In 2020, america introduced expenses towards 4 males accused of constructing a bulletproof internet hosting empire that after dominated the Russian cybercrime trade and supported a number of organized cybercrime teams. All 4 pleaded responsible to conspiracy and racketeering expenses. However there’s a fascinating and untold backstory behind the 2 Russian males concerned, who co-ran the world’s prime spam discussion board and labored carefully with Russia’s most harmful cybercriminals.
From January 2005 to April 2013, there have been two major directors of the cybercrime discussion board Spamdot (a.ok.a Spamit), an invite-only group for Russian-speaking individuals within the companies of sending spam and constructing botnets of contaminated computer systems to relay mentioned spam. The Spamdot admins glided by the nicknames Icamis (a.ok.a. Ika), and Salomon (a.ok.a. Sal).
Spamdot discussion board administrator “Ika” a.ok.a. “Icamis” responds to a message from “Tarelka,” the botmaster behind the Rustock botnet. Dmsell mentioned: “I’m truly very glad that I switched to authorized spam mailing,” prompting Tarelka and Ika to scoff.
As detailed in my 2014 guide, Spam Nation, Spamdot was house to crooks controlling a number of the world’s nastiest botnets, international malware contagions that glided by unique names like Rustock, Cutwail, Mega-D, Festi, Waledac, and Grum.
Icamis and Sal have been in day by day communications with these botmasters, by way of the Spamdot discussion board and personal messages. Collectively in management over tens of millions of spam-spewing zombies, these botmasters additionally repeatedly harvested passwords and different knowledge from contaminated machines.
As we’ll see in a second, Salomon is now behind bars, partly as a result of he helped to rob dozens of small businesses in the United States utilizing a few of those self same harvested passwords. He’s at the moment housed in a federal jail in Michigan, serving the ultimate stretch of a 60-month sentence.
However the id and whereabouts of Icamis have remained a thriller to this creator till lately. For years, safety consultants — and certainly, many prime cybercriminals within the Spamit associates program — have expressed the idea that Sal and Icamis have been probably the identical individual utilizing two totally different identities. And there have been many good causes to assist this conclusion.
For instance, in 2010 Spamdot and its spam associates program Spamit have been hacked, and its consumer database reveals Sal and Icamis typically accessed the discussion board from the identical Web deal with — often from Cherepovets, an industrial city located roughly 230 miles north of Moscow. Additionally, it was widespread for Icamis to answer when Spamdot members communicated a request or grievance to Sal, and vice versa.
Picture: maps.google.com
Nonetheless, different clues prompt Icamis and Sal have been two separate people. For starters, they incessantly modified the standing on their instantaneous messenger purchasers at totally different occasions. Additionally, they every privately mentioned with others having attended totally different universities.
KrebsOnSecurity started researching Icamis’s real-life id in 2012, however didn’t revisit any of that analysis till lately. In December 2023, KrebsOnSecurity published new details about the identity of “Rescator,” a Russian cybercriminal who’s regarded as carefully related to the 2013 knowledge breach at Goal.
That story talked about Rescator’s real-life id was uncovered by Icamis in April 2013, as a part of a prolonged farewell letter Ika wrote to Spamdot members whereby Ika mentioned he was closing the discussion board and quitting the cybercrime enterprise fully.
To nobody’s shock, Icamis didn’t stop the enterprise: He merely turned extra quiet and circumspect about his work, which more and more was centered on serving to crime teams siphon funds from U.S. financial institution accounts. However the Rescator story was a reminder that 10 years value of analysis on who Ika/Icamis is in actual life had been fully put aside. This put up is an try and treatment that omission.
The farewell put up from Ika (aka Icamis), the administrator of each the BlackSEO discussion board and Pustota, the successor discussion board to Spamit/Spamdot.
GENTLEMEN SCAMMERS
Icamis and Sal supplied a complete bundle of products and companies that any aspiring or completed spammer would want on a day-to-day foundation: Nearly limitless bulletproof area registration and internet hosting companies, in addition to companies that helped botmasters evade spam block lists generated by anti-spam teams like Spamhaus.org. Right here’s snippet of Icamis’s advert on Spamdot from Aug. 2008, whereby he addresses discussion board members with the salutation, “Hiya Gents Scammers.”
We’re glad to current you our companies!
Many are already conscious (and are our purchasers), however publicity is rarely superfluous. 🙂Domains.
