May 4, 2023

The U.S. government this week put a $10 million bounty on a Russian man who for the past 18 years operated Try2Check, one of the cybercrime underground’s most trusted services for checking the validity of stolen credit card data. U.S. authorities say 43-year-old Denis Kulkov‘s card-checking service made him at least $18 million, which he used to buy a Ferrari, Land Rover, and other luxury items.

Denis Kulkov, a.k.a. “Nordex,” in his Ferrari. Image: USDOJ.

Launched in 2005, Try2Check soon was processing more than a million card-checking transactions per month — charging 20 cents per transaction. Cybercriminals turned to services like this after purchasing stolen credit card data from an underground shop, with an eye toward minimizing the number of cards that are inactive by the time they are put to criminal use.

Try2Check was so reliable that it eventually became the official card-checking service for some of the underground’s most bustling crime bazaars, including Vault Market, Unicc, and Joker’s Stash. Customers of these carding shops who chose to use the shop’s built-in (but a-la-carte) card checking service from Try2Check could expect automatic refunds on any cards that were found to be inactive or canceled at the time of purchase.

Many established stolen card shops will allow customers to request refunds on dead cards based on official reports from trusted third-party checking services. But in general, the bigger shops have steered customers toward using their own white-labeled version of the Try2Check service — primarily to help minimize disputes over canceled cards.

On Wednesday, May 3, Try2Check’s websites were replaced with a domain seizure notice from the U.S. Secret Service and U.S. Department of Justice, as prosecutors in the Eastern District of New York unsealed an indictment and search warrant naming Denis Gennadievich Kulkov of Samara, Russia as the proprietor.

Try2Check’s login pages have been replaced with a seizure notice from U.S. law enforcement.

At the same time, the U.S. Department of State issued a $10 million reward for information leading to the arrest or conviction of Kulkov. In November 2021, the State Department began offering up to to $10 million for the name or location of any key leaders of REvil, a major Russian ransomware gang.

As noted in the Secret Service’s criminal complaint (PDF), the Try2Check service was first advertised on the closely-guarded Russian cybercrime forum Mazafaka, by someone using the handle “KreenJo.” That handle used the same ICQ instant messenger account number (555724) as a Mazafaka denizen named “Nordex.”

In February 2005, Nordex posted to Mazafaka that he was in the market for hacked bank accounts, and offered 50 percent of the take. He asked interested partners to contact him at the ICQ number 228427661 or at the email address polkas@bk.ru. As the government noted in its search warrant, Nordex exchanged messages with forum users at the time identifying himself as a then-24-year-old “Denis” from Samara, RU.

In 2017, U.S. law enforcement seized the cryptocurrency exchange BTC-e, and the Secret Service said those records show that a Denis Kulkov from Samara supplied the username “Nordexin,” email address nordexin@ya.ru, and an address in Samara.

Investigators had already found Instagram accounts where Kulkov posted pictures of his Ferrari and his family. Authorities were able to identify that Kulkov had an iCloud account tied to the address nordexin@icloud.com, and upon subpoenaing that found passport photos of Kulkov, and well as more photos of his family and pricey cars.

Like many other top cybercriminals based in Russia or in countries with favorable relations to the Kremlin, the proprietor of Try2Check was not particularly difficult to link to a real-life identity. In Kulkov’s case, it no doubt was critical to U.S. investigators that they had access to a wealth of personal information tied to a cryptocurrency exchange Kulkov had used.

However, the link between Kulkov and Try2Check can be made — ironically — based on records that have been plundered by hackers and published online over the years — including Russian email services, Russian government records, and hacked cybercrime forums.

NORDEX

Kulkov posing with his passport, in a photo authorities obtained by subpoenaing his iCloud account.

According to cybersecurity firm Constella Intelligence, the address polkas@bk.ru was used to register an account with the username “Nordex” at bankir[.]com, a now defunct news website that was almost standard reading for Russian speakers interested in news about various Russian financial markets.

