Last week, KrebsOnSecurity broke the news that one of the largest cybercrime services for laundering stolen merchandise was hacked recently, exposing its internal operations, finances and organizational structure. In today’s Part II, we’ll examine clues about the real-life identity of “Fearlless,” the nickname chosen by the proprietor of the SWAT USA Drops service.
Based in Russia, SWAT USA recruits people in the United States to reship packages containing pricey electronics that are purchased with stolen credit cards. As detailed in this Nov. 2 story, SWAT currently employs more than 1,200 U.S. residents, all of whom will be cut loose without a promised payday at the end of their first month reshipping stolen goods.
The current co-owner of SWAT, a cybercriminal who uses the nickname “Fearlless,” operates primarily on the cybercrime forum Verified. This Russian-language forum has tens of thousands of members, and it has suffered several hacks that exposed more than a decade’s worth of user data and direct messages.
January 2021 posts on Verified show that Fearlless and his partner Universalo purchased the SWAT reshipping business from a Verified member named SWAT, who’d been operating the service for years. SWAT agreed to transfer the business in exchange for 30 percent of the net profit over the ensuing six months.
Cyber intelligence firm Intel 471 says Fearlless first registered on Verified in February 2013. The email address Fearlless used on Verified leads nowhere, but a review of Fearlless’ direct messages on Verified indicates this user originally registered on Verified a year earlier as a reshipping vendor, under the alias “Apathyp.”
There are two clues supporting the conclusion that Apathyp and Fearlless are the same person. First, the Verified administrators warned Apathyp he had violated the forum’s rules barring the use of multiple accounts by the same person, and that Verified’s automated systems had detected that Apathyp and Fearlless were logging in from the same device. Second, in his earliest private messages on Verified, Fearlless told others to contact him on an instant messenger address that Apathyp had claimed as his.
Intel 471 says Apathyp registered on Verified using the email address triploo@mail.ru. A search on that email address at the breach intelligence service Constella Intelligence found that a password commonly associated with it was “niceone.” But the triploo@mail.ru account isn’t connected to much else that’s interesting except a now-deleted account at Vkontakte, the Russian answer to Facebook.
However, in Sept. 2020, Apathyp sent a private message on Verified to the owner of a stolen credit card shop, saying his credentials no longer worked. Apathyp told the proprietor that his chosen password on the service was “12Apathy.”
A search on that password at Constella reveals it was used by just four different email addresses, two of which are particularly interesting: gezze@yandex.ru and gezze@mail.ru. Constella discovered that both of these addresses were previously associated with the same password as triploo@mail.ru — “niceone,” or some variation thereof.
Constella found that years ago gezze@mail.ru was used to create a Vkontakte account under the name Ivan Sherban (former password: “12niceone”) from Magnitogorsk, an industrial city in the southern region of Russia. That same email address is now tied to a Vkontakte account for an Ivan Sherban who lists his home as Saint Petersburg, Russia. Sherban’s profile photo shows a heavily tattooed, muscular and recently married individual with his beautiful new bride getting ready to drive off in a convertible sports car.
A pivotal clue for validating the research into Apathyp/Fearlless came from the identity intelligence firm myNetWatchman, which found that gezze@mail.ru at one time used the passwords “геззи1991” (gezze1991) and “gezze18081991.”
Care to place a wager on what Vkontakte says is Mr. Sherban’s birthday? Ten points if you answered August 18 (18081991).
Mr. Sherban did not respond to multiple requests for comment.
One more reason not to reuse passwords.
Or, for that matter, public information about yourself such as your birthday.
Brian,
I am amazed that you are able to follow the rabbit trail and find the rabbit so often. Are you able to read the Russian posts or do you use a translate program?
I started learning Russian around 2006, but mainly to be able to read w/out the aid of a translation service. Not much practice speaking it. But I also am only now getting back into refreshing my vocab and reading comprehension. It helps that I am just lurking, not trying to speak Russian to anyone really.
Who? Perhaps the same perp who calls himself atf while selling assault weapons in America’s Heartland?
I have an email that I have alleged was trying to do something just like this SWAT garbage. Sender said they wanted to hire me to receive, inspect, document, and repackage their shipments. Beyond putting another layer between the criminals, the seller and buyer, it would have put my fingerprints all over THEIR crimes. I’ve always suspected local North Georgia nationalist cartel….
