March 26, 2020

Federal investigators in Russia have charged at least 25 people accused of operating a sprawling international credit card theft ring. Cybersecurity experts say the raid included the charging of a major carding kingpin thought to be tied to dozens of carding shops and to some of the bigger data breaches targeting western retailers over the past decade.

In a statement released this week, the Russian Federal Security Service (FSB) said 25 individuals were charged with circulating illegal means of payment in connection with some 90 websites that sold stolen credit card data.

A still image from a video of the raids released by the Russian FSB this week shows stacks of hundred dollar bills and cash counting machines seized at a residence of one of the accused.

The FSB has not released a list of those apprehended, but the agency’s statement came several days after details of the raids were first leaked on the LiveJournal blog of cybersecurity blogger Andrey Sporov. The post claimed that among those apprehended was the infamous cybercriminal Alexey Stroganov, who goes by the hacker names “Flint” and “Flint24.”

According to cyber intelligence firm Intel 471, Stroganov has been a long-standing member of major underground forums since at least 2001. In 2006, Stroganov and an associate Gerasim Selivanov (a.k.a. “Gabrik“) were sentenced to six years of confinement in Russia, but were set free just two years into their sentence. Intel 471 says Selivanov also was charged along with Stroganov in this past week’s law enforcement action.

“Our continuous monitoring of underground activity revealed despite the conviction, Flint24 never left the cybercrime scene,” reads an analysis penned by Intel 471.

“You can draw your own conclusions [about why he was released early],” Sporaw wrote, suggesting that perhaps the accused bribed someone to get out of jail before his sentence was up.

Flint is among the biggest players in the crowded underground market for stolen credit card data, according to a U.S. law enforcement source who asked to remain anonymous because he was not authorized to speak to the media. The source described Flint’s role as that of a wholesaler of credit card data stolen in some of the biggest breaches at major Western retailers.

“He moved hundreds of millions of dollars through BTC-e,” the source said, referring to a cryptocurrency exchange that was seized by U.S. authorities in 2017. “Flint had a piece of almost every major hack because in many cases it was his guys doing it. Whether or not his marketplaces sold it, his crew had a role in a lot of the big breaches over the last ten years.”

Intel 471’s analysis seemed to support that conclusion, noting that Flint worked closely with other major carding shops that were not his, and that he associated with a number of cybercrooks who regularly bought stolen credit cards in batches of 100,000 pieces at once.

Top denizens of several cybercrime forums who’ve been tracking the raids posited that Stroganov and others were busted because they had a habit of violating the golden rule for criminal hackers residing in Russia or in a former Soviet country: Don’t target your own country’s people and/or banks.

A longtime moderator of perhaps the cybercrime underground’s most venerated Russian hacking forum posted a list of more than 40 carding sites thought to be tied to the group’s operations that are no longer online. Among them is MrWhite[.]biz, a carding site whose slick video ads were profiled in a KrebsOnSecurity post last year.

A snippet from a promotional video from the carding/dumps shop MrWhite.

KNOW YOUR FRAUDSTER

Nearly all of the carding sites allegedly tied to this law enforcement action — including those with such catchy names as BingoDumps, DumpsKindgom, GoldenDumps, HoneyMoney and HustleBank — were united by a common innovation designed to win loyalty among cybercriminals who buy stolen cards or “dumps” in bulk: Namely, a system that allowed buyers to get instant refunds on “bad” stolen cards without having to first prove that the cards were canceled by the issuing bank before they could be used for fraud.

Most carding sites will offer customers a form of buyer’s insurance known as a “checker,” which is an automated, à la carte service customers can use after purchasing cards to validate whether the cards they just bought are still active.

These checking services are tied to “moneyback” guarantees that will automatically refund the purchase price for any cards found to be invalid shortly after the cards are bought (usually a window of a few minutes up to a few hours), provided the buyer agrees to pay an added fee of a few cents per card to use the shop’s own checking service.

