June 27, 2020

A well-connected Russian hacker once described as “an asset of supreme importance” to Moscow was sentenced on Friday to nine years in a U.S. prison after pleading guilty to running a site that sold stolen payment card data, and to administering a highly secretive crime forum that counted among its members some of the most elite Russian cybercrooks.

Alexei Burkov, seated second from right, attends a hearing in Jerusalem in 2015. Photo: Andrei Shirokov / Tass via Getty Images.

Aleksei Burkov of St. Petersburg, Russia admitted to running CardPlanet, a site that sold more than 150,000 stolen credit card accounts, and to being a founder of DirectConnection — a closely guarded underground community that attracted some of the world’s most-wanted Russian hackers.

As KrebsOnSecurity noted in a November 2019 profile of Burkov’s hacker nickname ‘k0pa,’ “a deep dive into the various pseudonyms allegedly used by Burkov suggests this individual may be one of the most connected and skilled malicious hackers ever apprehended by U.S. authorities, and that the Russian government is probably concerned that he simply knows too much.”

Burkov was arrested in 2015 on an international warrant while visiting Israel, and over the ensuing four years the Russian government aggressively sought to keep him from being extradited to the United States.

When Israeli authorities turned down requests to send him back to Russia — supposedly to face separate hacking charges there — the Russians then imprisoned Israeli citizen Naama Issachar on trumped-up drug charges in a bid to trade prisoners. Nevertheless, Burkov was extradited to the United States in November 2019. Russian President Vladimir Putin pardoned Issachar in January 2020, just hours after Burkov pleaded guilty.

Arkady Bukh is a New York attorney who has represented a number of accused and convicted cybercriminals from Eastern Europe and Russia. Bukh said he suspects Burkov did not cooperate with Justice Department investigators apart from agreeing not to take the case to trial.

“Nine years is a huge sentence, and the government doesn’t give nine years to defendants who cooperate,” Bukh said. “Also, the time span [between Burkov’s guilty plea and sentencing] was very short.”

DirectConnection was something of a Who’s Who of major cybercriminals, and many of its most well-known members have likewise been extradited to and prosecuted by the United States. Those include Sergey “Fly” Vovnenko, who was sentenced to 41 months in prison for operating a botnet and stealing login and payment card data. Vovnenko also served as administrator of his own cybercrime forum, which he used in 2013 to carry out a plan to have Yours Truly framed for heroin possession.

As noted in last year’s profile of Burkov, an early and important member of DirectConnection was a hacker who went by the moniker “aqua” and ran the banking sub-forum on Burkov’s site. In December 2019, the FBI offered a $5 million bounty leading to the arrest and conviction of aqua, who’s been identified as Maksim Viktorovich Yakubets. The Justice Department says Yakubets/aqua ran a transnational cybercrime organization called “Evil Corp.” that stole roughly $100 million from victims.

In this 2011 screenshot of DirectConnection, we can see the nickname of “aqua,” who ran the “banking” sub-forum on DirectConnection. Aqua, a.k.a. Maksim V. Yakubets of Russia, now has a $5 million bounty on his head from the FBI.

According to a statement of facts in Burkov’s case, the author of the infamous SpyEye banking trojan — Aleksandr “Gribodemon” Panin — was personally vouched for by Burkov. Panin was sentenced in 2016 to more than nine years in prison.

Other top DirectConnection members include convicted credit card fraudsters Vladislav “Badb” Horohorin and Sergey “zo0mer” Kozerev, as well as the infamous spammer and botnet master Peter “Severa” Levashov.

Also on Friday, the Justice Department said it obtained a guilty plea from another top cybercrime forum boss — Sergey “Stells” Medvedev — who admitted to administering the Infraud forum. The government says Infraud, whose slogan was “In Fraud We Trust,” attracted more than 10,000 members and inflicted more than $568 million in actual losses from the sale of stolen identity information, payment card data and malware.

A copy of the 108-month judgment entered against Burkov is available here (PDF).


43 thoughts on “Russian Cybercrime Boss Burkov Gets 9 Years”

  1. The Sunshine State

    Since this guy was sentenced to nine years in the federal prison system for a “white collar crime” he will more than likely do it in a level one Club Fed institution.

    Anybody disagree with me?

    1. prison expert

      I do, given that he’s a foreigner he’s automatically excluded from any nice prisons per BOP guidelines.

