WASHINGTON — The United States arrested a Russian citizen on charges of running a vast online marketplace for stolen account credentials, the latest in a series of suspected Russian cybercriminals nabbed during overseas travel.
Federal Bureau of Investigation (FBI) officers detained Kirill Firsov on March 7 as he arrived at JFK Airport in New York City, court records show. The charges were unsealed by a California court on March 9 and he is expected to be arraigned later this week.
The United States accuses Firsov of running deer.io, a Russia-based online platform that allows cybercriminals to buy and sell hacked usernames and passwords, including those belonging to U.S. citizens. He faces two felony counts of aiding and abetting the unauthorized solicitation and trafficking of personal data.
The criminal complaint states that the platform became active in 2013 and has over 24,000 active virtual shops with total sales exceeding $17 million.
It offers an individual a ready-made virtual store with all the necessary infrastructure, including design, web hosting, and payment services, and is thus similar to Shopify, the popular global ecommerce platform for online stores.
Customers can browse the storefronts on the platform — the virtual equivalent of walking through a mall — or search for relevant stores by topic. Purchases are made with cryptocurrency or Russian versions of PayPal.
The FBI studied about 250 virtual stores on the platform, finding thousands of hacked accounts and personal information, including U.S. Social Security numbers, the complaint states.
“Thus far, law enforcement has found no legitimate business advertising its services and/or products through a deer.io storefront,” the U.S. complaint states.
The FBI said it purchased about 1,100 gamer accounts, including logins and passwords, on March 4 for less than $20 worth of bitcoin.
The FBI also purchased the personal information of 2,650 people for $522 in bitcoin, including U.S. citizens living in California.
Travel Blogger & FSB
Firsov describes himself on his Twitter account as a security researcher and web developer. He is also a popular travel blogger with nearly 200,000 followers on Instagram who has been profiled in Russian media.
According to a biography in Russian weekly Argumenty i Fakty that features a selfie of Firsov standing across from Manhattan, he was born in the southern region of Krasnodar in 1991 and moved to Moscow when he was 9 years old.
He completed his degree at the Federal Security Service’s Moscow Border Institute before joining Habrahabr, a Russian collaborative blog about Internet technology.
Firsov left Habrahabr to launch his own IT projects and, according to the article, later discovered flaws in Telegram’s messenger app, helping raise his profile as a security expert.
The article said he also regularly takes part in hacking competitions.
However, Firsov may have left an easy trail for the U.S. to determine that he was the individual behind deer.io, Brian Krebs, an independent investigative journalist focusing on cyber security, posted on his website Krebs On Security.
In just one example, Krebs said that deer.io was promoted on a Russian hacker forum called Antichat by an individual using the alias Isis.
The user Isis described himself as the winner of a hacking competition while one of his posts linked to a file under the username Firsov.
“In my experience, very few criminals have good [operations security]. The ones who do invariably are true sociopaths,” Krebs said in response to a reader’s comment about Firsov leaving his footprints.