$10M Is Yours If You Can Get This Guy to Leave Russia (krebsonsecurity.com)
54 points by todsacerdoti on May 5, 2023 | 30 comments


His free days are numbered. If he does not get caught while traveling outside, some enthusiastic and inventive KGB operatives or local policemen or mobsters will pack him up and travel to some neighboring country to collect the bounty, and then maybe ask for political asylum in Spain or somewhere close to a beach.

This, however, is far more interesting.

> Authorities were able to identify that Kulkov had an iCloud account tied to the address nordexin@icloud.com, and upon subpoenaing that found passport photos of Kulkov, as well as more photos of his family and pricey cars.
Isn’t iCloud data E2EE? Or did they subpoena it before E2EE became available for iCloud?

And catching cybercriminals is nice and all, but why not shift a little bit of blame onto banking and card systems? My bank phased out virtual credit card numbers that were restricted to one seller and limited in transaction amount. And I rarely encountered a US merchant using 3D Secure transactions, while in Europe many did. Maybe it's just my experience though. Somewhat unrelated, but my bank offers only SMS codes for 2FA, I still see cards with magnetic stripes, which should've been obsolete a decade ago, Chase still has some weird password requirements that force you to simplify it instead of testing it for entropy, and Plaid still wants your password to connect your bank account to a service. The fin industry is not security minded, so that a few men in Russia can cause so much damage.


> Isn’t iCloud data E2EE? Or did they get to subpoena it before E2EE became available for iCloud?

Unless you’ve turned on Advanced Data Protection, Photos and Backups are not e2ee. And that’s only been available recently.

The OP article mentions a subpoena was needed.

https://www.macrumors.com/2022/12/07/apple-advanced-data-pro...


> some enthusiastic and inventive kgb operatives

Alas, the KGB (Комитет государственной безопасности → КГБ) is no more. But never fear, the FSB (Федеральная служба безопасности → ФСБ) now may heed your call.


I thought the e2ee keys were held by apple… ?


To my understanding, the keys are still with Apple.


For backups and photos, only if you haven’t turned on the Advanced Data Protection feature. (See comment above)


Mazafaka is a humorous word. It's "motherfucker" pronounced with a Russian accent.


I like how the "but Apple encrypts and never gives your info to anyone!!!!" folks are surprised.

> 79608229389 — is exactly like Anna’s, only minus the (mis?)leading “8”.

Ah, those falsehoods programmers believe about phone numbers

Add:

> One of those was Mark Sokolovsky, a 26-year-old Ukrainian man who operated the popular “Raccoon” malware-as-a-service offering; Sokolovsky was apprehended in March 2022 after fleeing Ukraine’s mandatory military service orders.

Read the article on him. So the guy operated with impunity from Ukraine, and only when he left was he apprehended. *shrug_emoji*


> > 79608229389 — is exactly like Anna’s, only minus the (mis?)leading “8”.

> Ah, those falsehoods programmers believe about phone numbers

This actually has a reasonable technical explanation that will come to mind for most people who have lived in Russia for a prolonged period at some point.

So, when you call internationally, each phone number has a country country that starts with a plus (+) character. E.g., US is +1, Russia is +7.

However, when you call domestically, there is some light magic done by telcos (in each country, I assume) in regards to country codes to make domestic calls a bit easier to input. In the US, the country code can be entirely omitted for domestic calls. E.g., +1-xxx-xxx-xxxx becomes xxx-xxx-xxxx.

In Russia, it cannot be omitted, but instead can be replaced by the character 8 (one character vs. two, and no need to deal with the awkward entry of the plus character). So +7-xxx-xxx-xxxx becomes 8-xxx-xxx-xxxx. No idea why +7 gets replaced by 8 instead of 7, I assume some historical reasons.

With that out of the way, and back to the OP, it seems like one of the sources listed the phone number in the shorthand format used in Russia, while the other one listed it in the full form including the country code (with the plus character eventually getting stripped along the way as a special character).
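The 8-vs-+7 mix-up this comment explains is a normalisation problem anyone correlating identifiers across sources runs into. As an added example (not from the article or from this thread), here is a small Python normaliser that maps Russian trunk-prefix forms, US domestic forms, and international forms whose plus sign was stripped onto one canonical digit string; the DIAL_PLANS table and the sample numbers are constructed for illustration and cover only the two countries discussed above.

```python
"""Map domestic and international phone-number spellings to one canonical form.

Constructed example: DIAL_PLANS holds only the two plans discussed in the
thread and is not a complete dialling-plan database.
"""
import re

# country code -> (trunk prefix used for domestic dialling, national number length)
DIAL_PLANS = {
    "7": ("8", 10),  # Russia: domestic 8-xxx-xxx-xxxx, international +7-xxx-xxx-xxxx
    "1": ("", 10),   # US/NANP: domestic xxx-xxx-xxxx, international +1-xxx-xxx-xxxx
}


def normalize_phone(raw: str, default_cc: str) -> str:
    """Return the number as E.164 digits without '+', or raise ValueError.

    default_cc is the country code assumed when `raw` is in a domestic form.
    """
    had_plus = raw.strip().startswith("+")
    digits = re.sub(r"\D", "", raw)  # keep digits only: spaces, dashes, parens go
    if not digits:
        raise ValueError(f"no digits in {raw!r}")
    trunk, nat_len = DIAL_PLANS[default_cc]

    # Explicit international form, e.g. "+7 912 345-67-89": already canonical.
    if had_plus:
        return digits
    # Domestic form with trunk prefix, e.g. "8 (912) 345-67-89" in Russia.
    if trunk and digits.startswith(trunk) and len(digits) == len(trunk) + nat_len:
        return default_cc + digits[len(trunk):]
    # Bare national number with no trunk prefix, e.g. "(212) 555-0199" in the US.
    if len(digits) == nat_len:
        return default_cc + digits
    # International form whose '+' was stripped along the way (the OP's case).
    if digits.startswith(default_cc) and len(digits) == len(default_cc) + nat_len:
        return digits
    raise ValueError(f"cannot interpret {raw!r} under the +{default_cc} plan")


def same_number(a: str, b: str, default_cc: str) -> bool:
    """True if both strings denote the same subscriber under the given plan."""
    return normalize_phone(a, default_cc) == normalize_phone(b, default_cc)
```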


> No idea why +7 gets replaced by 8 instead of 7, I assume some historical reasons.

https://en.wikipedia.org/wiki/Trunk_prefix

> it seems like one of the sources

What is more important is that the person writing the article doesn't have an idea what it's about. There could be completely bogus numbers and it wouldn't matter, because nobody checks anything. Just like "Anna Denis Vnrhoturkina Kulkov" and "Kommunistrecheskya St".


> What is more important is that the person writing the article doesn't have an idea what it's about.

> Just like "Anna Denis Vnrhoturkina Kulkov" and "Kommunistrecheskya St"

Not trying to absolve Bryan of making those mistakes, but let's be real, he is a security professional, not a specialist on how telephony works all over the world, nor is he a linguistics specialist.

As long as the factually relevant info is correct and the reasoning is sound (even with those mistakes), it is ok. I am totally fine with the author not knowing that in the Russian language, the woman's last name would be "Kulkova" and not "Kulkov". Doubly so, given that a lot of digital systems and pieces indeed would record her last name as "Kulkov". Despite those mistakes, the post still makes perfect sense in its chain of reasoning, and none of it changes the conclusion.

For a specific example: my mother and I (who have that same difference in last names, as I am a man and she is a woman) occasionally receive emails from businesses that mess the last name up (i.e., I would get emails writing my last name with that women-specific "-a" suffix, and she would get emails without it). It doesn't happen often, but it has been happening occasionally over the years.


Typo'd, meant to say "when you call internationally, each phone number has a country code", not "has a country country".


Is there a listing of current US bounties somewhere? Presumably there was an initially smaller offering before it jumped to $10 million? Curious what goes into the mechanics of pricing out someone like this. The Try2Check website evidently launched in 2005 - that's a long time in operation before throwing money at the problem.

The award for information on Osama bin Laden was $27 million.


There's a whole bunch of different lists in classic US government fashion.

The State Department operates rewardsforjustice.net, but this guy isn't on it. He is on a page on their main website: https://www.state.gov/denis-gennadievich-kulkov/

The Secret Service is also offering a reward for him: https://www.secretservice.gov/investigation/mostwanted/kulko... (The Secret Service has a dual mandate to protect the president and investigate financial crime.)


The theme tune to Cowboy Bebop started playing as I was reading your comment...



Now that the complaint is unsealed, this guy is probably never going to leave except at gunpoint. Plus he "only" made 18 million (who knows how much of it has already been spent), which is a lot but probably nothing compared to cardholder losses and other people in the stolen card chain. Why didn't they try to shut down Joker's Stash earlier, before they walked away with 9 figures, and why did they let Russia take down UniCC/Ferum, which means none of the actual victims will get any restitution? Disrupting a marketplace that benefits from network effects and reputation is vastly preferable to some inexpensive service that most people here could probably create in a weekend.


I was also wondering what exactly is the illegal part in a service to check cards, except for who's using it for what.

I'm maybe naïve about this, because I don't know how the check is being performed.


Typically by making a small (fraudulent) purchase at an innocent merchant and seeing if it works.

This is illegal because of the fraud. It harms the merchant in all sorts of ways, and also the cardholders and issuers.


What if they refund it immediately? Maybe that is what they did, to avoid detection. Anyone know more about this?


If the checker is running the cards on their own merchant account and refunding immediately? Or doing auth, but not capture?

That's going to be in the records of accounts that eventually report compromises, and get figured out pretty quick, I'd imagine.


Isn't that what a lot of legit companies do?


I can't be the only one who looked at the top picture and thought it was Mr. Bean about to spit out toothpaste on some hapless soul as he drove by.


> Try2Check, one of the cybercrime underground’s most trusted services for checking the validity of stolen credit card data

I know nothing about carding, but how does it actually work? How is that website able to verify a card's validity, and why can't competitors easily build a similar service?


They had access to merchant accounts to do pre-authorizations. Which is risky, because it's easy to trace back and shut down, so you would need lots of them. I imagine they had found a large-scale way of gaining merchant account credentials, or somehow triggering ONLY a pre-auth, that nobody else had figured out.

Maybe abusing services that have "free trial, requires credit card"? I bet a lot of those do pre-auths.


I always wondered how these CC checking services worked!


> Kulkov posing with his passport, in a photo authorities obtained by subpoenaing his iCloud account.

I thought iCloud was e2e encrypted?


iCloud e2e encryption was only introduced last year, and it's optional. Apple calls the feature "Advanced Data Protection".


Not directed at you personally, but it's crazy how many people believe iCloud is E2E encrypted.


When reading that, I thought it was a photo requested by iCloud support and stored somewhere by them (common practice by other services). Not a photo taken by Kulkov and stored on his own account.