    2. Mahhn

      I agree, this soft hand on criminals that drain people’s life’s work is little more than a slap on the wrist. It’s amazing everyone isn’t a cyber criminal. The pay out is still good even when you get caught. There is no deterrent for these scum. Now if they started losing digits or catching on fire, that would help steer people from crime. No wonder most governments are full of corrupt people.

      1. Joe

        I don’t see this as a “soft hand”. 9 years is pretty rough.

        I also agree that this is NOT a deterrent. But not because of the sentencing. It is because this arrest shows that there is still little to zero chance of being caught.

        Cyber criminals know what countries extradite and which do not. They see Burkov as an idiot who didn’t follow the simple rule of “don’t go to a country that extradites”. So this case is not a deterrent for crime.

    3. Shard

      No, I DO NOT agree. He is not a US citizen, therefore he is not eligible for camp. On top of that, he will be considered a “public safety factor”. He will more than likely be put in a medium security prison and maybe if he’s lucky work his way to a low, definitely never to a camp. High profile inmates tend to remain in medium security and he will also most likely be banned from having access to TRULINCS, the BOP’s (Bureau of Prisons) email system due to the severity of the charges of his crime.

  2. admin user

    He will share his elite skills with fellow inmates, but by the time he’s released his knowledge will be obsolete.

    1. S&N

      His technical skills might become obsolete but his management skills will remain intact.

    2. Joe

      What elite skills?
      Running an e-commerce website? He isn’t some notorious hacker. He’s a fence.

      He’s not so much Elliot Alderson, but rather the Prison guy, Ray.

  3. Dennis

    Haha. This one cracked me up. I guess if you register on the site whose motto is “In Fraud We Trust” – you might have a problem with your moral compass.

  4. Sam

    9 years is not enough of a sentence. Many of the businesses these people harm, spend as many years recovering from the damage, if they recover at all. Many people mistakenly believe only the Credit Card companies are harmed. This is true when card is in hand, but when a business makes a sale over the phone or internet, they do not enjoy the same protections and the fraud ultimately costs them even when they obtain an authorization and verify shipping address is same as CC billing address.

    1. Andar

      9 years is plenty, sexual assault cases are getting 6-7 years and released on probation after 5… system is broken

      1. Mahhn

        Both should get much more punishment. There are too many people in the world for such dredges on society to consume air.
        Too many crap solutions when .50 bullet would solve them permanently.

        1. Joe

          Go easy with the fascism there. We don’t need everyone to face a firing squad. We need a reasonable solution, not a draconian measure.

          1. Doubtist

            Fascism isn’t what he’s advocating, nor a firing squad.
            He’s saying 9 years isn’t enough for this level of crime.
            (By this measure Trump would only serve about 400-600 years.)

            Hardly enough for all the damages, too infrequent to deter.
            (Try to not over-exaggerate others’ positions, it’s weak.)

            I personally find this to be a slightly inadequate sentence.
            I’d say it’s around half of what I’d have expected for this.
            Then again, they’re just letting traitors like Flynn go now.
            I guess 9 is a lot considering.

            1. Mahhn

              Exactly. If any one of us lost 20-50 years of savings, hard work, sacrifices, just to have some slob take it all and only do 9 years to make up for your 20-50 of work. And to know the slob did that to thousands of people, without a scratch on him. You’d be disappointed in the lack of justice. It’s not like he accidentally killed someone, or robbed one person and made compensation. There is no compensation for the victims here.

              1. Joe

                That seems like a logical fallacy.

                This guy is a criminal, but he’s only the fence for stolen goods, when you are assuming he’s the alpha and omega of this crime syndicate.
                For each fraudulent transaction, there are other parties that are far more responsible.

                Just because you cannot reach the real criminals, doesn’t mean the one you caught gets sentenced for everyone else.

            2. Joe

              No, his words speak loudly.
              “There are too many people in the world for such dredges on society to consume air.
              Too many crap solutions when .50 bullet would solve them permanently.”

              It isn’t an over-exaggeration, because he mentioned “too many people… consuming air” and solving it with a very specific caliber of bullet.
              We can no longer just assume sarcasm or even exaggeration. It is a cop out to suggest someone “doesn’t mean what they say”.

              Do not minimize what someone says. There are a lot of people who think, feel and even act this way.
              The message is clear, and yes, it is fascist.

            3. Joe

              “Hardly enough for all the damages, too infrequent to deter.”

