Who’s Behind the SWAT USA Reshipping Service? – Krebs on Security

Created on November 12, 2023 at 11:16 am

Last week, KrebsOnSecurity broke the news that one of the largest cybercrime services for laundering stolen merchandise was hacked recently, exposing its internal operations, finances and organizational structure. In today’s Part II, we’ll examine clues about the real-life identity of “Fearlless,” the nickname chosen by the proprietor of the SWAT USA Drops service.

Based in Russia, SWAT USA recruits people in the United States to reship packages containing pricey electronics that are purchased with stolen credit cards. As detailed in this Nov. 2 story, SWAT currently employs more than 1,200 U.S. residents, all of whom will be cut loose without a promised payday at the end of their first month reshipping stolen goods.

The current co-owner of SWAT, a cybercriminal who uses the nickname “Fearlless,” operates primarily on the cybercrime forum Verified. This Russian-language forum has tens of thousands of members, and it has suffered several hacks that exposed more than a decade’s worth of user data and direct messages.

January 2021 posts on Verified show that Fearlless and his partner Universalo purchased the SWAT reshipping business from a Verified member named SWAT, who’d been operating the service for years. SWAT agreed to transfer the business in exchange for 30 percent of the net profit over the ensuing six months.

Cyber intelligence firm Intel 471 says Fearlless first registered on Verified in February 2013. The email address Fearlless used on Verified leads nowhere, but a review of Fearlless’ direct messages on Verified indicates this user originally registered on Verified a year earlier as a reshipping vendor, under the alias “Apathyp.”

There are two clues supporting the conclusion that Apathyp and Fearlless are the same person. First, the Verified administrators warned Apathyp he had violated the forum’s rules barring the use of multiple accounts by the same person, and that Verified’s automated systems had detected that Apathyp and Fearlless were logging in from the same device. Second, in his earliest private messages on Verified, Fearlless told others to contact him on an instant messenger address that Apathyp had claimed as his.

Intel 471 says Apathyp registered on Verified using the email address [email protected]. A search on that email address at the breach intelligence service Constella Intelligence found that a password commonly associated with it was “niceone.” But the [email protected] account isn’t connected to much else that’s interesting except a now-deleted account at Vkontakte, the Russian answer to Facebook.

However, in Sept. 2020, Apathyp sent a private message on Verified to the owner of a stolen credit card shop, saying his credentials no longer worked. Apathyp told the proprietor that his chosen password on the service was “12Apathy.”

A search on that password at Constella reveals it was used by just four different email addresses, two of which are particularly interesting: [email protected] and [email protected]. Constella discovered that both of these addresses were previously associated with the same password as [email protected] — “niceone,” or some variation thereof.

Constella found that years ago [email protected] was used to create a Vkontakte account under the name Ivan Sherban (former password: “12niceone”) from Magnitogorsk, an industrial city in the southern region of Russia. That same email address is now tied to a Vkontakte account for an Ivan Sherban who lists his home as Saint Petersburg, Russia. Sherban’s profile photo shows a heavily tattooed, muscular and recently married individual with his beautiful new bride getting ready to drive off in a convertible sports car.

A pivotal clue for validating the research into Apathyp/Fearlless came from the identity intelligence firm myNetWatchman, which found that [email protected] at one time used the passwords “геззи1991” (gezze1991) and “gezze18081991.”

Care to place a wager on when Vkontakte says is Mr. Sherban’s birthday? Ten points if you answered August 18 (18081991).

Mr. Sherban did not respond to multiple requests for comment.
