September 1, 2021

Over the past 15 years, a cybercrime anonymity service known as VIP72 has enabled countless fraudsters to mask their true location online by routing their traffic through millions of malware-infected systems. But roughly two weeks ago, VIP72’s online storefront — which ironically enough has remained at the same U.S.-based Internet address for more than a decade — simply vanished.

Like other anonymity networks marketed largely on cybercrime forums online, VIP72 routes its customers’ traffic through computers that have been hacked and seeded with malicious software. Using services like VIP72, customers can select network nodes in virtually any country, and relay their traffic while hiding behind some unwitting victim’s Internet address.

The domain Vip72[.]org was originally registered in 2006 to “Corpse,” the handle adopted by a Russian-speaking hacker who gained infamy several years prior for creating and selling an extremely sophisticated online banking trojan called A311 Death, a.k.a. “Haxdoor,” and “Nuclear Grabber.” Haxdoor was way ahead of its time in many respects, and it was used in multiple million-dollar cyberheists long before multi million-dollar cyberheists became daily front page news.

An ad circa 2005 for A311 Death, a powerful banking trojan authored by “Corpse,” the administrator of the early Russian hacking clique Prodexteam. Image: Google Translate via Archive.org.

Between 2003 and 2006, Corpse focused on selling and supporting his Haxdoor malware. Emerging in 2006, VIP72 was clearly one of his side hustles that turned into a reliable moneymaker for many years to come. And it stands to reason that VIP72 was launched with the help of systems already infected with Corpse’s trojan malware.

The first mention of VIP72 in the cybercrime underground came in 2006 when someone using the handle “Revive” advertised the service on Exploit, a Russian language hacking forum. Revive established a sales presence for VIP72 on multiple other forums, and the contact details and messages shared privately by that user with other forum members show Corpse and Revive are one and the same.

When asked in 2006 whether the software that powered VIP72 was based on his Corpse software, Revive replied that “it works on the new Corpse software, specially written for our service.”

One denizen of a Russian language crime forum who complained about the unexplained closure of VIP72 last month said they noticed a change in the site’s domain name infrastructure just prior to the service’s disappearance. But that claim could not be verified, as there simply are no signs that any of that infrastructure changed prior to VIP72’s demise.

In fact, until mid-August VIP72’s main home page and supporting infrastructure had remained at the same U.S.-based Internet address for more than a decade — a remarkable achievement for such a high-profile cybercrime service.

Cybercrime forums in multiple languages are littered with tutorials about how to use VIP72 to hide one’s location while engaging in financial fraud. From examining some of those tutorials, it is clear that VIP72 is quite popular among cybercriminals who engage in “credential stuffing” — taking lists of usernames and passwords stolen from one site and testing how many of those credentials work at other sites.

Corpse/Revive also long operated an extremely popular service called check2ip[.]com, which promised customers the ability to quickly tell whether a given Internet address is flagged by any security companies as malicious or spammy.

Hosted on the same Internet address as VIP72 for the past decade until mid-August 2021, Check2IP also advertised the ability to let customers detect “DNS leaks,” instances where configuration errors can expose the true Internet address of hidden cybercrime infrastructure and services online.

Check2IP is so popular that it has become a verbal shorthand for basic due diligence in certain cybercrime communities. Also, Check2IP has been incorporated into a variety of cybercrime services online — but especially those involved in mass-mailing malicious and phishous email messages.

Check2IP, an IP reputation service that told visitors whether their Internet address was flagged in any spam or malware block lists.

It remains unclear what happened to VIP72; users report that the anonymity network is still functioning even though the service’s website has been gone for two weeks. That makes sense since the infected systems that get resold through VIP72 are still infected and will happily continue to forward traffic so long as they remain infected. Perhaps the domain was seized in a law enforcement operation.

But it could be that the service simply decided to stop accepting new customers because it had trouble competing with an influx of newer, more sophisticated criminal proxy services, as well as with the rise of “bulletproof” residential proxy networks. For most of its existence until recently, VIP72 normally had several hundred thousand compromised systems available for rent. By the time its website vanished last month, that number had dwindled to fewer than 25,000 systems globally.


21 thoughts on “15-Year-Old Malware Proxy Network VIP72 Goes Dark”

  1. The Sunshine State

    The domain name is definitely D.O.A. without any type of hosting. The Registry Expiry Date is on 2022-07-11, so you know it will be sold on the dark web for a good chunk of money.

  2. Reip

    Law enforcement let it go that long; why now? US-based hosting? IDGI.

  3. Quid

    Perhaps the feds had already taken it over some time ago and were using it for monitoring its users’ activity and at some point decided there was less value in doing so than just shutting it down.

    1. haha these niggaz

      that’s not farfetched, but you still sound ridiculous if i do say so….

    1. Anon

      Nope, TOR exit nodes are easy to identify, and it is easy to detect that it’s TOR. If you need to hide from different detection systems, TOR is not an option.

  4. Enquiring

    Any chance it was based in Afghanistan? Or is the timing just coincidence?

  5. rapidfs

    A really good post, very thankful and hopeful that you will write many more posts like this one.

  6. Anon

    Imagine that it just vanished; it’s nothing new in the computer science field of study and among developers around the world who are unethical hackers. People just don’t rob the bank like they used to. It seems a pity, but a cybercriminal doesn’t need guns or hard drugs to fill their pockets. They work like you and me, probably took a long time in learning computer science and computations, having the best expectations, then finally life hits them. Why work for the bank when you can just hijack their system and use people’s information and make billions? Trust me, it was too late before 2001. I honestly believe billionaires have at one point committed a cybercrime. No way the government in control of technology has the military capabilities to stop proxies, or cybercriminals, at least the smart ones who are always on the move. Call Ghostbusters if you ask me.

    1. Go1234

      No, it’s a fake page.
      Vip72 moved to sellvip72.com and notifies about maintenance again and about fake page addresses.

      1. BrianKrebs Post author

        Incorrect. Sellvip only lets people use already-registered VIP72 accounts. You can’t create an account through them. They are unrelated as far as I can tell.

  7. Reply to peter

    Message to Author:

    Where did you find the domain seizure information ?!

    Thanks

  8. Go1234

    Currently the socks client doesn’t work.
    The VPN client works from time to time.
    Sellvip72 added a link to their Facebook page, but the admin doesn’t reply about what happened with the service.

  9. BigBootyonMyBIGknuckleHEAD

    No doubt I will miss Vip72 to conduct myy biiiiiiiiiiiiiizeness. I’m indeed sad, as it’s hard to find real services that provide actual non-blacklisted residential IPs … at least where I’m from. Used to log in to routers and change DNS…. oh, the good days. Oh well. At least a few folks are still keeping their old Motorola and Hitron ahahahahaha.
