July 3, 2024

Most accomplished cybercriminals go out of their way to separate their real names from their hacker handles. But among certain old-school Russian hackers it is not uncommon to find major players who have done little to prevent people from figuring out who they are in real life. A case study in this phenomenon is “x999xx,” the nickname chosen by a venerated Russian hacker who specializes in providing the initial network access to various ransomware groups.

x999xx is a well-known “access broker” who frequently sells access to hacked corporate networks — usually in the form of remote access credentials — as well as compromised databases containing large amounts of personal and financial data.

In an analysis published in February 2019, cyber intelligence firm Flashpoint called x999xx one of the most senior and prolific members of the top-tier Russian-language cybercrime forum Exploit, where x999xx could be seen frequently advertising the sale of stolen databases and network credentials.

In August 2023, x999xx sold access to a company that develops software for the real estate industry. In July 2023, x999xx advertised the sale of Social Security numbers, names, and birthdays for the citizenry of an entire U.S. state (unnamed in the auction).

A month earlier, x999xx posted a sales thread for 80 databases taken from Australia’s largest retail company. “You may use this data to demand a ransom or do something different with it,” x999xx wrote on Exploit. “Unfortunately, the flaw was patched fast. [+] no one has used the data yet [+] the data hasn’t been used to send spam [+] the data is waiting for its time.”

In October 2022, x999xx sold administrative access to a U.S. healthcare provider.

ALIAS: MAXNM

The oldest account by the name x999xx appeared in 2009 on the Russian language cybercrime forum Verified, under the email address maxnm@ozersk.com. Ozersk is a city in the Chelyabinsk region of west-central Russia.

According to the breach tracking service Constella Intelligence, the address maxnm@ozersk.com was used more than a decade ago to create an account at Vktontakte (the Russian answer to Facebook) under the name Maxim Kirtsov from Ozersk. Mr. Kirtsov’s profile — “maxnm” — says his birthday is September 5, 1991.

Personal photos Maxnm shared on Vktontakte in 2016. The caption has been machine translated from Russian.

The user x999xx registered on the Russian language cybercrime community Zloy in 2014 using the email address maxnmalias-1@yahoo.com. Constella says this email address was used in 2022 at the Russian shipping service cdek.ru by a Maksim Georgievich Kirtsov from Ozersk.

Additional searches on these contact details reveal that prior to 2009, x999xx favored the handle Maxnm on Russian cybercrime forums. Cyber intelligence company Intel 471 finds the user Maxnm registered on Zloy in 2006 from an Internet address in Chelyabinsk, using the email address kirtsov@telecom.ozersk.ru.

That same email address was used to create Maxnm accounts on several other crime forums, including Spamdot and Exploit in 2005 (also from Chelyabinsk), and Damagelab in 2006.

A search in Constella for the Russian version of Kirtsov’s full name — Кирцов Максим Георгиевич — brings up multiple accounts registered to maksya@icloud.com.

A review of the digital footprint for maksya@icloud.com at osint.industries reveals this address was used a decade ago to register a still-active account at imageshack.com under the name x999xx. That account features numerous screenshots of financial statements from various banks, chat logs with other hackers, and even hacked websites.

x999xx’s Imageshack account includes screenshots of bank account balances from dozens of financial institutions, as well as chat logs with other hackers and pictures of homegrown weed.

Some of the photos in that Imageshack account also appear on Kirtsov’s Vkontakte page, including images of vehicles he owns, as well as pictures of potted marijuana plants. Kirtsov’s Vkontakte profile says that in 2012 he was a faculty member of the Ozersk Technological Institute National Research Nuclear University.

The Vkontakte page lists Kirtsov’s occupation as a website called ozersk[.]today, which on the surface appears to be a blog about life in Ozersk. However, in 2019 the security firm Recorded Future published a blog post which found this domain was being used to host a malicious Cobalt Strike server.

Cobalt Strike is a commercial network penetration testing and reconnaissance tool that is sold only to vetted partners. But stolen or ill-gotten Cobalt Strike licenses are frequently abused by cybercriminal gangs to help lay the groundwork for the installation of ransomware on a victim network.

In August 2023, x999xx posted a message on Exploit saying he was interested in buying a licensed version of Cobalt Strike. A month earlier, x999xx filed a complaint on Exploit against another forum member named Cobaltforce, an apparent onetime partner whose sudden and prolonged disappearance from the community left x999xx and others in the lurch. Cobaltforce recruited people experienced in using Cobalt Strike for ransomware operations, and offered to monetize access to hacked networks for a share of the profits.

