
From Cybercrime Saul Goodman to the Russian GRU – Krebs on Security

by admin
February 10, 2024

In 2021, the exclusive Russian cybercrime forum Mazafaka was hacked. The leaked user database shows one of the forum’s founders was an attorney who advised Russia’s top hackers on the legal risks of their work, and what to do if they got caught. A review of this user’s hacker identities shows that during his time on the forums he served as an officer in the special forces of the GRU, the foreign military intelligence agency of the Russian Federation.

Launched in 2001 under the tagline “Community terrorism,” Mazafaka would evolve into one of the most guarded Russian-language cybercrime communities. The forum’s member roster included a Who’s Who of top Russian cybercriminals, and it featured sub-forums for a wide range of cybercrime specialities, including malware, spam, coding and identity theft.

One illustration of the leaked Mazafaka database.

In almost any database leak, the first accounts listed are usually the administrators and early core members. But the Mazafaka user information posted online was not a database file per se, and it was clearly edited, redacted and restructured by whoever released it. As a result, it can be difficult to tell which members are the earliest users.

The original Mazafaka is known to have been launched by a hacker using the nickname “Stalker.” However, the lowest numbered (non-admin) user ID in the Mazafaka database belongs to another individual who used the handle “Djamix,” and the email address djamix@mazafaka[.]ru.

From the forum’s inception until around 2008, Djamix was one of its most active and eloquent contributors. Djamix told forum members he was a lawyer, and nearly all of his posts included legal analyses of various public cases involving hackers arrested and charged with cybercrimes in Russia and abroad.

“Hiding with purely technical parameters is not going to assist in a severe matter,” Djamix advised Maza members in September 2007. “As a way to ESCAPE the legislation, you could KNOW the legislation. That is the crucial factor. Technical capabilities cannot overcome intelligence and craftiness.”

Stalker himself credited Djamix with keeping Mazafaka online for so many years. In a retrospective post published to Livejournal in 2014 titled, “Mazafaka, from conception to the present day,” Stalker said Djamix had become a core member of the community.

“This man is all over the place,” Stalker said of Djamix. “There’s not a factor on [Mazafaka] that he doesn’t participate in. For me, he’s a stimulus-irritant and due to him, Maza is still alive. Our rallying pressure!”

Djamix told other forum denizens he was a licensed attorney who could be hired for remote or in-person consultations, and his posts on Mazafaka and other Russian forums show several hackers facing legal jeopardy likely took him up on this offer.

“I have the right to represent your interests in court,” Djamix said on the Russian-language cybercrime forum Verified in Jan. 2011. “Remotely (in the form of constant support and consultations), or in person – that is mentioned individually. In addition to the price of my services.”

WHO IS DJAMIX?

A search on djamix@mazafaka[.]ru at DomainTools.com reveals this address has been used to register at least 10 domains since 2008. These include several websites about life in and around Sochi, Russia, the site of the 2014 Winter Olympics, as well as a nearby coastal town called Adler. All of those sites say they were registered to an Aleksei Safronov from Sochi who also lists Adler as a hometown.

The breach tracking service Constella Intelligence finds that the phone number associated with those domains — +7.9676442212 — is tied to a Facebook account for an Aleksei Valerievich Safronov from Sochi. Mr. Safronov’s Facebook profile, which was last updated in October 2022, says his ICQ instant messenger number is 53765. This is the same ICQ number assigned to Djamix in the Mazafaka user database.

The Facebook account for Aleksey Safronov.

A “Djamix” account on the forum privetsochi[.]ru (“Hello Sochi”) says this user was born Oct. 2, 1970, and that his website is uposter[.]ru. This Russian language news site’s tagline is, “We Create Communication,” and it focuses heavily on news about Sochi, Adler, Russia and the war in Ukraine, with a strong pro-Kremlin bent.

Safronov’s Facebook profile also gives his Skype username as “Djamixadler,” and it includes dozens of photos of him dressed in military fatigues along with a regiment of soldiers deploying in fairly remote areas of Russia. Some of these photos date back to 2008.

In several of the photos, we can see a patch on the arm of Safronov’s jacket that bears the emblem of the Spetsnaz GRU, a special forces unit of the Russian military. According to a 2020 report from the Congressional Research Service, the GRU operates both as an intelligence agency — gathering human, cyber, and signals intelligence — and as a military organization responsible for battlefield reconnaissance and the operation of Russia’s Spetsnaz military commando units.

Mr. Safronov posted this picture of himself on Facebook in 2016. The insignia of the GRU can be seen on his sleeve.

“In recent times, studies have linked the GRU to a few of Russia’s most aggressive and public intelligence operations,” the CRS report explains. “Reportedly, the GRU played a key role in Russia’s occupation of Ukraine’s Crimea area and invasion of eastern Ukraine, the attempted assassination of former Russian intelligence officer Sergei Skripal in the UK, interference in the 2016 U.S. presidential elections, disinformation and propaganda operations, and a few of the world’s most damaging cyberattacks.”

According to the Russia-focused investigative news outlet Meduza, in 2014 the Russian Defense Ministry created its “information-operation troops” for action in “cyber-confrontations with potential adversaries.”

“Later, sources in the Defense Ministry explained that these new troops were meant to ‘disrupt the potential adversary’s data networks,’” Meduza reported in 2018. “Recruiters reportedly went looking for ‘hackers who’ve had issues with the legislation.’”

Mr. Safronov did not respond to a number of requests for comment. A 2018 treatise written by Aleksei Valerievich Safronov titled “One Hundred Years of GRU Army Intelligence” explains the significance of the bat in the seal of the GRU.

“One way or another, the bat is an emblem that unites all active and retired intelligence officers; it’s a symbol of unity and exclusivity,” Safronov wrote. “And, in general, it doesn’t matter who we’re speaking about – a secret GRU agent somewhere in the military or a sniper in any of the special forces brigades. All of them did and are doing one crucial and accountable factor.”

It’s unclear what role Mr. Safronov plays or played in the GRU, but it seems likely the military intelligence agency would have exploited his considerable technical skills, knowledge and connections on the Russian cybercrime forums.

Searching on Safronov’s domain uposter[.]ru in Constella Intelligence reveals that this domain was used in 2022 to register an account at a popular Spanish-language discussion forum dedicated to helping candidates prepare for a career in the Guardia Civil, one of Spain’s two national police forces. Pivoting on that Russian IP in Constella shows three other accounts were created on the same Spanish user forum around the same date.

Mark Rasch is a former cybercrime prosecutor for the U.S. Department of Justice who now serves as chief legal officer for the New York cybersecurity firm Unit 221B. Rasch said there has always been a close relationship between the GRU and the Russian hacker community, noting that in the early 2000s the GRU was soliciting hackers with the skills necessary to hack US banks in order to procure funds to help finance Russia’s war in Chechnya.

“The man is closely hooked into the Russian cyber community, and that’s helpful for intelligence services,” Rasch said. “He may have been infiltrating the community to watch it for the GRU. Or he may simply be a man sporting a military uniform.”
