The USA as we speak unveiled sanctions and indictments in opposition to the alleged proprietor of Joker’s Stash, a now-defunct cybercrime retailer that peddled tens of hundreds of thousands of cost playing cards stolen in among the largest knowledge breaches of the previous decade. The federal government additionally indicted and sanctioned a high Russian cybercriminal referred to as Taleon, whose cryptocurrency trade Cryptex has advanced into considered one of Russia’s most energetic cash laundering networks.
A 2016 display screen shot of the Joker’s Stash homepage. The hyperlinks have been redacted.
The U.S. Division of Justice (DOJ) as we speak unsealed an indictment in opposition to a 38-year-old man from Novosibirsk, Russia for allegedly working Joker’s Stash, a particularly profitable carding store that got here on-line in late 2014. Joker’s offered playing cards stolen in a gradual drip of breaches at U.S. retailers, together with Saks Fifth Avenue, Lord and Taylor, Bebe Shops, Hilton Inns, Jason’s Deli, Entire Meals, Chipotle, Wawa, Sonic Drive-In, the Hy-Vee grocery store chain, Buca Di Beppo, and Dickey’s BBQ.
The federal government believes the brains behind Joker’s Stash is Timur Kamilevich Shakhmametov, a person who’s listed in Russian incorporation paperwork as the proprietor of Arpa Plus, a Novosibirsk firm that makes cell video games.
Early in his profession (circa 2000) Shakhmametov was referred to as “v1pee” and was the founding father of the Russian hacker group nerf[.]ru, which periodically revealed hacking instruments and exploits for software program vulnerabilities.
The Russian hacker group Nerf as described in a March 2006 article within the Russian hacker journal xakep.ru.
By 2004, v1pee had adopted the moniker “Vega” on the unique Russian language hacking discussion board Mazafaka, the place this person turned one of many extra dependable distributors of stolen cost playing cards.
Within the years that adopted, Vega would cement his status as a high carder on different boards, together with Verified, DirectConnection, and Carder[.]professional.
Vega additionally turned referred to as somebody who had the within observe on “limitless cashouts,” a globally coordinated cybercrime scheme by which crooks hack a financial institution or cost card processor and use cloned playing cards at money machines to quickly withdraw hundreds of thousands of {dollars} in just some hours.
“Hello, there may be work on d+p, limitless,” Vega wrote in a personal message to a different person on Verified in Dec. 2012, referring to “dumps and PINs,” the slang time period for stolen debit playing cards with the corresponding PINs that may permit ATM withdrawals.
This batch of some 5 million playing cards put up on the market Sept. 26, 2017 on the now-defunct carding website Joker’s Stash has been tied to a breach at Sonic Drive-In.
Joker’s Stash got here on-line within the wake of a number of monumental card breaches at retailers like Goal and Residence Depot, and the ensuing glut of stock had depressed costs for stolen playing cards. However Joker’s would distinguish itself by catering to high-roller clients — primarily road gangs in america that may buy 1000’s of stolen cost playing cards in a single go.
Confronted with a purchaser’s market, Joker’s Stash set themselves aside by specializing in loyalty applications, frequent purchaser reductions, money-back ensures, and simply plain good customer support. Massive spenders got entry to essentially the most freshly hacked cost playing cards, and have been provided the flexibility to get free substitute playing cards if any turned out to be duds.
Joker’s Stash additionally was distinctive as a result of it claimed to promote solely cost playing cards that its personal hackers had stolen immediately from retailers. On the time, card retailers usually resold cost playing cards that have been stolen and provided by many third-party hackers of unknown reliability or status.
In January 2021, Joker’s Stash introduced it was closing up store, after European authorities seized a variety of servers for the fraud retailer, and its proprietor got here down with the Coronavirus.
Prosecutors allege Joker’s Stash earned revenues of no less than $280 million, however presumably greater than $1 billion (the broad vary is a consequence of a number of variables, together with the fast fluctuation within the value of bitcoin and the stolen items they have been peddling).
TALEON
The proprietors of Joker’s Stash might have offered tens of hundreds of thousands of stolen cost playing cards, however Taleon is by far the larger fish on this legislation enforcement motion as a result of his varied cryptocurrency and money exchanges have allegedly helped to maneuver billions of {dollars} into and out of Russia over the previous 20 years.
An indictment unsealed as we speak names Taleon as Sergey Sergeevich Ivanov, 44, of Saint Petersburg, Russia. The federal government says Ivanov, who possible modified his surname from Omelnitskii in some unspecified time in the future, laundered cash for Joker’s Stash, amongst many different cybercrime shops.
In a press release as we speak, the Treasury Division mentioned Ivanov has laundered a whole lot of hundreds of thousands of {dollars}’ value of digital forex for ransomware actors, preliminary entry brokers, darknet market distributors, and different legal actors for roughly the final 20 years.