DomainTools.com finds ozersk[.]today was registered to the email address dashin2008@yahoo.com, which also was used to register roughly two dozen other domains, including x999xx[.]biz. Virtually all of those domains were registered to Maxim Kirtsov from Ozersk. Below is a mind map used to track the identities mentioned in this story.

A visual depiction of the data points connecting x999xx to Max Kirtsov.

x999xx is a prolific member of the Russian webmaster forum “Gofuckbiz,” with more than 2,000 posts over nearly a decade, according to Intel 471. In one post from 2016, x999xx asked whether anyone knew where he could buy a heat lamp that simulates sunlight, explaining that one his pet rabbits had recently perished for lack of adequate light and heat. Mr. Kirtsov’s Vkontakte page includes several pictures of caged rabbits from 2015 and earlier.

CONFIRMATION

Reached via email, Mr. Kirtsov acknowledged that he is x999xx. Kirtsov said he and his team are also regular readers of KrebsOnSecurity.

“We’re glad to hear and read you,” Kirtsov replied.

Asked whether he was concerned about the legal and moral implications of his work, Kirtsov downplayed his role in ransomware intrusions, saying he was more focused on harvesting data.

“I consider myself as committed to ethical practices as you are,” Kirtsov wrote. “I have also embarked on research and am currently mentoring students. You may have noticed my activities on a forum, which I assume you know of through information gathered from public sources, possibly using the new tool you reviewed.”

“Regarding my posts about selling access, I must honestly admit, upon reviewing my own actions, I recall such mentions but believe they were never actualized,” he continued. “Many use the forum for self-serving purposes, which explains why listings of targets for sale have dwindled — they simply ceased being viable.”

Kirtsov asserted that he is not interested in harming healthcare institutions, just in stealing their data.

“As for health-related matters, I was once acquainted with affluent webmasters who would pay up to $50 for every 1000 health-themed emails,” Kirtsov said. “Therefore, I had no interest in the more sensitive data from medical institutions like X-rays, insurance numbers, or even names; I focused solely on emails. I am proficient in SQL, hence my ease with handling data like IDs and emails. And i never doing spam or something like this.”

On the Russian crime forums, x999xx said he never targets anything or anyone in Russia, and that he has little to fear from domestic law enforcement agencies provided he remains focused on foreign adversaries.

x999xx’s lackadaisical approach to personal security mirrors that of Wazawaka, another top Russian access broker who sold access to countless organizations and even operated his own ransomware affiliate programs.

“Don’t shit where you live, travel local, and don’t go abroad,” Wazawaka said of his own personal mantra. “Mother Russia will help you. Love your country, and you will always get away with everything.”

In January 2022, KrebsOnSecurity followed clues left behind by Wazawaka to identify him as 32-year-old Mikhail Matveev from Khakassia, Russia. In May 2023, the U.S. Department of Justice indicted Matveev as a key figure in several ransomware groups that collectively extorted hundreds of millions of dollars from victim organizations. The U.S. State Department is offering a $10 million reward for information leading to the capture and/or prosecution of Matveev.

Perhaps in recognition that many top ransomware criminals are largely untouchable so long as they remain in Russia, western law enforcement agencies have begun focusing more on getting inside the heads of those individuals. These so-called “psyops” are aimed at infiltrating ransomware-as-a-service operations, disrupting major cybercrime services, and decreasing trust within cybercriminal communities.

When authorities in the U.S. and U.K. announced in February 2024 that they’d infiltrated and seized the infrastructure used by the infamous LockBit ransomware gang, they borrowed the existing design of LockBit’s victim shaming website to link instead to press releases about the takedown, and included a countdown timer that was eventually replaced with the personal details of LockBit’s alleged leader.

In May 2024, law enforcement agencies in the United States and Europe announced Operation Endgame, a coordinated action against some of the most popular cybercrime platforms for delivering ransomware and data-stealing malware. The Operation Endgame website also included a countdown timer, which served to tease the release of several animated videos that mimic the same sort of flashy, short advertisements that established cybercriminals often produce to promote their services online.