But many cybercrooks have long suspected some checkers at the more popular carding sites routinely give inaccurate results that favor the card shop (i.e., intentionally flagging some percentage of inactive cards as valid). So, the innovation that Flint’s gang came up with was a policy called “Trust Your Client” or “TYC,” which appears to be a sly dig on the banking industry’s “know your customer” or KYC rules to help fight fraud and money laundering.

With TYC, if a customer claimed a card they bought was declined for fraudulent transaction attempts made within six hours of purchase, the carding shop would refund the price of that card — no questions asked. However, it seems likely these shops that observed TYC ran their own checkers on the back-end to protect themselves against dishonest customers.

An ad for the “Trust Your Client” or TYC policy observed by virtually all of the carding shops taken down in this past week’s Russian law enforcement operation.

Want to learn more about how carding shops work and all the lingo that comes with them? Check out my behind-the-scenes profile of one major fraud store — Peek Inside a Professional Carding Shop.


36 thoughts on “Russians Shut Down Huge Card Fraud Ring

  1. rip

    Must have stepped into the territory controlled by putin and his oligarch friends.

    1. KFritz

      That’s amazing. As stupid as it is to be arrested in Kennedy Airport (Firsov), it’s more obviously stupid to prey on Russians or annoy Putin & Co (LLC). Only time will tell if it’s more dangerous.

      1. InterCity

        Getting arrested at JFK can only land you in jail, whereas messing with the tzar and his friends makes jail the least of your problems. Go figure.

    2. Darryl

      Lol me too. They all seem to operate from the USSR and generally with impunity. I always wondered if they actually involved the government, or at a minimum paid some sort of informal tax.

      1. SeymourB

        Bribery is the name of the game. You run a racket, the cops come knocking, you pay them off, their supervisors come knocking, you pay them off, the prosecutors come knocking, you pay them off, and on and on and on it goes with politicians and law enforcement and organized crime all getting their share. Arrest usually is a shakedown for additional funds from whatever group is arresting you. Used to be the golden rule was to never target your fellow citizens but in the past few years it sounds like if the bribes are big enough to big enough people that even that’s okay.

        Sad thing is I get the impression from some of my Russian friends that their countrymen think this is how it works everywhere. That their relatives (my friends) who left Russia are simply indoctrinated and/or lying to them.

        When all you’ve ever lived in is a fishbowl, it can make you think the entire world is that fishbowl.

        1. Peter J.

          +1 for “When all you’ve ever lived in is a fishbowl, it can make you think the entire world is that fishbowl.”
          Going to have to remember that one, thank you.

      2. Kent Brockman

        “They all seem to operate from the USSR and generally with impunity. ”

        USSR?? Only if they have access to a time machine. Oy vey!

        1. John Eight Thirty-Two

          You don’t know how lucky you are, boys!

    3. Bundy

      Or it could be that Putin and his oligarchs saw how much money these guys were making and decided that it’s time for a change in ownership, and one of Putin’s lackeys will now be in charge of this operation.

  2. The Sunshine State

    I think the scammers in India use the same type of credit card checking system .

  3. Dan

    This is an interesting topic. An website I own and manage, which accepts payments for digital goods, recently got targeted by a ‘checker’ due to our naive implementation of stripe.com’s payments API allowing payment attempts to be ‘replayed’ with different card details.

    The vast majority of the approximately 40,000 cards that got run through our merchant account were never actually tested against the issuing banks, because Stripe’s own fraud detection AI kicked in and blocked them. And, fortunately, I’m in the habit of checking all my online service dashboards daily, so I noticed the activity within 24 hours of it starting and was able to start work on mitigation immediately.

    I reached out to an email address used by the ‘checker’ transactions and started a conversation with the guy running it, who helped me test our site by re-running card check batches until we’d finished refining our logic around the Stripe API to successfully block the activity. He was in the Philippines (and he had terrible opsec – as a result of the conversation, I have his home internet connection’s IP address and his mobile number!) and I did not get the impression he actually developed the checker himself.

