Russian authorities seized the websites of several Russian cybercrime forums Monday, the latest in a string of high-profile actions the government there has taken against cybercriminals.
Visitors to the websites for Sky Fraud, a forum for stolen credit card data, were greeted with a message posted by the Russian Ministry of Internal Affairs announcing that the page was blocked. Other “carding” and cybercrime forums were also seized, including Ferum and Trump’s Dumps, as well as U-A-S Shop, which offered illicit remote access to various organizations through the remote desktop protocol (RDP) tool.
“The SKYFRAUD resource was closed forever during a special law enforcement operation,” the message reads in Russian translated to English. “Management ‘K’ of the BSTM of the Ministry of Internal Affairs of Russia warns: theft of funds from bank cards is illegal!”
Within the source code of the seized website, the Russian government left a message: “Which of you is next?”
A request for comment sent to a Russian government press representative was not returned.
The website seizures came the same day the the Russian government announced the arrest of six people accused of “cyberfraud,” according to the state-run news agency Tass. It’s not clear yet that the arrests and seizures of the carding sites are related, but Tass reported the suspects arrests were charged under Article 187 of the Criminal Code of the Russian Federation, which is the same law cited on the seizure message posted on the Sky Fraud front page.
“We have never seen that many takedowns of card shops and forums within such a short period of time,” Dmitry Volkov, the CEO of international cybersecurity firm Group-IB, told CyberScoop in an email Tuesday. “This latest series of seizures is another blow to the global carding market that has fallen on hard times after the collapse of the Joker’s Stash.”
Joker’s Stash, a formerly high-profile carding forum, shut down in early 2021 following increased international law enforcement pressure. Group-IB’s data suggested that the carding market was already shrinking, dropping by 26 — $1.9 billion to $1.4 billion — between 2020 and 2021. The latest takedowns “will most likely reinforce this trend,” Volkov said. “The market is unlikely to bounce back given the role these platforms played.”
Three is a trend
The Russian government’s actions against Sky Fraud is just the latest in a string of cybercrime crackdowns in Russia, two of which included cooperation with U.S. law enforcement.
On Jan. 22, the Russian government announced it had arrested four suspects associated with the formerly powerful Infraud Organization hacking group, which facilitated identity theft and financial fraud to the tune of $568 million with victims in every U.S. state, according to a 2018 statement from the U.S. Department of Justice. Two of the main suspects in that case have pleaded guilty to the U.S. charges and were sentenced to five and 10-year prison sentences.
A leader of the group, Andrey Novak, was running another carding forum, UniCC when he was arrested, according to The Record. Novak’s arrest was announced Jan. 22 but he’d been detained for two months, Tass reported. He’s wanted in the U.S. in connection with his role at Infraud, but Russian law prohibits extradition.
And a week before that, the Russian government arrested 14 members of the notorious REvil ransomware group in a joint operation with U.S. law enforcement, which former Russian President Dmitry Medvedev recently hailed as an example of the two nations working together in constructive ways.
Further signs of cooperation would be the Russian cybercriminals already indicted in other countries being arrested, said John Fokker, the head of cyber investigations and principal engineer at Trellix, and a former cybercrime law enforcement officer with the Dutch national police. “That would be the next step,” he said.
The full scope of the Russian government’s enforcement actions are not fully clear, as the operation may be ongoing, Fokker added. The takedown message associated with the U-A-S takedown seems to imply the suspects were charged with violating computer crimes, rather than financial crimes, suggesting perhaps there were attacks on Russian entities. Additionally, investigations and arrest operations take time to come together, so this could be reflective of ongoing law enforcement collaboration.
“Let’s face it, it’s not the most communicative collaboration that they have, it’s very fragile right now,” Fokker said. “I think it would be very nice to see if this could continue.”
Both the REvil and Infraud arrests might be examples of joint cooperation, but the Sky Fraud case could reflect typical law enforcement activity, said Oleg Shakirov, an international security expert at the PIR Center, a Russian policy think tank.
“My impression is that these examples just shed some light on regular fight against cybercriminals in Russia,” Shakirov told CyberScoop on Tuesday. “Cyber crime has been on the rise here for several years, just like everywhere else.”