18 thoughts on “The Not-So-Secret Network Access Broker x999xx

  1. Hackerman

    “Some of the photos in that Imageshack account also appear on Kirtsov’s Vkontakte page, including images of vehicles he owns”

    Isn’t that just a screenshot from GTA 5?

    Also, the article feels sponsored by Constella Intelligence.

    Reply
    1. BrianKrebs Post author

      That collection of images at the top is just a randomly displayed set of pictures from the x999xx profile. I didn’t chose them. You are correct that some of the images of cars in both the Imageshack and VK profiles are from GTA 5, but others show a black SUV that appears to belong to Kirtsov.

      Also, while a good number of Breadcrumbs stories here do indeed mention Constella, that is because their service is extremely useful. They have pitched me on things in the past, but I can’t recall ever biting on any of those. When I reference them in a story it is almost always an investigation I initiated on my own. But I mention them, as I do other sources of useful intel, so that others can check my work.

      I should add that Constella is neither a sponsor or a benefactor/advertiser, nor have they been in the past. That could change in the future, obviously.

      Reply
  2. Catwhisperer

    I love your Mind Maps, Mr. Krebs. They provide so much actionable information, LOL…

    But how will we ever hope to succeed against adversaries with the mantra of Mr. Wazawaka, when the country of origin is in cahoots? Well, since things are becoming more and more unhinged as time goes by, I’m hoping America will bring forth a cybersecurity version of privateers and make their work immune from prosecution. As long as the pooping is done in another’s back yard, what’s good for the goose is good for the gander, IMHO.

    Reply
    1. John Doe

      Are you planning on writing a story on the CDK global ransomware debacle?

      Reply
      1. Catwhisperer

        What’s up Mohamed? You don’t like the idea of what is good for the goose is good for the gander. Death to America? We laugh a you Mohamed, because all that is in your own mind, and that hatred will poison you. Americans don’t think “Death to that person’s crap-hole country!”, LOL! You know why, Mohamed? Because though America is NOT perfect, and I might be American trash, you know that given a chance your fellow citizens in your third world country would rather live like an American in America than live what it’s like wherever your are at. That’s why we have an immigration problem here in the States…

        God Bless America this Fourth of July, and America thanks you, Mohammed and the likes of you, for the generosity of your allowing Her to live rent free in your head!

        Reply
  3. R.Cake

    “…as committed to ethical practices as you are…” well that one sure gave me a good laugh. Thanks a lot for the excellent investigation and article, @Brian.

    Reply
  4. Syra

    This post was very informative and well-researched. One thing I thought could be expanded upon is the countermeasures organizations can take to protect themselves from such brokers.

    Reply
  5. Ed.

    Describing him as “a venerated Russian hacker” makes it sound like the admiration goes far beyond the criminal element, and gives it an unfortunately positive aspect.

    Why not describe him from the perspective of the law-abiding community and say “a notorious Russian hacker” or “an infamous Russian hacker”?

    Reply
    1. Mahhn

      Hacking is not a crime, it is taking things apart to understand them and possibly use beyond its intended purpose.
      A cybercriminal is more of what you are asking to label him as, which he has been. He can be both.

      Reply
    1. Just a Wannabe Techguy

      What’s a jocker? Is that a sports person of some sort?

      Reply
  6. aquasticky

    port and its publication after the short sale know about its short selling motives and did they financially benefit from it?
    3. Did KMIL and the said Indian actors know abo

    Reply
  7. Secunetcon

    Anyone that preys on healthcare providers and sells social security numbers are scum! Some people rely on their disability benefits just to survive, and imagine if a whole month’s worth of money went missing because of some hack like x999xx?!

    Reply
  8. Ron

    > Perhaps in recognition that many top ransomware criminals are largely untouchable so long as they remain in Russia

    No extradition. But that does not rule out other means.

    Makes one wonder if these cybercrims fall out of the good graces of Russia if they will be sent on an involuntary vacation to The Hague or USA.

    Reply
    1. Fr00tL00ps

      A stint in a Western prison would be a holiday compared to conditions in a Russian gulag. Russian hackers know this and the Kremlin knows this. Which is why they only target the West. If some one really upset an official, they’d just get pushed out of an upper storey window. Simple, low cost and no risk of any embarrassing ‘loose talk’.

      Reply
      1. Ron

        Dunno man. Some of those American for-profit prisons seem pretty harsh. But point taken.

        Reply

Leave a Reply

Your email address will not be published. Required fields are marked *