Category Archives: Get-Net LLC

Russian FSB Counterintelligence Chief Gets 9 Years in Cybercrime Bribery Scheme

The head of counterintelligence for a division of the Russian Federal Security Service (FSB) was sentenced last week to nine years in a penal colony for accepting a USD $1.7 million bribe to ignore the activities of a prolific Russian cybercrime group that hacked thousands of e-commerce websites. The protection scheme was exposed in 2022 when Russian authorities arrested six members of the group, which sold millions of stolen payment cards at flashy online shops like Trump’s Dumps.

A now-defunct carding shop that sold stolen credit cards and invoked 45’s likeness and name.

As reported by The Record, a Russian court last week sentenced former FSB officer Grigory Tsaregorodtsev for taking a $1.7 million bribe from a cybercriminal group that was seeking a “roof,” a well-placed, corrupt law enforcement official who could be counted on to both disregard their illegal hacking activities and run interference with authorities in the event of their arrest.

Tsaregorodtsev was head of the counterintelligence department for a division of the FSB based in Perm, Russia. In February 2022, Russian authorities arrested six men in the Perm region accused of selling stolen payment card data. They also seized multiple carding shops run by the gang, including Ferum Shop, Sky-Fraud, and Trump’s Dumps, a popular fraud store that invoked the 45th president’s likeness and promised to “make credit card fraud great again.”

All of the domains seized in that raid were registered by an IT consulting company in Perm called Get-net LLC, which was owned in part by Artem Zaitsev — one of the six men arrested. Zaitsev reportedly was a well-known programmer whose company supplied services and leasing to the local FSB field office.

The message for Trump’s Dumps users left behind by Russian authorities that seized the domain in 2022.

Russian news sites report that Internal Affairs officials with the FSB grew suspicious when Tsaregorodtsev became a little too interested in the case following the hacking group’s arrests. The former FSB agent had reportedly assured the hackers he could have their case transferred and that they would soon be free.

But when that promised freedom didn’t materialize, four the of the defendants pulled the walls down on the scheme and brought down their own roof. The FSB arrested Tsaregorodtsev, and seized $154,000 in cash, 100 gold bars, real estate and expensive cars.

At Tsaregorodtsev’s trial, his lawyers argued that their client wasn’t guilty of bribery per se, but that he did admit to fraud because he was ultimately unable to fully perform the services for which he’d been hired.

The Russian news outlet Kommersant reports that all four of those who cooperated were released with probation or correctional labor. Zaitsev received a sentence of 3.5 years in prison, and defendant Alexander Kovalev got four years.

In 2017, KrebsOnSecurity profiled Trump’s Dumps, and found the contact address listed on the site was tied to an email address used to register more than a dozen domains that were made to look like legitimate Javascript calls many e-commerce sites routinely make to process transactions — such as “js-link[dot]su,” “js-stat[dot]su,” and “js-mod[dot]su.”

Searching on those malicious domains revealed a 2016 report from RiskIQ, which shows the domains featured prominently in a series of hacking campaigns against e-commerce websites. According to RiskIQ, the attacks targeted online stores running outdated and unpatched versions of shopping cart software from Magento, Powerfront and OpenCart.

Those shopping cart flaws allowed the crooks to install “web skimmers,” malicious Javascript used to steal credit card details and other information from payment forms on the checkout pages of vulnerable e-commerce sites. The stolen customer payment card details were then sold on sites like Trump’s Dumps and Sky-Fraud.

Russian FSB Counterintelligence Chief Gets 9 Years in Cybercrime Bribery Scheme

The head of counterintelligence for a division of the Russian Federal Security Service (FSB) was sentenced last week to nine years in a penal colony for accepting a USD $1.7 million bribe to ignore the activities of a prolific Russian cybercrime group that hacked thousands of e-commerce websites. The protection scheme was exposed in 2022 when Russian authorities arrested six members of the group, which sold millions of stolen payment cards at flashy online shops like Trump’s Dumps.

A now-defunct carding shop that sold stolen credit cards and invoked 45’s likeness and name.