Nordex appears to have been a finance nerd. In his early days on the forums, Nordex posted several long threads on his views about the Russian stock market and mutual fund investments.

That Bankir account was registered from the Internet address 193.27.237.66 in Samara, Russia, and included Nordex’s date of birth as April 8, 1980, as well as their ICQ number (228427661).

Cyber intelligence firm Intel 471 found that Internet address also was used to register the account “Nordex” on the Russian hacking forum Exploit back in 2006.

Constella tracked another Bankir[.]com account created from that same Internet address under the username “Polkas.” This account had the same date of birth as Nordex, but a different email address: nordia@yandex.ru. This and other “nordia@” emails shared a password: “anna59.”

NORDIA

Nordia@yandex.ru shares several passwords with nordia@list.ru, which Constella says was used to create an account at a religious website for an Anna Kulikova from Samara. At the Russian home furnishing store Westwing.ru, Ms. Kulikova listed her full name as Anna Vnrhoturkina Kulikova, and her address as 29 Kommunistrecheskya St., Apt. 110.

A search on that address in Constella brings up a record for an Anna Denis Vnrhoturkina Kulkov, and the phone number 879608229389.

Russian vehicle registration records have also been hacked and leaked online over the years. Those records show that Anna’s Apt 110 address is tied to a Denis Gennadyvich Kulkov, born April 8, 1980.

The vehicle Kolkov registered in 2015 at that address was a 2010 Ferrari Italia, with the license plate number K022YB190. The phone number associated with this record — 79608229389 — is exactly like Anna’s, only minus the (mis?)leading “8”. That number also is tied to a now-defunct Facebook account, and to the email addresses nordexin@ya.ru and nordexin@icloud.com.

Kulkov’s Ferrari has been photographed numerous times over the years by Russian car aficionados, including this one with the driver’s face redacted by the photographer:

The Ferrari owned by Denis Kulkov, spotted in Moscow in 2016. Image: Migalki.net.

As the title of this story suggests, the hard part for Western law enforcement isn’t identifying the Russian cybercriminals who are major players in the scene. Rather, it’s finding creative ways to capture high-value suspects if and when they do leave the protection that Russia generally extends to domestic cybercriminals within its borders who do not also harm Russian companies or consumers, or interfere with state interests.

But Russia’s war against Ukraine has caused major fault lines to appear in the cybercrime underground: Cybercriminal syndicates that previously straddled Russia and Ukraine with ease were forced to reevaluate many comrades who were suddenly working for The Other Side.

Many cybercriminals who operated with impunity from Russia and Ukraine prior to the war chose to flee those countries following the invasion, presenting international law enforcement agencies with rare opportunities to catch most-wanted cybercrooks. One of those was Mark Sokolovsky, a 26-year-old Ukrainian man who operated the popular “Raccoon” malware-as-a-service offering; Sokolovsky was apprehended in March 2022 after fleeing Ukraine’s mandatory military service orders.

Also nabbed on the lam last year was Vyacheslav “Tank” Penchukov, a senior Ukrainian member of a transnational cybercrime group that stole tens of millions of dollars over nearly a decade from countless hacked businesses. Penchukov was arrested after leaving Ukraine to meet up with his wife in Switzerland.


33 thoughts on “$10M Is Yours If You Can Get This Guy to Leave Russia

  1. Clyde Tolson

    I have all the confidence in the world the FBI will arrest him. Sleep easy Edgar.

    1. Clausewitz4.0

      Also have all the confidence in the world the FBI will arrest him. Then in the next week Mexico will invade USA, Taiwan captures Beijing, Ukraine defeats Russia, CIA will not kill people anymore.

  2. barack osama

    Who’s going to punish people that ruined Libya, countless countries in South America with coups and razed Middle East to the ground?
    Actually no worry, karma exists and it has struck in the form of lg.btq so their bloodlines will be erased, just like those people in middle East

  3. J Nevard

    What an absolute hero. How typical that the criminal American empire is trying to have this man illegally kidnapped.

