10
Mar 20

FBI Arrests Alleged Owner of Deer.io, a Top Broker of Stolen Accounts

FBI officials last week arrested a Russian computer security researcher on suspicion of operating deer.io, a vast marketplace for buying and selling stolen account credentials for thousands of popular online services and stores.

Kirill V. Firsov was arrested Mar. 7 after arriving at New York’s John F. Kennedy Airport, according to court documents unsealed Monday. Prosecutors with the U.S. District Court for the Southern District of California allege Firsov was the administrator of deer.io, an online platform that hosted more than 24,000 shops for selling stolen and/or hacked usernames and passwords for a variety of top online destinations.

An example seller’s panel at deer.io. Click image to enlarge.

The indictment against Firsov says deer.io was responsible for $17 million worth of stolen credential sales since its inception in 2013.

“The FBI’s review of approximately 250 DEER.IO storefronts reveals thousands of compromised accounts posted for sale via this platform and its customers’ storefronts, including videogame accounts (gamer accounts) and PII files containing user names, passwords, U.S. Social Security Numbers, dates of birth, and victim addresses,” the indictment states.

In addition to facilitating the sale of hacked accounts at video streaming services like Netflix and Hulu and social media platforms like Facebook, Twitter and Vkontakte (the Russian equivalent of Facebook), deer.io also is a favored marketplace for people involved in selling phony social media accounts.

For example, one early adopter of deer.io was a now-defunct shop called “Dedushka” (“grandpa” in transliterated Russian), a service offering aged, fake Vkontakte accounts that was quite popular among crooks involved in various online dating scams.

The indictment doesn’t specify how prosecutors pegged Firsov as the mastermind behind deer.io, but there are certainly plenty of clues that suggest such a connection. 

Firsov’s identity on Twitter says he is a security researcher and developer who currently lives in Moscow. Previous tweets from that account indicate Firsov made a name for himself after discovering a number of serious security flaws in Telegram, a popular cross-platform messaging application.

Firsov also tweeted about competing in and winning several “capture the flag” hacking competitions, including the 2016 and 2017 CTF challenges at Positive Hack Days (PHDays), an annual security conference in Moscow.

Isis’ profile on antichat.

Deer.io was originally advertised on the public Russian-language hacking forum Antichat by a venerated user in that community who goes by the alias “Isis.” A Google Translate version of that advertisement is here (PDF).

In 2016, Isis would post to Antichat a detailed writeup on how he was able to win a PHDays hacking competition (translated thread here). In one section of the writeup Isis claims authorship of a specific file-dumping tool, and links to a Github directory under the username “Firsov.”

In another thread from June 2019, an Antichat user asks if anyone has heard from Isis recently, and Isis pops up a day later to inquire what he wants. The user asks why Isis’s site — a video and music search site called vpleer[.]ru — wasn’t working at the time. Isis responds that he hasn’t owned the site for 10 years.

According to historic WHOIS records maintained by DomainTools.com (an advertiser on this site), vpleer was originally registered in 2008 to someone using the email address hm@mail.ru.

That same email address was used to register the account “Isis” at several other top Russian-language cybercrime forums, including Damagelab, Zloy, Evilzone and Priv-8. It also was used in 2007 to register xeka[.]ru, a cybercrime forum in its own right that called itself “The Antichat Mafia.”

A cached copy of the entry page for xeka[.]ru. Image courtesy archive.org.

More importantly, that same hm@mail.ru email address was used to register accounts at Facebook, Foursquare, Skype and Twitter in the name of Kirill Firsov.

Russian hacking forums have taken note of Firsov’s arrest, as they do whenever an alleged cybercriminal in their midst gets apprehended by authorities; typically such a user’s accounts are then removed from the forum as a security precaution. An administrator of one popular crime forum posted today that Firsov is a 28-year-old from Krasnodar, Russia who studied at the Moscow Border Institute, a division of the Russian Federal Security Service (FSB).

Firsov is slated to be arraigned later this week, when he will face two felony counts, specifically aiding and abetting the unauthorized solicitation of access devices, and aiding and abetting trafficking in “false authentication features.” A copy of the indictment is available here (PDF).

Tags: , , , , , ,

28 comments

  1. If they prove this case, I hope they bury this guy in the SuperMax in Colorado, not slap him on the wrist and send him to Mother Goose’s reform school.

    It’s time to make a stand against these crooks.

  2. It’s really interesting to compare this small snapshot of Firsov’s digital trail with Paul Le Roux.

    The articles from the Atavist Magazine were really interesting.

    Compartmentalization and other trade-craft is hard to do. We could all benefit from reading some John Le Carre books.

    Unique usernames/emails/passwords for everything, never our real name.

    At times we need robust verification of our true identity, but all other times rigorous anonymity.