    The checker seemed like a sophisticated bit of software, with transaction attempts coming at our website at a rate of dozens per second from a couple hundred different IPs around the world (most of which had Russian owner info, but geolocated to the US and EU) and, for instance, immediately switching to a mode where each successive transaction would come from a new IP, rather than in blocks from one IP at a time, as soon as we introduced rate-limiting logic on IPs and payments.

    Last but not least, Stripe themselves paid all the transaction fees for the fraudulent payments that did successfully get through (which of course I immediately refunded). GG Stripe.

  4. Gary

    Everyone should use email alerts for all credit cards. Even as low as a one dollar purchase. This way you get to dispute false charges immediately. I set up an audible alert on a separate email account for this purpose.

    1. RO

      The issuing bank for my main credit card (Bank of America) has in its app near real time notifications for credit card activity in selectable categories, including online/card not present.

      I just caught a bogus charge last week with that feature.

    2. Real Mccoy

      For the most part fraud alerting is crucial. However, if your card is a MasterCard they can perform an “AS” transaction which stands for Account Status. MasterCard made a transaction which is an auth of an auth and is invisible to customers. Criminals target this all the time.

  5. JCitizen

    Quite frankly, I’m surprised ANY Russian carder or otherwise network cracker, gets any jail time in Russia; but tw0 years, is about what the average US criminal gets on charges like that as well don’t they? I’m sure the FSB probably loves trading off jail time for government spy craft, anytime they can do it. I hope the culprits in this ring rot in jail, though – they deserve it.

  6. Steve

    Sounds to me like the FSB’s recruitment program in action. They need more people to grow that massive botnet to use against the US and others.

  7. David Union

    My bank account was hacked on the 5th May last year. I had the well-known (in the UK) TV licence fraud email so I didn’t click on their link. My bank confirmed that I didn’t do that but they still have no idea how the hacker by-passed their two stage security wall. (Or perhaps they’re just not telling me.)

    My details were obviously sold on the dark web because (1) I get one fraud phone call every week (easy to deal with, using my call blocker) and 2 or 3 fraud emails a week. Again easy to spot but the outlook.com email blocker isn’t working – Microsoft’s team is still trying to resolve that.
    What concerns me is that Microsoft told me that there was no need for me to changes my email address. Were they right?

    1. Francis Ford Crapola

      “My details were obviously sold on the dark web because (1) I get one fraud phone call every week (easy to deal with, using my call blocker) and 2 or 3 fraud emails a week.”

      This is not evidence of your actual “details” being sold, really at all.
      This is evidence that your email and phone number are spammable.
      They are probably unrelated.

      “What concerns me is that Microsoft told me that there was no need for me to changes my email address. Were they right?”

      Yes. But do what you want.

    2. twocents

      I don’t know any technical person who uses a microsoft email address (outlook.com or hotmail.com etc.).

      Though gmail has its privacy issues, you can run its Privacy Checkup after creating an account spend 15 – 20 minutes turning off or “pausing” and deleting the labyrinth of auto-opt-ins; keep looking even if it seems their are only 3 or 4 settings; there are more).

      Gmail last year claims to have notified something like 80k users about state-sponsored attempts to break into their accounts.

      Gmail’s 2-step verification allows use of a
      – Yubi USB key (about $40 but DON’T use Google’s own crap key)
      – the Google Authenticator app and
      – paper backup one-time codes (keep one in a safe and maybe a copy without your email address on it in your wallet)

      Two people I know (a client and a relative) using gmail before they listened to me and turned on 2-step once logged into their respective gmail accounts and saw a banner across the page that someone in a distant U.S. state had logged into their account and the other person saw a banner that a nation state tried to get in. Then they finally listened to me and enabled 2-step verification. One was over 70, the other under 30.

      You can remove your phone number as a backup method in order to avoid SIM card attacks (hijacking your phone number in order to get your 2-step codes), but don’t do this unless you have THREE OTHER methods to get the codes. Two isn’t enough, as I know people who lost their only two methods for extended periods.

      Proton mail is also popular for perhaps secured email. It didn’t allow 2-step at first I think because it focused on anonymity more than security, but it’s offered 2-step for awhile. It’s claim of being more secure because it’s in Switzerland, etc., though, seems hard to prove and may just be marketing. Its free mailbox is pretty small, I think a half a gig.