And it still could be, especially if weapons seller, atf, ever turns out to be involved.
Thanks for all the safety work you do.
Found it. It’s dated January 26, 2016. Forgot why I’ve always assumed it was North Georgia’s supremacy cartel. Email’s sender matches a user name from a couple posts on a now non-existent website. Website was broken down into subdomains that represented EVERY town and city in the United States.
Here’s some of the repackaging job offer email**:
“Get started with a promising fully real work from home career in Logistics with no investment or startup charges and acquire new experience. Work individually without too much supervision and receive $2500 every month.
This job offer is offered by a legitimate USA logistics business which allows its worldwide users to accept shipments in the US and then forward it to their destination using a a appropriate online system.
The corporation trusts in the work at home approach because it allows to save on warehousing expenses and offer delivery points throughout the USA.
Duties:
– Remain at your address to accept packages and letters directed to your residential or business address via USPS, DHL, UPS, and FedEx within regular business hours from 10:00 AM to 6:00 PM daily.
– Accept a list of incoming deliveries, your daily work tasks, and the prepaid shipping labels.
– Check packages and take and upload photographs of the contents of each item.
– Resend the mail to customers by printing and affixing labels and supplying the mail to the nearest USPS offices.”
Beyond priceless is their last line of requirements that says…
“This position is full-time and cannot be combined with any other job.”
Yeah, righhhht.
That perp on the local website subdomain was allegedly posting from Charleston, South Carolina, while calling him/herself something that referenced Carolina. The name “Jose Sanchez” played part of the Hotmail email address.
My inbox is also being spammed with other.. junk.. from the Charleston area. They were addressing it to someone who isn’t me. Putting that all out there in case it ever “coincidentally” jibes with facts you uncover.
** Law Enforcement is more than welcome in my inbox to retrieve that email without further ado. You already have the date. The subject is my full name in all lower case letters. That was another reason for just this side of KNOWING that email was tied to North Georgia criminal supremacists. They used my full name as I do.
Notable would be that there is possibly some useful email header attached to that… COUGH… job offer.
See ya…..
Classic reshipping scammer.
I just want to remind you that the coup d’état leading up to Gorbachev’s resignation was put into action on August 18th, 1991. Reference: https://en.wikipedia.org/wiki/1991_Soviet_coup_d%27%C3%A9tat_attempt This marks the beginning of the end for the old Soviet Rule. If that dude really was born on that day, it’s a hell of a coincidence.
Wow, that would be a hell of a coincidence. Might not take too much work to find his real bday…
Is there evidence these reshipping services are in one way used to get around sanctions and supply Russia with electronics for that “special operation” in Ukraine?
I think you just discovered the biggest conspiracy of the XXI century, bro
No country for script kiddies.
I’ll reply to my own comment. It was just a question y’all. Calm down… I’m taking interest in subjects that I didn’t before. Best thing about forums is asking a question and receiving unrelated answers. Is this stack exchange or I got more skin in the game than you do bruh 😉 Anyways Brian, I love your work. Take care see you soon.
Great!
Your work is amazing. I love reading your reports as they are intelligent and nonbiased. Thank you for bringing this to light.
> Mr. Sherban did not respond to multiple requests for comment.
I’m sure he’s just a busy guy, what with the honeymoon and all.
Mr. Sherban has the warm, fuzzy look of someone who’d play marbles with his opponent’s/enemy’s eyeballs.
How are you getting all that very useful information off of Constella Intelligence?
Hahaha! Fearlless(sp) is now renaming and identifying as Nervvous.
Damn Krebs I was hoping for a comprehensive article on the financials down to the penny, like what TorrentFreak did on a massive IPTV service bust that was raking in millions.
The pictures of this guy and wife were good, you can tell he’s not a real hacker just a notch up from script kiddie most likely.
It’s crazy how in Russia a basic criminal like that is making $100k a month and has a beautiful wife and no worries.
But if he lived in America he wouldn’t even be able to afford those tattoos with his skill level, there would be no hot wife and instead he would be covered in crappy prison tattoos with “ink” made from melted black chess pieces.
this goes on all the time on craigslist…..and other forums….
Sounds like you took a lot of work to find out who this POS is. Too bad he would ever be punished for his theft.