    • Why should we all do this? There’s a significant cost in inconvenience. (It makes accessing sites considerably more difficult.) I can see why some people (and not just cyber crooks) would need to pay that cost. Why should I? What is the advantage to me of rigorous anonymity, Wu Jin Han?

      • I think the implication is that we are all criminals that are just reading krebs for lolz. Not true of course. Just us clowns.

  3. Yeah, Team!!

  4. The Sunshine State

    Another great article !

  5. Any competent Russian criminal knows they should stay behind the Federal borders, or be cast into prison. Maybe this clown will be traded for a foreigner who is arrested in Russia on trumped up charges. That is the dirty way to go, but hostage taking is still paying off, despite what the US State Department says.

  6. Yeah, this guy is clearly an idiot. Any self respecting Russian knows that you don’t show up in US thinking that you can get away with things like you do in mother Russia.

  7. Has anyone red Schnieir’s book, “Click Here…”? It’s very informative on issues of security. The problem seems to be much beyond prosecuting crooks – it’s short-term capitalism and the need for laws that make a secure internet something a pure capitalistic organization would respect.

  8. …it would be interesting to know the back story that led him to JFK…

  9. Wow, what incredibly bad opsec, using that same old email for several things that reveal his actual name.

    And for the love of God, it takes a special type of stupid to run scams like this then travel to the US or any country with a good intelligence service that’s actively looking for you.

    • In my experience, very few criminals have good opsec. The ones who do invariably are true sociopaths.

      • Why is this the case though? Being “deeply” in the “computer field” they should clearly know the importance of opsec and privacy, especially when they’re wanted criminals doing things that they would prefer to keep hidden.

        Just seems strange everytime I read about on this blog/other blogs about how some re-use passwords, have critical security flaws in their malware, not keeping their websites up to date, stuff like that.

        Is it just because the ones who care about opsec we never hear about as they never get into legal trouble or their activity can’t be well mapped out with any obvious clues to who they are?

        • I think your last paragraph provides a good answer. Those that do get caught have often become complacent with the assumption that they are skilled enough to notice if they are being investigated, which is often not the case.

  10. Interesting article, Brian! I remember stumbling upon Deer.io during my Joker Stash recon a few years back. I had found out about the site via Telegram chats with some of the moderators of crdclub. I wonder who Markenstein is? Maybe that was Firsov?

  11. Brian,
    You failed to understand that the DEER.IO is a legitimate platform where everyone can create own shop. 24,000 is total number of ever created shops on this platform, it’s not a number of shops with stolen stuff.
    Not every shop was selling illegal stuff.
    Actually it was forbidden to sell stolen stuff there by agreement:
    https://deer.io/en/agreement/

    Please correct your article.

    • Thanks, Vovan. I understand that certain services which are illegal in Russia to sell (such as pornography) and the sale of hard drugs, credit cards and bank accounts were prohibited. Also, it appears the policy says the platform may remove or censure shops that are selling things that upset the Kremlin. I also noted this platform was popular for selling aged social media accounts, which may not be illegal per se, as you noted but which nevertheless enable a ton of abuse. Anyway, I will take your comment under advisement.

  12. Turns out that such platforms are very common in Russian web. A few examples from Google first page:
    leasestore.ru
    accfind.ru
    shopsn.su
    box-pay.ru
    twopay.ru
    lequestore.ru
    so on and so forth

  13. So next stop for law enforcement must be selly.gg – it sure sounds a lot like this website with hundreds and hundreds of shops selling hacked accounts for almost everything

  14. I was curious why the US government was knowledgeable about this individual and the various accounts he had created but did not take the time to monitor and prosecute possibly years ago say 2017 for example. This raises a major amount of questions regarding global surveillance of communications that the US has complete observational abilities yet they use it for military and financial purposes instead of protecting their tax paying citizens. The games people play..

  15. And how we know Deer. Io was legit not the scam?
    Now Days many rippers Can’t trust!

  16. So, he was running platform similar to Shopify? Some of his users were selling illegal stuff on their shops?

    Why FBI does not arrest Cloudflare’s CEO, service used by large number of illegal sites. Or for example CoinPayments?

    A year ago I sent email report to both Cloudflare and CoinPayments to report a booter. It’s still online, using both services.

  17. Their egos usually give them away.
    The real question is why he would travel to the USA?

    • This guy is not an idiot, if he travelled to US, means he didn’t feel guilty at all.
      I can’t say he is a bad person or I know any criminal activities after him.
      Obviously, he didn’t knew that he where doing something wrong for sure.
      I do understand the angle FBI coming from, but we should look at the case from both sides. If his platform been used to sell smth illegal, he should collaborate, release information about the suspects to law enforcement by their request. You can see his childish behavior from his Instagram, the guy travelled around the world, been excited US a lot … offering an entry visa to US after rejection and arresting in JFK looks a bit unfair.