As reported by The Record, a Russian court last week sentenced former FSB officer Grigory Tsaregorodtsev for taking a $1.7 million bribe from a cybercriminal group that was seeking a “roof,” a well-placed, corrupt law enforcement official who could be counted on to both disregard their illegal hacking activities and run interference with authorities in the event of their arrest.

Tsaregorodtsev was head of the counterintelligence department for a division of the FSB based in Perm, Russia. In February 2022, Russian authorities arrested six men in the Perm region accused of selling stolen payment card data. They also seized multiple carding shops run by the gang, including Ferum Shop, Sky-Fraud, and Trump’s Dumps, a popular fraud store that invoked the 45th president’s likeness and promised to “make credit card fraud great again.”

All of the domains seized in that raid were registered by an IT consulting company in Perm called Get-net LLC, which was owned in part by Artem Zaitsev — one of the six men arrested. Zaitsev reportedly was a well-known programmer whose company supplied services and leasing to the local FSB field office.

The message for Trump’s Dumps users left behind by Russian authorities that seized the domain in 2022.

Russian news sites report that Internal Affairs officials with the FSB grew suspicious when Tsaregorodtsev became a little too interested in the case following the hacking group’s arrests. The former FSB agent had reportedly assured the hackers he could have their case transferred and that they would soon be free.

But when that promised freedom didn’t materialize, four the of the defendants pulled the walls down on the scheme and brought down their own roof. The FSB arrested Tsaregorodtsev, and seized $154,000 in cash, 100 gold bars, real estate and expensive cars.

At Tsaregorodtsev’s trial, his lawyers argued that their client wasn’t guilty of bribery per se, but that he did admit to fraud because he was ultimately unable to fully perform the services for which he’d been hired.

The Russian news outlet Kommersant reports that all four of those who cooperated were released with probation or correctional labor. Zaitsev received a sentence of 3.5 years in prison, and defendant Alexander Kovalev got four years.

In 2017, KrebsOnSecurity profiled Trump’s Dumps, and found the contact address listed on the site was tied to an email address used to register more than a dozen domains that were made to look like legitimate Javascript calls many e-commerce sites routinely make to process transactions — such as “js-link[dot]su,” “js-stat[dot]su,” and “js-mod[dot]su.”

Searching on those malicious domains revealed a 2016 report from RiskIQ, which shows the domains featured prominently in a series of hacking campaigns against e-commerce websites. According to RiskIQ, the attacks targeted online stores running outdated and unpatched versions of shopping cart software from Magento, Powerfront and OpenCart.

Those shopping cart flaws allowed the crooks to install “web skimmers,” malicious Javascript used to steal credit card details and other information from payment forms on the checkout pages of vulnerable e-commerce sites. The stolen customer payment card details were then sold on sites like Trump’s Dumps and Sky-Fraud.

Russian Govt. Continues Carding Shop Crackdown

Russian authorities have arrested six men accused of operating some of the most active online bazaars for selling stolen payment card data. The crackdown — the second closure of major card fraud shops by Russian authorities in as many weeks — comes closely behind Russia’s arrest of 14 alleged affiliates of the REvil ransomware gang, and has many in the cybercrime underground asking who might be next.

Dept. K’s message for Trump’s Dumps users.

On Feb. 7 and 8, the domains for the carding shops Trump’s Dumps, Ferum Shop, Sky-Fraud and UAS were seized by Department K, a division of the Ministry of Internal Affairs of the Russian Federation that focuses on computer crimes. The websites for the carding stores were retrofitted with a message from Dept. K asking, “Which one of you is next?”

According to cyber intelligence analysts at Flashpoint, that same message was included in the website for UniCC, another major and venerated carding shop that was seized by Dept. K in January.

Around the same time Trump’s Dumps and the other three shops began displaying the Dept. K message, the Russian state-owned news outlet TASS moved a story naming six Russian men who were being charged with “the illegal circulation of means of payment.”

