#1
01-14-2025, 08:19 AM
Artifact (Administrator)
Join Date: Jan 2024
Posts: 0

FBI officials last week arrested a Russian computer security researcher on suspicion of operating deer.io, a vast marketplace for buying and selling stolen account credentials for thousands of popular online services and stores.
Kirill V. Firsov was arrested Mar. 7 after arriving at New York’s John F. Kennedy Airport, according to court documents unsealed Monday. Prosecutors with the U.S. District Court for the Southern District of California allege Firsov was the administrator of deer.io, an online platform that hosted more than 24,000 shops for selling stolen and/or hacked usernames and passwords for a variety of top online destinations.

An example seller’s panel at deer.io.
The indictment against Firsov says deer.io was responsible for $17 million worth of stolen credential sales since its inception in 2013.
“The FBI’s review of approximately 250 DEER.IO storefronts reveals thousands of compromised accounts posted for sale via this platform and its customers’ storefronts, including videogame accounts (gamer accounts) and PII files containing user names, passwords, U.S. Social Security Numbers, dates of birth, and victim addresses,” the indictment states.
In addition to facilitating the sale of hacked accounts at video streaming services like Netflix and Hulu and social media platforms like Facebook, Twitter and Vkontakte (the Russian equivalent of Facebook), deer.io also is a favored marketplace for people involved in selling phony social media accounts.
For example, one early adopter of deer.io was a now-defunct shop called “Dedushka” (“grandpa” in transliterated Russian), a service offering aged, fake Vkontakte accounts that was quite popular among crooks involved in various online dating scams.
The indictment doesn’t specify how prosecutors pegged Firsov as the mastermind behind deer.io, but there are certainly plenty of clues that suggest such a connection.
Firsov’s Twitter profile (https://twitter.com/k_firsov?fbclid=...9738oL7j3vK5pc) says he is a security researcher and developer who currently lives in Moscow. Previous tweets from that account indicate Firsov made a name for himself after discovering a number of serious security flaws in Telegram, a popular cross-platform messaging application.
Firsov also tweeted about competing in and winning several “capture the flag” hacking competitions, including the 2016 and 2017 CTF challenges at Positive Hack Days (PHDays; https://en.wikipedia.org/wiki/Positive_Hack_Days), an annual security conference in Moscow.
Isis’ profile on antichat.
Deer.io was originally advertised on the public Russian-language hacking forum Antichat by a venerated user in that community who goes by the alias “Isis.” A Google Translate version of that advertisement is https://krebsonsecurity.com/wp-conte...ntichat-en.pdf (PDF).

In 2016, Isis would post to Antichat a writeup (https://twitter.com/k_firsov/status/722534067670020097) on how he was able to win a PHDays hacking competition (translated thread https://krebsonsecurity.com/wp-conte...-thread-en.pdf). In one section of the writeup Isis claims authorship of a specific file-dumping tool, and links to https://gist.github.com/firsov/734b9...f72eb83b9b607b under the username “Firsov.”
In another thread from June 2019, an Antichat user asks if anyone has heard from Isis recently, and Isis pops up a day later to inquire what he wants. The user asks why Isis’s site — a video and music search site called vpleer[.]ru — wasn’t working at the time. Isis responds that he hasn’t owned the site for 10 years.
According to historic WHOIS records maintained by DomainTools (https://www.domaintools.com/; an advertiser on this site), vpleer was originally registered in 2008 to someone using the email address [email protected].
That same email address was used to register the account “Isis” at several other top Russian-language cybercrime forums, including Damagelab, Zloy, Evilzone and Priv-8. It also was used in 2007 to register xeka[.]ru, a cybercrime forum in its own right that called itself “https://web.archive.org/web/20070808...//www.xeka.ru/.”

A cached copy of the entry page for xeka[.]ru. Image courtesy archive.org.
More importantly, that same [email protected] email address was used to register accounts at Facebook, Foursquare, Skype and Twitter in the name of Kirill Firsov.
Russian hacking forums have taken note of Firsov’s arrest, as they do whenever an alleged cybercriminal in their midst gets apprehended by authorities; typically such a user’s accounts are then removed from the forum as a security precaution. An administrator of one popular crime forum posted today that Firsov is a 28-year-old from Krasnodar, Russia who studied at the http://mpi.fsb.ru/r4/index.html, a division of the Russian Federal Security Service (FSB; https://en.wikipedia.org/wiki/Federal_Security_Service).
Firsov is slated to be arraigned later this week, when he will face two felony counts, specifically aiding and abetting the unauthorized solicitation of access devices, and aiding and abetting trafficking in “false authentication features.” A copy of the indictment is available https://krebsonsecurity.com/wp-conte...indictment.pdf (PDF).
@krebsonsecurity

#2
01-14-2025, 09:01 AM
shakes
Join Date: Nov 2024
Posts: 0

What are alternatives to deer.io?

#3
01-14-2025, 09:13 AM
lyfe100
Join Date: Dec 2023
Posts: 0

WTF he went to USA to do? Why would he be so stupid to set foot in NY, he got a death wish or something?

#4
01-14-2025, 09:32 AM
laraflint4
Join Date: Apr 2024
Posts: 0

don't need to use real email address, noobs carders.

#5
01-14-2025, 09:44 AM
dimon271180
Join Date: Sep 2024
Posts: 0

damn, may god be with you brother

#6
01-14-2025, 09:51 AM
MarskSpecner
Join Date: May 2021
Posts: 13

what Hamossad said.

#7
01-14-2025, 10:02 AM
canders01
Join Date: Jun 2022
Posts: 24

guys we are too small to understand this ...

#8
01-14-2025, 10:11 AM
RickClyde
Join Date: Oct 2023
Posts: 8

lol the whois page. Always interesting to see how big players do secops errors (think about silkroad)

#9
01-14-2025, 10:17 AM
lika1978
Join Date: Mar 2024
Posts: 0

First golden now this or first this then golden

#10
01-14-2025, 10:21 AM
deadfiger
Join Date: Feb 2023
Posts: 0

Is this true or what

All times are GMT.