              I agree that this one conviction isn’t enough for all the damages. But we should remember that there are MANY other carders to blame. This guy runs the store… he’s a fence for stolen goods. Not saying he isn’t a criminal, but that presents a dilemma of justice. Do we punish a person more, for the crimes of others, just because we cannot bring those others to justice?

              And I’ve mentioned the deterrence factor before. There is pretty much ZERO Deterrence in this case, regardless of the sentence. Because for deterrence to work, there has to be a reasonable chance of getting caught. The other cyber criminals see this guy as an idiot who broke the very simple rule of staying away from countries who extradite.
              Deterrence has no effect on Russian cyber criminals who don’t travel to countries with extradition treaties. So even the death penalty won’t deter one bit.

            4. treFunny

              “Then again, they’re just letting traitors like Flynn go now.”

              Please tell me you are not that dumb… Flynn is far from a traitor… and they did not just let him go. FBI got caught trying to frame an innocent man and then pushed him to a guilty plea by threatening his son. If what they tried to do to Flynn doesn’t scare the poo out of you… well good luck. I’m sure Lisa and Peter were the best of the best and fired for no reason at all…

              Please research topics vs just spitting Washington Post level garbage with nothing to back it besides hate for anyone not on the right.

              1. Frank

                You’re just spitting Breitbart level garbage now.
                “Innocent man”?? Who is that supposed to be?

                Flynn is just another part of the new swamp that Trump brought in. If it was a single indictment, then maybe you’ll have a point. But there was a LOT of corruption revealed. Anyone who was cringing at Bill and Hillary should be vomiting at Trump’s level of corruption. And many good conservative Republicans are.

            5. Joe

              “Fascism isn’t what he’s advocating, nor a firing squad.”

              He did bring it up specifically.
              “Too many crap solutions when .50 bullet would solve them permanently.”

              We cannot really assume he’s exaggerating. He said,
              “There are too many people in the world for such dredges on society to consume air.”

              We can no longer ignore people’s words as “jokes”. Fascism is alive and well. People truly believe this stuff. The anonymity of the internet allows them to express it everywhere. And only after they are challenged, do some of them deny and claim they were “joking”.

              1. Doubtist

                I didn’t take that part seriously, I took that as frustrated bluster.
                Nobody is going to the firing squad here. It’s not realistic.
                Advocating for unrealistic outcomes I see as just frustration.
                Of course if people did go to the firing squad for minor crimes,
                that kind of attitude in support would be less understandable.
                But they don’t. They get slaps on the wrist more than not.

                The part I took seriously is that 9 years for this isn’t a lot, the OP.
                Running the ‘fraud store’ entails many instances of fraud.
                He facilitated and was a party to many more crimes than otherwise. He had nation-state backing for it too. That adds.
                Or it should anyhow if we’re going to be serious in deterring.

                Finally, Flynn is a traitor and there’s no question he violated the Hatch Act at the very least, pleaded guilty to lying and is in fact guilty of a lot more than that regardless of how much time he actually ends up serving – he will never be anything more than a self-serving traitor to the US military and nation. The point of mentioning him was the extraordinary length this AG will go to in defending criminals connected to Trump’s Russian cabalist allies.

                1. Joe

                  I can understand if it’s bluster, but can also understand that an anonymous forum does have a lot of people who truly believe this stuff, and some who would be so “frustrated” that the government isn’t punishing crime hard enough, they are willing to take their perception of justice into their own hands.

                  I agree that multiple counts are at play, since being a fence (running the fraud store) does place some of the responsibility for each crime, in his lap. But most of the time, multiple counts don’t run concurrently. Especially in cases where it’s not practical for the accused to differentiate each individual crime.
                  You set up the store for automation, go to sleep, and by morning X number of transactions took place. How many counts should that be?

                  Nation state backing isn’t really something our justice system is set up to prosecute individuals for. Could you imagine if people were convicted for the crimes of their state?

                  Again, as I wrote before, deterrence doesn’t work here. It doesn’t have any effect on people unless there is a tangible fear/chance of getting caught. With no extradition, the only deterrence is against traveling to places that extradite. There is no deterrence against the actual crime.

  5. Slim Jim

    I wonder where “his” money is stashed.

    1. G2134

      Crypto would be my guess. In 9 yrs he may be 10x+ times richer without doing anything.

