer and botnet master Peter “Severa” Levashov.

A user database obtained by KrebsOnSecurity several years back indicates K0pa relied on the same email address he used to register at Mazafaka and DirectConnection to register the user account “Botnet” on Spamdot, which for years was the closely-guarded stomping ground of the world’s most prolific spammers and virus writers, as well as hackers who created services catering to both professions.

As a reporter for The Washington Post in 2008, I wrote about the core offering that K0pa/Botnet advertised on Spamdot and other exclusive forums: A botnet-based anonymity service called FraudCrew. This service sold access to hacked computers, which FraudCrew customers used for the purposes of hiding their real location online while conducting cybercriminal activities.

FraudCrew, a botnet-based anonymity service offered by K0pa.

K0pa also was a top staff member at Verified, among the oldest and most venerated of Russian language cybercrime forums. Specifically, K0pa’s role at Verified was in maintaining its blacklist, a dispute resolution process designed to weed out “dishonest” cybercriminals who seek only to rip off less experienced crooks. From this vantage point, K0pa would have held considerable sway on the forum, and almost certainly played a key role in vetting new applicants to the site.

Prior to his ascendance at these forums, K0pa was perhaps best known for being a founding member of a hacker group calling themselves the CyberLords. Over nearly a decade, the CyberLords team would release dozens of hacking tools and exploits targeting previously unknown security vulnerabilities in Web-based services and computer software.

A cached copy of cyberlords[.]ru, circa 2005.

A DIRECT CONNECTION?

According to security firm Cybereason, Russia has a history of using contractors — even cybercriminals — to run intelligence operations. These crooks-turned-spies “offer a resource to the state while enjoying a cloak of semi-protected ‘status’ for their extracurricular activities, provided they are directed against foreign targets.”

“Cybercriminals are recruited to Russia’s national cause through a mix of coercion, payments and appeals to patriotic sentiment,” reads a 2017 story from The Register on Cybereason’s analysis of the Russian cybercrime scene. “Russia’s use of private contractors also has other benefits in helping to decrease overall operational costs, mitigating the risk of detection and gaining technical expertise that they cannot recruit directly into the government. Combining a cyber-militia with official state-sponsored hacking teams has created the most technically advanced and bold cybercriminal community in the world.”

A banner that ran on top of the Verified cybercrime forum for many years.

It’s probably worth noting that also present on both DirectConnection and Mazafaka were the core members of a prolific gang of online bank robbers called the JabberZeus Crew, who used custom versions of the ZeuS Trojan to steal tens — if not hundreds — of millions of dollars from hacked small businesses across the United States. In 2011, most of that crew was rounded up in an international cybercrime crackdown, although virtually all of them escaped prosecution in their home countries (mainly Russia and Ukraine).

I mention this because K0pa also was in regular communications with — if not a core member of –the JabberZeus crew. This gang worked directly with the author of the ZeuS trojan — Evgeniy “Slavik” Bogachev — a Russian man with a $3 million bounty on his head from the FBI. The cybercriminal organization Bogchev allegedly ran was responsible for the theft of more than $100 million from banks and businesses worldwide that were infected with his ZeuS malware. That organization, dubbed the “Business Club,” had members spanning most of Russia’s 11 time zones.

In this 2011 screenshot of DirectConnection, we can see the nickname “aqua,” one of the JabberZeus crime gang actors. K0pa also was affiliated with the JabberZeus crew.

Fox-IT, a Dutch security firm that infiltrated the Business Club’s back-end operations, found that beginning in late fall 2013 — about the time that conflict between Ukraine and Russia was just beginning to heat up — Slavik retooled his cyberheist botnet to serve as purely a spying machine, and began scouring infected systems in Ukraine for specific keywords in emails and documents that would likely only be found in classified documents.

Likewise, the keyword searches that Slavik used to scour bot-infected systems in Turkey suggested the botmaster was searching for specific files from the Turkish Ministry of Foreign Affairs – a specialized police unit. Fox-IT said it was clear that Slavik was looking to intercept communications about the conflict in Syria on Turkey’s southern border — one that Russia has supported by reportedly shipping arms into the region.

To my knowledge, no one has accused Burkov of being some kind of cybercrime fixer or virtual badguy Rolodex for the Russian government. On the other hand, from his onetime lofty perch atop some of the most exclusive Russian cybercrime forums, K0pa certainly would have fit that role nicely.

Further reading, including the fascinating story on the diplomatic back and forth between Russia and Israel mentioned in the first paragraph: The Russian Hacker Who Just Became One of Israel’s Most Famous Prisoners.

How Russia Recruited Elite Hackers for Its Cyberwar

Tags: , , , , , , , , ,

47 comments

  1. The Sunshine State

    It’s all starts with Vladimir Putin himself, the head of the Russian cyber-crime syndicate.

    • It’s ironic that the man who promoted himself as the only one who could clean up corruption in Russia ended up cutting off the heads of all the corrupt organizations and installed himself in their place.

