‘Spam Nation’ villain Vrublevsky charged with fraud – Krebs on Security


Pavel Vrublevskyfounder of the Russian payment technology company ChronoPay and the antagonist of my 2014 book “Spam Nation”, was arrested in Moscow this month and charged with fraud. Russian authorities allege that Vrublevsky operated several fraudulent SMS payment systems and facilitated money laundering for Hydra, the largest Russian darknet market. But according to information obtained by KrebsOnSecurity, it is just as likely that Vrublevsky was arrested thanks to his propensity to carefully document the links between Russian state security services and the cybercriminal underground.

An undated photo of Vrublevsky in his ChronoPay office in Moscow.

ChronoPay specializes in providing access to global credit card networks for “high risk” merchants – businesses involved in the sale of online services that tend to generate an unusually high number of chargebacks and chargebacks. fraud, and therefore present a higher risk of failure.

When I started writing about Vrublevsky in 2009 as a reporter for The Washington Post, ChronoPay and its sister company Red & Partners (RNP) were making millions by setting up a payment infrastructure for fake antivirus and spammers who pimp male enhancement drugs.

Using the hacker’s alias “Red eyes‘, the CEO of ChronoPay oversaw a burgeoning pharmacy spam affiliate program called Rx-Promotion, which paid some of Russia’s most talented spammers and virus writers to bombard the world with spamming spam. promotion of Rx-Promotion pills stores. RedEye was also the administrator of Crutopa Russian-language forum and affiliate program that catered to thousands of adult webmasters.

In 2013, Vrublevsky was sentenced to 2.5 years in a Russian penal colony for convincing one of his main affiliates to launch a distributed denial-of-service (DDoS) attack against a competitor who shut down the ticketing system of the state corporation. Aeroflot Airline company.

After his release from prison, Vrublevsky started working on a new Hong Kong-based digital payment platform called HPPay Ltd (aka Hong Kong Processing Corporation). HPay seems to have had a large number of customers who ran schemes that tricked people into fake lotteries and prize contests.

According to Russian prosecutors, the scam went like this: consumers received an SMS containing links to sites that falsely claimed that a number of well-known companies were sponsoring sweepstakes and lotteries for people who registered or agreed to respond to surveys. Everyone who responded was notified that they were a winner, but also that they had to pay a commission to collect the prize. This scheme allegedly stole 500 million rubles (~US$4.5 million) from over 100,000 consumers.

There are few public records showing a connection between ChronoPay and HPay, other than the fact that the latter’s website – hpay[.]io – was originally hosted on the same server ( with a handful of other domains, including Vrublevsky’s personal website RNP[.]com.

But earlier this month, KrebsOnSecurity received a large amount of information that was stolen from ChronoPay recently when hackers managed to compromise the operation of the company. Confluence server. Confluence is a web-based enterprise wiki platform, and ChronoPay has used its Confluence facility to document in exquisite detail how it creatively distributes the risk associated with high-risk processing by routing transactions through a myriad of shell companies and third-party processors.

A Google-translated excerpt of the hacked installation of ChronoPay Confluence. Click to enlarge.

Incredibly, Vrublevsky himself appears to have used ChronoPay’s Confluence wiki to document his more than 20 years of personal and professional history in the high-risk payments space, including the company’s most recent forays with HPay. . The last document in the hacked archive is dated April 2021.

These diary entries, interspersed with very technical tutorials, are all written in Russian and in the third person. But these are unmistakably Vrublevsky’s words: Some of the elaborate stories in the wiki were identical to the theories that Vrublevsky himself espoused me over hundreds of hours of phone interviews. Also, in some entries, the narrator switches from “he” to “I” when describing Vrublevsky’s actions.

Vrublevsky’s memoir/wiki invokes nicknames and real names of Russian hackers who worked with protecting corrupt officials in Russia Federal Security Service (FSB), the successor agency to the Soviet KGB. In several diary entries, Vrublevsky writes about various Russian cybercriminals and law enforcement officials involved in processing credit card payments related to online gambling sites.