– all main gtlds (com, internet, org, information, biz)
– many fascinating and uninteresting cctlds
– choices for any subject
– processing of any portions
– ensures
– exceptionally low costs for domains for white and grey schemes (together with any search engine optimization and affiliate spam )
– management panel with balances and auto-registration
– all companies below the Ikamis model, confirmed through the years;)Servers.
– long-term partnerships with a number of [data centers] in a number of elements of the world for any subject
– your individual knowledge heart (not in Russia ;)) for grey and white subjects
– any configuration and any {hardware}
– your individual IP networks (PI, not PA) and full authorized assist
– realtime backups to impartial websites
– ensures and full duty for the companies supplied
– non-standard gear on request
– our personal admins to resolve any technical points (companies are free for purchasers)
– internet hosting (shared and vps) can also be potentialNon-standard and associated companies.
– ssl certificates signed by geotrust and thawte
– previous domains (any 12 months, any amount)
– lovely domains (key phrase, quick, and so on.)
– domains with indicators (any, for search engine optimization, and so on.)
– making unstable gtld domains secure
– interception and hijacking of customized domains (costly)
– full area posting by way of net.archive.org with restoration of native content material (preliminary functions)
– any updates to our panels to fit your wants upon request (our personal coders)All orders for the “Domains” sections and “Servers” are carried out in the course of the day (relying on our workload).
For non-standard and associated companies, a preliminary software is required 30 days prematurely (aside from ssl certificates – inside 24 hours).
Icamis and Sal incessantly claimed that their service saved Spamhaus and different anti-spam teams a number of steps behind their operations. However it’s clear that these anti-spam operations had an actual and painful influence on spam revenues, and Salomon was obsessive about putting again at anti-spam teams, notably Spamhaus.
In 2007, Salomon collected greater than $3,000 from botmasters affiliated with competing spam affiliate packages that needed to see Spamhaus undergo, and the cash was used to fund a week-long distributed denial-of-service (DDoS) assault towards Spamhaus and its on-line infrastructure. However reasonably than divert their spam botnets from their regular exercise and thereby lower gross sales, the botmasters voted to create a brand new DDoS botnet by buying installations of DDoS malware on hundreds of already-hacked PCs (at a charge of $25 per 1,000 installs).
SALOMON
As an affiliate of Spamdot, Salomon used the e-mail deal with [email protected], and the password 19871987gr. The breach monitoring service Constella Intelligence discovered the password 19871987gr was utilized by the e-mail deal with [email protected]. A number of accounts are registered to that electronic mail deal with below the title Alexander Valerievich Grichishkin, from Cherepovets.
In 2020, Grichishkin was arrested outdoors of Russia on a warrant for offering bulletproof internet hosting companies to cybercriminal gangs. The U.S. authorities mentioned Grichishkin and three others arrange the infrastructure utilized by cybercriminals between 2009 to 2015 to distribute malware and assault monetary establishments and victims all through america.
These purchasers included crooks utilizing malware like Zeus, SpyEye, Citadel and the Blackhole exploit kit to construct botnets and steal banking credentials.
“The Group and its members helped their purchasers to entry computer systems with out authorization, steal monetary data (together with banking credentials), and provoke unauthorized wire transfers from victims’ monetary accounts,” the federal government’s grievance acknowledged.
Grichishkin pleaded guilty to conspiracy expenses and was sentenced to 4 years in jail. He’s 36 years previous, has a spouse and children in Thailand, and is slated for launch on February 8, 2024.
ICAMIS, THE PHANTOM GRADUATE
The id of Icamis got here into view when KrebsOnSecurity started specializing in clues that may join Icamis to Cherepovets (Ika’s obvious hometown based mostly on the Web addresses he commonly used to entry Spamdot).
Historic area possession information from DomainTools.com reveal that most of the electronic mail addresses and domains related to Icamis invoke the title “Andrew Artz,” together with icamis[.]ws, icamis[.]ru, and icamis[.]biz. Icamis promoted his services in 2003 — similar to bulk-domains[.]information — utilizing the e-mail deal with [email protected]. From one among his adverts in 2005:
Domains For Initiatives Marketed By Spam
I can register bulletproof domains for websites and tasks marketed by spam(after all they have to be authorized). I cannot present DNS for u, solely domains. The worth can be:
65$ for area[if u will buy less than 5 domains]
50$ for area[more than 5 domains]
45$ for area[more than 10 domains]
These costs are for domains within the .internet & .com zones.