First showing on Mazafaka within the early 2000s, Taleon was identified on the boards as somebody who may reliably transfer massive quantities of bodily money. Sources acquainted with the investigation mentioned Taleon’s service emerged as one of many few remaining home money supply providers nonetheless working after Russia invaded Ukraine in Feb. 2022.
Taleon arrange his service to facilitate transfers between Moscow, St. Petersburg and monetary establishments within the West. Taleon’s non-public messages on some hacker boards have been leaked through the years and listed by the cyber intelligence platform Intel 471. These messages point out Taleon labored on lots of the similar ATM cashouts as Vegas, so it’s clear the 2 had a longtime enterprise relationship effectively earlier than Joker’s Stash got here into being.
Someday round 2013, Taleon launched a partnership with a cash switch enterprise referred to as pm2btc[.]me. PM2BTC allowed clients to transform funds from the digital forex Excellent Cash (PM) into bitcoin, after which have the steadiness (minus a processing payment) accessible on a bodily debit card that may very well be used at ATMs, for buying on-line, or at retail shops.
A screenshot of a web site reviewing PM2BTC.
The U.S. authorities itself set issues in movement for Taleon’s nascent cryptocurrency trade enterprise in 2013 after the DOJ levied cash laundering fees in opposition to the proprietors of Liberty Reserve, one of many largest digital currencies in operation on the time. Liberty Reserve was closely utilized by cybercriminals of all stripes. The federal government mentioned the service had greater than one million customers worldwide, and laundered in extra of $6 billion in suspected legal proceeds.
Within the days following the takedown of Liberty Reserve, KrebsOnSecurity ran a narrative that examined discussions throughout a number of high Russian cybercrime boards about the place crooks may really feel protected parking their stolen funds. The reply concerned Bitcoin, but in addition Taleon’s new service.
UAPS
A part of the attraction of Taleon’s trade was that it gave its vetted clients an “utility programming interface” or API that made it easy for dodgy on-line retailers promoting stolen items and cybercrime providers to simply accept cryptocurrency deposits from their clients, and to handle payouts to any suppliers and associates.
This API is synonymous with a service Taleon and buddies function within the background referred to as UAPS, quick for “Common Nameless Fee System.” UAPS has passed by a number of different names together with “Pinpays,” and in October 2014 it landed Joker’s Stash as its first huge shopper.
A legislation enforcement supply with data of the investigation advised KrebsOnSecurity that Taleon is a pilot who owns and flies round in his personal helicopter.
Ivanov seems to have little to no social media presence, however the 40-year-old girl he lives with in St. Petersburg does, and he or she has a photograph on her Vktontake web page that exhibits the 2 of them in 2019 flying over Lake Ladoga, a big physique of water immediately north of St. Petersburg.
Sergey “Taleon” Ivanov (proper) in 2019 in his helicopter with the girl he lives with, flying over a lake north of St. Petersburg, Russia.
BRIANS CLUB
In late 2015, a significant competitor to Joker’s Stash emerged utilizing UAPS for its back-end funds: BriansClub. BriansClub sullies this writer’s title, images and status to hawk hundreds of thousands of credit score and debit playing cards stolen from retailers in america and world wide.
An advert for BriansClub has been utilizing my title and likeness for years to hawk hundreds of thousands of stolen bank cards.
In 2019, somebody hacked BriansClub and relieved the fraud store of greater than 26 million stolen cost playing cards — an estimated one-third of the 87 million cost card accounts that have been on sale throughout all underground retailers at the moment. An nameless supply shared that card knowledge with KrebsOnSecurity, which in the end shared it with a consortium of economic establishments that issued a lot of the playing cards.
After that incident, the administrator of BriansClub modified the location’s login web page in order that it featured a duplicate of my telephone invoice, Social Safety card, and a hyperlink to my full credit score report [to this day, random cybercriminals confuse Yours Truly with the proprietor of BriansClub].
Alex Holden is founding father of the Milwaukee-based cybersecurity agency Maintain Safety. Holden has lengthy maintained visibility into cryptocurrency transactions made by BriansClub.
Holden mentioned these information present BriansClub sells tens of 1000’s of {dollars} value of stolen bank cards day-after-day, and that within the final two years alone the BriansClub administrator has eliminated greater than $242 million value of cryptocurrency income from the UAPS platform.
The BriansClub login web page, because it seemed from late 2019 till just lately.
Passive area title system (DNS) information present that in its early days BriansClub shared a server in Lithuania together with only a handful of different domains, together with safe.pinpays[.]com, the crime discussion board Verified, and a slew of carding retailers working below the banner Rescator.
As KrebsOnSecurity detailed in December 2023, the Rescator retailers have been immediately concerned in among the largest cost card breaches of the previous decade. These embrace the 2013 breach at Goal and the 2014 breach at Residence Depot, intrusions that uncovered greater than 100 million cost card information.