TASS reports the six detained include Denis Pachevsky, general director of Saratovfilm Film Company LLC; Alexander Kovalev, an individual entrepreneur; Artem Bystrykh, an employee of Transtekhkom LLC; Artem Zaitsev; an employee of Get-net LLC; and two unemployed workers, Vladislav Gilev and Yaroslav Solovyov.

None of the stories about the arrests tie the men to the four carding sites. But Flashpoint found that all of the domains seized by Dept. K. were registered and hosted through Zaitsev’s company — Get-net LLC.

“All four sites frequently advertised one another, which is generally atypical for two card marketplaces competing in the same space,” Flashpoint analysts wrote.

Stas Alforov is director of research for Gemini Advisory, a New York firm that monitors underground cybercrime markets. Alforov said it is most unusual for the Russians to go after carding sites that aren’t selling data stolen from Russian citizens.

“It’s not in their business to be taking down Russian card shops,” Alforov said. “Unless those shops were somehow selling data on Russian cardholders, which they weren’t.”

A carding shop that sold stolen credit cards and invoked 45’s likeness and name was among those taken down this week by Russian authorities.

Debuting in 2011, Ferum Shop is one of the oldest observed dark web marketplaces selling “card not present” data (customer payment records stolen from hacked online merchants), according to Gemini.

“Every year for the last 5 years, the marketplace has been a top 5 source of card not present records in terms of records posted for sale,” Gemini found. “In this time period, roughly 66% of Ferum Shop’s records have been from United States financial institutions. The remaining 34% have come from over 200 countries.”

In contrast, Trump’s Dumps focuses on selling card data stolen from hacked point-of-sale devices, and it benefited greatly from the January 2021 retirement of Joker’s Stash, which for years dwarfed most other carding shops by volume. Gemini found Trump’s Dumps gained roughly 40 percent market share after Joker’s closure, and that more than 87 percent of the payment card records it sells are from U.S. financial institutions.

“In the past 5 years, Ferum Shop and Trump’s Dumps have cumulatively added over 64 million compromised payment cards,” Alforov wrote. “Based on average demand for CP and CNP records and the median price of $10, the total revenue from these sales is estimated to be over $430 million. Due to the 20 to 30% commission that shops generally receive, the administrators of Ferum Shop and Trump’s Dumps likely generated between $86 and $129 million in profits from these card sales.”

The arrests of the six men comes less than two weeks after Russian law enforcement officials detained four suspected carders — including Andrey Sergeevich Novak, the reputed owner of the extremely popular and long-running UniCC carding shop.

In 2018, the U.S. Justice Department charged Novak and three dozen other defendants thought to be key members of “Infraud,” a long-running cybercrime forum that prosecutors say cost merchants and consumers more than half a billion dollars.

Unicc shop, which sold stolen credit card data as well as Social Security numbers and other consumer information that can be used for identity theft. It was seized by Dept. K in January 2020.

Flashpoint said the recent arrests represent the first major actions against Russia-based cybercriminals since March 2020, when the FSB detained more than thirty members of an illicit carding operation, charging twenty-five of them with “illegal circulation of means of payment.”

Dumps, or card data stolen from compromised point-of-sale devices, have been declining in popularity among fraudsters for years as more financial institutions have issued more secure chip-based cards. In contrast, card-not-present data stolen from online stores continues to be in high demand, because it helps facilitate fraud at online retailers. Gemini says the supply of card-not-present data rose by 50 percent in 2021 versus 2020, fed largely by the success of Magecart e-skimmers that target vulnerabilities in e-commerce sites.

Alforov says while the carding shop closures are curiously timed, he doubts the supply of stolen card data is going to somehow shrink as a result. Rather, he said, some of the lower-tier card shops that were previously just resellers working with Trump’s Dumps and others are now suddenly ramping up inventory with their own new suppliers — very likely thanks to the same crooks who were selling cards to the six men arrested this week in Russia.

“What we’re seeing now is a lot of those reseller shops are coming to the market and saying, ‘We don’t have that order data we were getting from Ferum Shop but now have our own vendors,'” Alforov said. “Some of the lesser tier shops are starting to move up the food chain.”