      Anyway, I wouldn’t trust any Microsoft product or service. A few Office365 accounts under my purview switched to G-Suite, but I still have a few people using Office365 (ugh). Some big G-Suite accounts not under my purview switched to Office365, and I suspect MS paid them because they’re so high profile.

      Yahoo is almost certainly still a disaster, even with its 2-step verification. For several years right up to and maybe continuing after Verizon bought them, hackers just roamed around in the system, taking something like 2.5 Billion user credentials. The new owner,Verizon, isn’t exactly known as a security powerhouse.

      For all gmail accounts, try not to authorize any outside service, e.g., Zoom, to use your Google sign-in (a la FaceBook’s sign-in service).

      Also, if you’re a journalist or politician, gmail offers 3-step verification. I wanted to try it for some clients but couldn’t because it required proof of my profession.

      None of my clients using 2-step verification with gmail or any other email service for that matter have been hacked. But, oh my, without 2-step, all year long for years it was hacking galore, often from simple reuse attacks. Nowadays 99.9% of my clients use 2-step verification.

      SUMMARY
      Turn on 2-step verification!

      Never yahoo, avoid microsoft.

      Gmail’s fine but scour the Privacy Check settings; never use your gmail to authorize logins at 3rd-party sites.

    3. JCitizen

      I simply set my filter to the highest setting(exclusive) on Outlook, and all that goes to the junk folder.

  8. Issak Newton

    So many years writing about Russian hackers and still… Silivanon in 2 places.

  9. AJ De Vido

    I am so tired of governments reacting 10 years late to every incident and problem. Even Russia needs to have some tougher enforcement methods. What happened to a good action scene with Carmina Burana playing soundtrack? Putin’s Chef could serve pork chops and livestream the activity.

  10. Jeff Strubberg

    Brian;

    I’ve been working recently with a vendor to produce some synthetic data for us to use in testing and training environments. It got me to thinking…

    Like any other business, these fraudsters rely on a certain percentage of good transactions to make their operations work. What if we seed synthetic card and cardholder data into their operation, either directly or with honeypots set up with deliberately weak security?

    Watering down their profits ought to drive them out of business, no?

    1. BrianKrebs Post author

      It’s a nice idea in theory, but in practice it would be hard. These guys are either stealing the cards themselves or they get them from trusted vendors who steal them. They’re not going to allow just anyone to feed them cards.

      1. Larry the tech wannabe

        The bad guys always seem fairly smart!

        1. Rube Goldberg's Razor

          “We have guided missiles and misguided men.” ~ MLK

  11. Old school

    Back in days when I was Young…
    The real carding forums like omerta…
    The Good cvv shops like… Ccstore. Ru cvv with DOB

    And best payment processor like Liberty reserv.
    Ouu… What the Nice days Good memories

  12. Ruru

    Interesting detail, this anonymous comment in the blog post:
    https://sporaw.livejournal.com/678535.html?thread=16457095#t16457095
    Seems to imply that this happened because of the recent government shake up in Russia. Presumably this group of crooks had somebody who was protecting them in the old (Medvedev) government. But now that the old government has been replaced, they are no longer untouchable and thus arrests began.
    Disclaimer: I have no inside info on this whatsoever, I just find this topic interesting and my native language is Russian, so I went and read the sources and comments. Personally I find that anonymous comment somewhat plausible.

  13. John S. McDonald

    I thought that the Russian government encouraged that sort of thing, as long as the victims were from other countries.

  14. Jeff G

    It will be interesting to see whether with the near stand-still state of the world-wide economy whether scam related transactions will be more easily detected. I can’t see how scamming would be slowed by having everyone on lock-down — if anything, one could guess that their activity would pick up due to having more at-home targets.

    A target rich environment if you will…

  15. Ajay Khanna

    Hlo sir , 1dollardumps.com & antigreedy.bazar site how open this site is not open plz help and I can do work

Comments are closed.