Last week, KrebsOnSecurity broke the news that one of the largest cybercrime services used to launder stolen goods was recently hacked, exposing its internal operations, finances, and organizational structure.In today’s part two, we’ll look at clues about real-life identityfearless,” a nickname chosen by the owner U.S. SWAT airdrop Serve.
A U.S. SWAT team based in Russia recruits people across the United States to re-ship packages containing expensive electronics purchased with stolen credit cards. As this Nov. 2 story details, the SWAT team currently employs more than 1,200 U.S. residents, all of whom will be laid off at the end of the first month without a promised payday to rehabilitate the stolen goods. .
SWAT’s current co-owner is a cybercriminal nicknamed “Fearless” who operates primarily on cybercrime forums Verified. The Russian-language forum has tens of thousands of members and has been hit by multiple hacks that have exposed more than a decade of user data and direct messages.
A January 2021 post on Verified shows Fearllless and his partner common The SWAT forwarding business was purchased from a verified member named SWAT who has been operating this service for many years. SWAT agreed to transfer the business in exchange for 30% of net profits for the following six months.
Network intelligence company Intel 471 said Fearless first registered on Verified in February 2013. The email address used by Fearlless on Verified is nowhere to be found, but a review of Fearlless’s direct messages on Verified shows that the user originally signed up on Verified a year ago as a forwarding provider, under the alias “cold type”.
There are two clues supporting the conclusion that Apathyp and Fearllless are the same person. First, Verified administrators warned Apathyp that he was violating the forum’s rules prohibiting the same person from using multiple accounts, and Verified’s automated systems detected that Apathyp and Fearllless were logging in from the same device. Second, in his earliest Verified private messages, Fearless told others to contact him at an instant messaging address that Apathyp claimed belonged to him.
Intel 471 says Apathyp used email address to register on Verified triploo@mail.ru. A search of the email address in Constella Intelligence, a vulnerability intelligence service, revealed that the password usually associated with it is “nice one”. However, the triploo@mail.ru account was not associated with anything interesting other than the now-deleted account. contact methodRussia’s answer to Facebook.
However, in September 2020, Apathyp sent a private message on Verified to the owner of a stolen credit card store, stating that his credentials were no longer valid. Apathyp told the store owner that the password he had chosen on the service was “12Indifference”.
A Constella search for the password revealed that it was only used by four different email addresses, two of which were particularly interesting: gezze@yandex.ru and gezze@mail.ru. Constella found that both addresses were previously associated with the same password as triploo@mail.ru – “niceone”, or some variation thereof.
Constella discovered that gezze@mail.ru was used to create an account called Vkontakte a few years ago Ivan Sherban (old password:”12niceone“) from the industrial city of Magnitogorsk in Russia’s southern region. The email address is now tied to Ivan Sherban’s Vkontakte account, which lists his home as St. Petersburg, Russia. Sherban’s profile photo shows , a heavily tattooed, muscular man who has just been married and his beautiful bride are getting ready to drive off in a roadster.
A key clue validating the Apathyp/Fearllless research came from identity intelligence company myNetWatchman, which discovered that the password gezze@mail.ru had been used “Gates 1991“(gezze1991) and “GEZE18081991”.
Want to bet on when Vkontakte says it’s Mr. Sherban’s birthday?Ten points if you answered August 18 (18081991).
Mr. Sherban did not respond to repeated requests for comment.