If u wish to order domains write me to: [email protected]
In 2009, an “Andrew Artz” registered on the internet hosting service FirstVDS.com utilizing the e-mail deal with [email protected], with a notation saying the corporate title hooked up to the account was “WMPay.” Likewise, the bulletproof area service icamis[.]ws was registered to an Andrew Artz.
The area wmpay.ru is registered to the phonetically related title “Andrew Hertz,” at [email protected]. A search on “icamis.ru” in Google brings up a 2003 post by him on a discussion forum designed by and for college kids of Amtek, a secondary college in Cherepovets (Icamis was commenting from an Web deal with in Cherepovets).
The web site amtek-foreva-narod.ru remains to be on-line, and it hyperlinks to a number of yearbooks for Amtek graduates. It states that the yearbook for the Amtek class of 2004 is hosted at 41.wmpay[.]com.
The yearbook images for the Amtek class of 2004 will not be listed within the Wayback Machine at archive.org, however the names and nicknames of 16 students remain. Nonetheless, it seems that the entry for one scholar — the Wmpay[.]com web site administrator — was eliminated in some unspecified time in the future.
In 2004, the administrator of the Amtek dialogue discussion board — a 2003 graduate who used the deal with “Grand” — noticed that there have been three individuals named Andrey who graduated from Amtek in 2004, however one among them was conspicuously absent from the yearbook at wmpay[.]ru: Andrey Skvortsov.
To carry this full circle, Icamis was Andrey Skvortsov, the other Russian man charged alongside Grichiskin (the 2 others who pleaded responsible to conspiracy expenses have been from Estonia and Lithuania). The entire defendants in that case pleaded responsible to conspiracy to interact in a Racketeer Influenced Corrupt Organization (RICO).
[Author’s note: No doubt government prosecutors had their own reasons for omitting the nicknames of the defendants in their press releases, but that information sure would have saved me a lot of time and effort].
SKVORTSOV AND THE JABBERZEUS CREW
Skvortsov was sentenced to time served, and presumably deported. His present whereabouts are unknown and he was not reachable for remark by way of his recognized contact addresses.
The federal government says Ika and Sal’s bulletproof internet hosting empire supplied intensive assist for a extremely damaging cybercrime group referred to as the JabberZeus Crew, which labored carefully with the creator of the Zeus Trojan — Evgeniy Mikhailovich Bogachev — to develop a then-advanced pressure of the Zeus malware that was designed to defeat one-time codes for authentication. Bogachev is a prime Russian cybercriminal with a standing $3 million bounty on his head from the FBI.
The JabberZeus Crew stole cash by continually recruiting money mules, individuals in america and in Europe who might be enticed or tricked into forwarding cash stolen from cybercrime victims. Apparently, Icamis’s varied electronic mail addresses are related to web sites for an unlimited community of phony expertise corporations that claimed they wanted individuals with financial institution accounts to assist pay their abroad workers.
Icamis used the e-mail deal with [email protected] on Spamdot, and this electronic mail deal with is tied to the registration information for a number of phony expertise corporations that have been set as much as recruit cash mules.
One such web site — sun-technology[.]net — marketed itself as a Hong Kong-based electronics agency that was in search of “sincere, accountable and motivated individuals in UK, USA, AU and NZ to be Gross sales Representatives in your explicit area and obtain funds from our purchasers. Agent fee is 5 % of complete quantity obtained to the non-public checking account. You could use your present checking account or open a brand new one for these functions.”
In January 2010, KrebsOnSecurity broke the information that the JabberZeus crew had just used money mules to steal $500,000 from tiny Duanesburg Central School District in upstate New York. As a part of his sentence, Skvortsov was ordered to pay $497,200 in restitution to the Duanesburg Central Faculty District.
The JabberZeus Crew operated primarily out of the jap Ukraine metropolis of Donetsk, which was all the time pro-Russia and is now occupied by Russian forces. However when Russia invaded Ukraine in February 2022, the alleged chief of the infamous cybercrime gang — Vyacheslav Igoravich Andreev (a.ka. Penchukov) — fled his obligatory navy service orders and was arrested in Geneva, Switzerland. He’s at the moment in federal custody awaiting trial, and is slated to be arraigned in U.S. federal court docket tomorrow (Jan. 9, 2024). A duplicate of the indictment towards Andreev is here (PDF).
Andreev, aka “Tank,” seen right here performing as a DJ in Ukraine in an undated photograph from social media.