  4. MZT

    Another hero who has done tremendous damage to the satanic american financial system may he live past 100!

  5. Dennis

    What’s with all these ruzzian trolls posting here?

    1. mealy

      Krebs reports on their activities and prosecutions so some try to counter his reporting with jibberish spams.
      I would point out though that many to most of them are likely not actual Russian nationals.

  6. Anna

    If the car u mentioned registered in samara , the Ferrari u posted registered in Moscow

  7. notRussian_55

    Isn’t it strange that so many people who complain about imperialism are happy to wear designer gear (and fake designer gear) made by ten year old children in Bangladesh?

    1. mao_please_come_back

      No, why would it be strange? According to you only people who dont wear clothes are allowed to criticize imperialism? “You wear designer clothers, therefore imperialism is good” sounds like an awful justification for imperialism. Yes, almost all clothes are made by people working under horrible conditions. Insightful. But the reason for that situation is imperialism, not people wearing nice clothes.

      1. Mahhn

        ” almost all clothes are made by people working under horrible conditions” Nope, only fools, meth heads (including Adderall), and evil people don’t care who suffers for their personal gain. Once you know, you can’t claim fool.

  8. Vlad

    Does he have to be alive to collect the bounty?

    1. ILoveBigStrongMen

      Rip bozo, much like your country, your life is over. Americans just can’t stop being the best!

  9. Thorvold

    Brian,
    In terms of the phone number cited in your article, 879608229389 and the (mis?)leading “8”: 8 is the long distance dialing prefix in Russia. 7 is the country code. 960 is an area code assigned to mobile numbers. 822-93-89 is the local phone number portion.

    Thinking in terms of the US, you can prefix a US number with a 1 and it is a validly dialed number if the user is dialing long distance, but most people only list their 10-digit phone number. In this case Anna is listing her number with the optional 8 prefix, and Denis is not.

  10. Bart Blom

    There is one thing I don’t understand. How come the large credit card companies don’t know or understand where card validation requests come from? Why can they not detect traffic of validation requests with a higher percentage of stolen or suspicious card numbers? How can a million requests per month remain undetected in todays sophisticated reading of transaction flows? Do their fraught detection systems only focus on purchases?

    1. Perdition

      The first thing you should take in to account is the vast amount of compromised merchants being used to process the “check” transactions. Secondly, you’re making the assumption that the banks extending lines of credit on behalf of the issuers aren’t detecting a good portion of them. It is important to make a distinction between the merchant processor and/or gateway, and the institutions on the other end. There’s laws which limit both the collection, and sharing of customer details and your comment seems to imply some mutual inclusivity which does not exist.
      There are sophisticated protections built into the proprietary risk mitigation systems that may initially appear benign, but frequently apply soft-restrictions or flag cards with heightened risk levels. This conditional approach allows issuers to sufficiently strike a balance that protects customers, merchants, and banks…

  11. WVguy

    What are the qualifiers for the $10 million? The announcement from the state department says “up to $10 million”.

    “Today, the Department of State is announcing a reward offer of up to $10 million for Russian national Denis Gennadievich Kulkov, for information leading to his arrest and/or conviction for transnational organized crime.”

  12. Peter

    Here’s an idea, how about the US bring back the concept of jurisdiction and quit wasting US law enforcement resources prosecuting foreigners in foreign nations. SCOTUS really needs to retouch that one and reel back in the US executive branch claim of domestic jurisdiction over the entire world.

    Dude is a Russian running a business in Russia. The US can either lobby Russia to change their local laws and arrest him, arrest US customers, or they can do what countries do when their neighbors private citizens are obnoxious, increase security or regime change. This simply isn’t a judicial issue.