    • I respect Vlad, america just pretends they are saving the world while they invade other countries and the citizens are so brain washed by there phones and media that they believe they are heroes lol russians are so much smarter.

      • Alexander Hardie

        Really? Stirring the pot or are you just an idiot?

      • You just think he’s sexy. But he’s an old creep that leaches off of everyone around him. Just another ego tripping sociopath that cut their way into positions of power.

      • Putin killed his own people to rise to power
        https://en.wikipedia.org/wiki/Russian_apartment_bombings#Likely_Russian_government_involvement

        Russian people and culture are great but the gov’t is as corrupt as they come. They are robbing the Russian people blind all the while the masses drink up state propaganda.

        Russia put the first object in orbit and the first man in space. They invented Tetris and jet packs. Make Russia great again, get rid of the dictator.

      • In last 100 years USA never annexed foreign country o territory. Russia did it 10 times.
        And about smartness you write on computer, invented in US, on american OS, and on internet, created, again, by US

        • Are you really making this argument? Is this willfull ignorance?

          No need to annex a country if you can control it by other means.

          How many military bases does the U.S. have across the world? How many regimes were violently replaced by the U.S. in the past 100 years? Why does the U.S. have such a problem with Iran?

  2. And Trump is behind the Walmart shooting in OK?

  3. Without getting into the politics… Given the fact that Russia (Putin) normally terminates people it doesn’t like and those they perceive as traitors. If this guy sings it would be very bad for his health. I’m sure they’ll give this guy a nice lengthy sentence for each count and then be traded out later and then go home too Russia with the heroes welcome.

  4. I should give it to these dirtbags, Mazafaka is a good name for a website.

  5. The girl’s arrest was on the news for a few days straight and I couldn’t understand why (nor why they would detain her on while connecting which I heard is also problematic as she didn’t leave the air port). Now you’ve shed some light on this.

  6. Brian:

    As always, incredible work. It it so impressive how persistent, and detailed you’ve been over a very long period.

    As mentioned above, it’s also impressive how Russia has invested in the “long game”, and realized the fruits of their labors.

    Keep it up – and stay safe.

  7. Always a great read, thanks for the look inside the story.

  8. Robert Scroggins

    Very interesting. Thanks for the look inside Russian cybercrime, Brian. As the guy above said, stay safe.

    Regards,

  9. Maybe he can finally reveal who actually killed Seth Rich and shared his laptop’s data with [RHYMES WITH ORANGE] in 2016.

    Or he could tell who accessed [FORMER CANDIDATE]’S private email server and where the backup data is stored.

    Or maybe he’s just a crook and this article is wrong about his influence.

    In any case, it was a fun read.

  10. Interesting read. Glad he’s in a foreign jail. And not a new York facility. A lot of articles on the intertubes about redirections, and hidden servers bypassing the local, but, all ” unrelated” as to ease of finding. Keep up the good work of finding these articles for us to peruse.

  11. Mikey Doesn't Like It

    Brian, another excellent story. More insight into just how tangled a web these bad actors weave.

    BTW, you wrote: “…the Russians then imprisoned an Israeli woman for seven years on trumped-up drug charges in a bid to trade prisoners.”

    Whatever happened to that woman? (“Collateral damage” in a war we’re losing?)

  12. So this Burkov guy is the Epstein of cybercrime. Sorry to hear about his family’s loss, and to bad he didn’t get to testify.

  13. I respect Vladimir Putin.
    Russia is so much better than the US. The US is probably the worst, sickest, ugliest country in the world.
    Any country is better.

  14. USA Will be new soviet union
    But Russia there ise life only If You are Rich!
    The natural resources are stolen.. All the Russia wealth ise in switzerland.
    Putin ise swizz anyways so does trump and so

  15. Brian, a scarily signifigant portion of the comments on this post are either trolling/propaganda.

    “Bart Johnson said Putin did nothing wrong, and Americans are brainwashed”

  16. US tracks, arrests, convicts and imprisons cyber experts, the rest of the world puts them to work for their country.

  17. How can you find so many details? I like how
    you arrange everything, since it’s really easy to read.
    All in all, I can recommend this article to everybody who’s interested in that topic.

  18. Boy, did it get Internet Research Agency in here quick.

  19. I’ve been searching for a place such as this for a
    long time.

  20. Chris Vickery thinks he might be involved in the theft of 191 million voter registration records stolen prior to 2016 election. I just read about it on his Twitter page today.

  21. The U.S has a growing trend of arresting individuals it needs across the globe and extradite them in for questions/intelligence. People fail to understand the meaning of these arrests and how it affects the growing hate for America worldwide. If you are an intelligence asset or a person with genius brain U.S can use ridiculous charges to extradite you and force you under threat of decades of prison. These cases will have exactly the opposite effect on long term. As with Nazi regime, the propaganda used in cyber cases is beneficial for U.S public in short term but will have bad long term consequences.

Leave a comment