  6. Richard Stein

    The Internet enables grifters, parasites of the surveillance economy’s ecosystem.

    Commercial and public service organizations remain extremely vulnerable to cybercrime, inadequately prepared to confront and counter this persistent white collar crime wave. A wave sourced by ethically specious organizational governance that under-invests in hardening digital hygiene and strengthened privacy management practices. This is the surveillance economy at work.

    The apps that feed profiles with each keystroke and click feed digital repositories, the honeypots stoking criminal trade.

    A handful of prosecuted and imprisoned thieves will not quench a deviant thirst thriving on breached payload, ransom/malware assault, phishing, id theft, and marks – surveillance economy customers.

    Justice was served in the cases Mr. Keebs documents, but do the lessons taught by these convictions resonate among legitimate business interests? Where’s the outrage from persistent Internet theft enabled by businesses that license public data capture exploited for profit at privacy’s expense? A crime wave unsurpassed in scope.

    1. richard stein

      Brian — I mistyped your last name in the last paragraph. Sorry.

  7. Yuri

    Just one question Brian – when is your website going to be mobile-readable? Seriously, it is the 21st century already 🙂

    1. Iruy

      Able to browse with my phone… what you mean?

    2. Dean

      Haha, I always wonder why a techie like him never cared for a modern design of this great security website.

      Am just curious to know why Brian.

  8. Clyde Tolson

    In another FBI case, you reported that Hieu Ngo got a 13 year sentence and cooperated so drawing a link to 9 years and cooperation seems like faulty logic… the FBI guys are doing a greed job getting these guys though.

    1. Clyde tolson

      Great not greed job by FBI. Lol though

    2. BrianKrebs Post author

      Ngo’s case was not the FBI but the Secret Service. But the one thing that lends credence to Mr. Bukh’s suspicions here about the supposed lack of cooperation is the temporal element of the case.

      Ngo gave considerable help to the Secret Service over many years, and his period of confinement before sentencing was significant as well. If a defendant is going to cooperate with the government in a cybercrime case like this, that generally means they are not only going to point fingers, but also get their hands dirty once again — possibly by going back on the forums, helping to set up new ones, or just lure other important players into the grasp of investigators. This takes time. It certainly doesn’t happen in the span of a few months.

      1. Jonathan Marcus

        Would “getting his hands dirty” have been possible for Burkov, given the very public nature of his arrest and extradition?

        Also, I wonder what might be the motivation for pleading guilty but then not cooperating? Maybe he changed his mind? Under pressure from Russian intelligence/security services?

        1. BrianKrebs Post author

          Yes of course it would have been possible. But again, these things tend to take much more time than the few months between his extradition, guilty plea and sentencing.

          A plea deal doesn’t mean cooperation. Pleading guilty saves the government a lot of time, money and hassle. Defendants are typically offered a few points or time reductions in their sentence just by conceding that they are guilty as charged.

  9. Kbarb

    Brian,

    What generally happens to the money these criminals have made?
    Is it confiscated or forfeited somehow?
    Something else?

    1. Mahhn

      I “hope” someone has a better answer, but I’ll wager it goes to lawyers, court cost, some general fund politicians dip into, and a tiny bit into funding the dept that made the bust. But the victims are unlikely to get a penny back.

      1. Joe

        It’s hard to trace the money that was lost, to exactly who inevitably paid. Most of the time with credit card fraud, the customer does NOT pay the fraudulent charges. And neither does the bank. The insurance pays out, and it may or may not result in increased premiums.
        Does FDIC come into play for the US fraud transactions?

        It is $568 million in losses that may ultimately get distributed globally. We don’t really know how the losses are spread out.

        I am sure if there were direct losses that those companies or individuals would have to file a claim and could get that as part of a settlement.

  10. Mike

    He’ll be traded for Paul H. Whelan in the next 3 months. That’s the only reason he pleaded guilty, he knew it was short term.

  11. Jobani

    Nine years is too lenient a sentence. The current US justice system makes me wish there were a real life Dexter doing his handiwork. Wishful thinking.

    1. Joe

      US Justice is indeed flawed. But vigilantism is no better.
      Advocating for murder is like lynchings, assuming the “people/mob” have a better sense of justice than judges.

      1. Annie Amous

        Joe,
        Thank you for addressing the dehumanizing language at this site. Human rights are for all humans, including the horrible ones. And the right not to be killed is the most basic.

        Thank you.