    Also Griner. Notice how many Americans in America don’t seem to get mailed to Russia, China, Thailand, Saudi, etc for “crimes” such as “sitting in Montana badmouthing the Thai King”. Nope exact opposite, you can illegally smuggle drugs, admit it, and the US president will move heaven and earth to free you even though if you did the exact same thing domestically even with the same drug, you would be a felon lol.

    1. Jim

      Big difference is the crime of credit card fraud, “carding”, is illegal in both countries. It’s just that Russia doesn’t want to prosecute their own when the victims are in the west.
      It’s normal and good that other countries indict criminals from other countries.

      The Internet made it easy for crime across borders, so too must justice reach.
      You don’t understand jurisdiction. It has ALWAYS been the case that the jurisdiction falls within the victim’s area. Credit Card fraud targets are the victims and their tax money goes to law enforcement to stop these crimes.

    2. Okay Pietr

      “her luggage contained vape cartridges with cannabis oil”
      In the US it would have been a sentence of months, at the most. Probably a misdemeanor and probation as it was the first offence.
      Not 9 years in a penal colony.

    3. mealy

      Russian criminal hacking groups don’t need useful idiots spouting whattaboutisms.
      Not even for free.

  13. man

    How hard is it to seize these domain’s of criminal websites? This could be happening every time they break our laws. Should be almost immediate.

    1. Clausewitz4.0

      Point is, USA law is NOT universal law.
      Hence, thepiratebay still online.
      USA is powerless outside USA, except for a few agents from dubious 3-letters gov agencies wacking some guys around from time to time.

      1. Jim

        Intellectual property law tends to be not universal. The US has had powerful music and movie lobbyists for a long time.
        Fraud and other crimes are pretty much universal. Russia absolutely would indict criminals if they targets Russian citizens.
        But they don’t.

        Russian cyber criminals don’t need to travel to the US to get arrested. Just any of the extradition countries throughout Europe.
        European countries may allow stuff that the US is strict about (copyright piracy, etc.), But carding is illegal, and they have no problem extraditing.

  14. ben dover

    The US as always tries to purse their law World-Wide. Fuck the US and their imperialism. They are terrorist gangsters, yep.

  15. Peter

    @Jim, it’s called executive discretion, the US makes use of it routinely to not arrest Americans who break US law, even flagrantly. Russia has no obligation arrest this guy.

    And no the “victims” are not US cardholders, the PCI doesn’t work that way. The only “victims” are the merchants who didn’t do appropriate credit validation hence have to eat the loss or, if some rare cases, the issuers / processors. And even that is questionable between insurance and tax write-offs.

    1. Jim

      @ Peter
      And THERE IT IS. The classic criminal justification. “They are insured for the loss, so they’re not really victims”.
      This is some BS rationale that thieves tell themselves to feel okay about robbing people.

      Whether it’s Russian carders, Indian scammers, Nigerian princes, it’s always the same.
      This forum is crowded with comments from scammers and thieves trying to justify their actions. They’ll get no sympathy here, or in court.

    2. Emma Holiday

      Peter. You’re breaking your mother’s heart. She should not believe the excuses that this is a victimless crime.

  16. SeymourB

    The only country this pudgy doughboy is going to be allowed to visit is Ukraine and that’s via the front lines. Russia won’t let anyone leave now that they’re running low on cannon fodder.

  17. Doug Patricia

    I do online trading, I was a scam victim of BTC investment and SpyWare Cyber recovered my Bitcoins amazingly. Have you experienced the same loss of cryptocurrencies to phony internet investments that I did? or the incorrect wallet? Get in touch with SpyWare Cyber right once if you want to get your BTC restored or need legal advice on how to proceed. I lost about 3.18 BTC. I bought into the promise that I would receive 25% of my investment each week but it led to my loss. SpyWare Cyber did the ultimate job by getting back my lost BTC with effectiveness. They merit praise because of this, and I’m overwhelmed. The contact information for SpyWare Cyber is: Spyware(at)cybergal(.)com Phone/text +19892640381 Website at : https://cybegal.net

Comments are closed.