Home Cyber Security Who’s Behind the SWAT USA Reshipping Service? – Krebs on Safety

Who’s Behind the SWAT USA Reshipping Service? – Krebs on Safety

Who’s Behind the SWAT USA Reshipping Service? – Krebs on Safety


Final week, KrebsOnSecurity broke the information that one of many largest cybercrime companies for laundering stolen merchandise was hacked lately, exposing its inner operations, funds and organizational construction. In at this time’s Half II, we’ll look at clues concerning the real-life id of “Fearlless,” the nickname chosen by the proprietor of the SWAT USA Drops service.

Based mostly in Russia, SWAT USA recruits individuals in america to reship packages containing expensive electronics which are bought with stolen bank cards. As detailed in this Nov. 2 story, SWAT at present employs greater than 1,200 U.S. residents, all of whom shall be lower free with out a promised payday on the finish of their first month reshipping stolen items.

The present co-owner of SWAT, a cybercriminal who makes use of the nickname “Fearlless,” operates totally on the cybercrime discussion board Verified. This Russian-language discussion board has tens of hundreds of members, and it has suffered a number of hacks that uncovered greater than a decade’s price of consumer information and direct messages.

January 2021 posts on Verified present that Fearlless and his accomplice Universalo bought the SWAT reshipping enterprise from a Verified member named SWAT, who’d been working the service for years. SWAT agreed to switch the enterprise in trade for 30 % of the web revenue over the following six months.

Cyber intelligence agency Intel 471 says Fearlless first registered on Verified in February 2013. The e-mail tackle Fearlless used on Verified leads nowhere, however a assessment of Fearlless’ direct messages on Verified signifies this consumer initially registered on Verified a 12 months earlier as a reshipping vendor, underneath the alias “Apathyp.”

There are two clues supporting the conclusion that Apathyp and Fearlless are the identical individual. First, the Verified directors warned Apathyp he had violated the discussion board’s guidelines barring the usage of a number of accounts by the identical individual, and that Verified’s automated programs had detected that Apathyp and Fearlless had been logging in from the identical machine.  Second, in his earliest non-public messages on Verified, Fearlless instructed others to contact him on an instantaneous messenger tackle that Apathyp had claimed as his.

Intel 471 says Apathyp registered on Verified utilizing the e-mail tackle triploo@mail.ru. A search on that e mail tackle on the breach intelligence service Constella Intelligence discovered {that a} password generally related to it was “niceone.” However the triploo@mail.ru account isn’t linked to a lot else that’s fascinating besides a now-deleted account at Vkontakte, the Russian reply to Fb.

Nonetheless, in Sept. 2020, Apathyp despatched a non-public message on Verified to the proprietor of a stolen bank card store, saying his credentials now not labored. Apathyp instructed the proprietor that his chosen password on the service was “12Apathy.”

A search on that password at Constella reveals it was utilized by simply 4 completely different e mail addresses, two of that are significantly fascinating: gezze@yandex.ru and gezze@mail.ru. Constella found that each of those addresses had been beforehand related to the identical password as triploo@mail.ru — “niceone,” or some variation thereof.

Constella discovered that years in the past gezze@mail.ru was used to create a Vkontakte account underneath the title Ivan Sherban (former password: “12niceone“) from Magnitogorsk, an industrial metropolis within the southern area of Russia. That very same e mail tackle is now tied to a Vkontakte account for an Ivan Sherban who lists his dwelling as Saint Petersburg, Russia. Sherban’s profile photograph reveals a closely tattooed, muscular and lately married particular person along with his stunning new bride on the brink of drive off in a convertible sports activities automotive.

A pivotal clue for validating the analysis into Apathyp/Fearlless got here from the id intelligence agency myNetWatchman, which discovered that gezze@mail.ru at one time used the passwords “геззи1991” (gezze1991) and “gezze18081991.”

Care to put a wager on when Vkontakte says is Mr. Sherban’s birthday? Ten factors should you answered August 18 (18081991).

Mr. Sherban didn’t reply to a number of requests for remark.



Please enter your comment!
Please enter your name here