Russian banks are prohibited from processing payments for online gambling, and therefore many online gambling sites aimed at Russian speakers have opted to process credit card payments through Ukrainian financial institutions.

It depends Vladislav “BadB” Horohorin, the convicted cybercriminal who shared ChronoPay Confluence data with KrebsOnSecurity. In February 2017, Horohorin was released after serving four years in a US prison for his role in the 2009 theft of more than $9 million from RBS Worldpay.

Horohorin said Vrublevsky used his knowledge of card processing networks to extort people in the online gambling industry who might be breaking Russian laws.

“Russia has strict regulations against processing for the gambling industry,” Horohorin said. “While Russian banks can’t, Ukrainians can, so we have Ukrainian banks that deal with gambling and casinos, which most Russian players use. What Pavel does is that “He blackmails these Ukrainian banks using his connections and knowledge. Some pay, some don’t. But some people are not very tolerant of this kind of abuse.

Originally from Donetsk, Ukraine, Horohorin told KrebsOnSecurity that he hacked and shared the ChronoPay Confluence installation because Vrublevsky threatened a family member. Horohorin believes that Vrublevsky secretly exploited the “bad bankon Telegram, which draws attention to online gambling operations that violate Visa and MasterCard regulations (violations that can result in hundreds of thousands of dollars in fines for the offender).

“Pavel has been diligently writing his diary for a long time, and there is a lot of information about people he knows,” Horohorin told KrebsOnSecurity. “I understand that he wrote this in order to blackmail people later. There are a lot of interesting things, a lot of names and a lot of very intimate information about the Russian card processing market, as well as the Pavel’s own escapades.

ChronoPay’s hacked Confluence server contains numerous log entries about major players in the Russian gambling and online bookmaking industries.

Among the escapades recounted in the ChronoPay founder’s diaries are multiple stories involving the self-proclaimed “King of Fraud!” Alexander “Nastra” Zhukova Russian national who ran an ad fraud ring dubbed “Methbot” that stole $7 million from publishers via bots designed to look like humans watching online videos.

The newspaper explains that Zhukov lived with a ChronoPay employee and had a lot of interaction with ChronoPay’s high-risk department, so much so that Zhukov at one point gave Vrublevsky a $100,000 jewel watch as a gift. Zukhov was arrested in Bulgaria in 2018 and extradited to the United States. Following a jury trial in New York that ended last year, Zhukov was sentenced to 10 years in prison.

According to the Russian media KommersantVrublevsky and the exploited society “Infernal pay”, a payment portal that has worked with Hydra, the largest Russian darknet market for illicit goods, including drug trafficking, malware and counterfeit currency and documents.

Inferno Pay, a cryptocurrency and payment API allegedly operated by the CEO of ChronoPay.

“The services of Inferno Pay, whose commission amounted to 30% of the transaction, were actively used by online casinos,” Kommersant wrote on March 12.

The drama surrounding Vrublevsky’s latest arrest recalls the events that led to his imprisonment nearly a decade ago, when several years of internal ChronoPay emails were leaked online.

Kommersant said Russian authorities also searched the home of Dmitry Artimovicha former director of ChronoPay who, with his brother igor was responsible for running the Festi botnet, the same spam botnet that has been used for years to pump out spam promoting websites affiliated with Vrublevsky’s Pharmacy. Festi was also the botnet used in the DDoS attack that sent Vrubelvsky to jail for two years in 2013.

Artimovich says he fell out with Vrublevsky about five years ago and has been pursuing the company ever since. In a message to KrebsOnSecurity, Artimovich said while Vrublevsky was involved in a lot of shady activity, he doubts Vrublevsky’s arrest is really about SMS payment scams, as the government claims.

“I don’t think that was a reason for his arrest,” Artimovich said. “OYour law enforcement usually doesn’t care about sites like this. And I don’t think Vrublevsky made a lot of money there. I believe he irritated a high-ranking person. Because the scale of the case is much larger than Aeroflot. The police did looking for 22 people. Illegal seizure of money, computers.

The Hydra darknet market. Picture: bitcoin.com


Comments are closed.