CRYPTEX
In early 2018, Taleon and the proprietors of UAPS launched a cryptocurrency trade referred to as Cryptex[.]internet that has emerged as a significant mover of ill-gotten crypto cash.
Taleon reminds UAPS clients they are going to take pleasure in 0% fee and no “know your buyer” (KYC) necessities “on our trade Cryptex.”
Cryptex has been related to fairly a couple of ransomware transactions, together with the biggest identified ransomware cost so far. In February 2024, a Fortune 50 ransomware sufferer paid a document $75 million ransom to a Russian cybercrime group that calls themselves the Darkish Angels. A legislation enforcement supply with data of the investigation mentioned an evaluation of that cost exhibits roughly half of it was processed by means of Cryptex.
That legislation enforcement supply supplied a display screen shot of Cryptex’s sending and receiving publicity as considered by Chainalysis, an organization the U.S. authorities and plenty of cryptocurrency exchanges depend on to flag transactions related to suspected cash laundering, ransomware payouts, or facilitating funds for darknet web sites.
Chainalysis finds that Cryptex has obtained greater than $1.6 billion since its inception, and that this quantity is roughly equal to its sending publicity (though the overall variety of outflows is almost half of the inflows).
The graphic signifies a substantial amount of cash flowing into Cryptex — roughly 1 / 4 of it — is coming from bitcoin ATMs world wide. Specialists say most of these ATM inflows to Cryptex are bitcoin ATM money deposits from clients of carding web sites like BriansClub and Jokers Stash.
A screenshot of Chainalysis’s abstract of illicit exercise on Cryptex for the reason that trade’s inception in 2018.
The indictments launched as we speak don’t definitively join Taleon to Cryptex. Nevertheless, PM2BTC (which teamed up with Taleon to launch UAPS and Pinpays) and Cryptex have now been sanctioned by the U.S. Division of the Treasury.
Treasury’s Monetary Crimes Enforcement Community (FinCEN) levied sanctions as we speak in opposition to PM2BTC below a strong new “Part 9714” authority included within the Combating Russian Cash Laundering Act, modifications enacted in 2022 to make it simpler to focus on monetary entities concerned in laundering cash for Russia.
Treasury first used this authority final yr in opposition to Bitzlato, a cryptocurrency trade working in Russia that turned a cash laundering conduit for ransomware attackers and darkish market sellers.
THE LAUNDROMAT
An investigation into the company entities behind UAPS and Cryptex reveals a corporation included in 2012 in Scotland referred to as Orbest Investments LP. Data from the UK’s enterprise registry present the homeowners of Orbest Investments are two entities: CS Proxy Options CY, and RM Everton Ltd.
Public enterprise information additional reveal that CS Proxy Options and RM Everton are co-owners of Progate Options, a holding firm that featured prominently in a June 2017 report from Bellingcat and Transparency Worldwide (PDF) on cash laundering networks tied to the Kremlin.
“Legislation enforcement businesses imagine that the overall quantity laundered by means of this course of may very well be as excessive as US$80 billion,” the joint report reads. “Though it’s not clear the place all of this cash got here from, investigators declare it consists of vital quantities of cash that have been diverted from the Russian treasury and state contracts.”
Their story constructed on reporting revealed earlier that yr by the Organized Crime and Corruption Challenge (OCCRP) and Novaya Gazeta, which discovered that no less than US$20.8 billion was secretly moved out of Russia between 2010 and 2014 by means of an unlimited cash laundering machine comprising over 5,000 authorized entities referred to as “The Laundromat.”
Picture: occrp.org
“Utilizing firm information, reporters tracked the names of some purchasers after executives refused to offer them out,” the OCCRP report explains. “They discovered the heavy customers of the scheme have been wealthy and highly effective Russians who had made their fortunes from coping with the Russian state.”
Wealthy Sanders is a blockchain analyst and investigator who advises the legislation enforcement and intelligence group. Sanders simply returned from a three-week sojourn by means of Ukraine, touring with Ukrainian troopers whereas mapping out dodgy Russian crypto exchanges which are laundering cash for narcotics networks working within the area. Sanders mentioned as we speak’s sanctions by the Treasury Division will possible have a right away affect on Cryptex and its clients.
“Every time an entity is sanctioned, the implications on-chain are immense,” Sanders advised KrebsOnSecurity. “No matter whether or not an trade is definitely compliant or simply advantage indicators it, it’s the case throughout the board that exchanges will take note of these sanctions.”
“This motion exhibits these cost processors for illicit platforms will get consideration finally,” Sanders continued. “Even when it took approach too lengthy on this case, Cryptex knew the vast majority of their quantity was problematic, knew why it was problematic, and did it anyway. And this needs to be a get up name for different exchanges that know full effectively that almost all of their quantity is problematic.”