Who’s Behind the SWAT USA Reshipping Service? – Krebs on Security
Based in Russia, SWAT USA recruits people in the United States to reship packages containing pricey electronics that are purchased with stolen credit cards. As detailed in this Nov. 2 story, SWAT currently employs more than 1,200 U.S. residents, all of whom will be cut loose without a promised payday at the end of their first month reshipping stolen goods.
The current co-owner of SWAT, a cybercriminal who uses the nickname “Fearlless,” operates primarily on the cybercrime forum Verified. This Russian-language forum has tens of thousands of members, and it has suffered several hacks that exposed more than a decade’s worth of user data and direct messages.
January 2021 posts on Verified show that Fearlless and his partner Universalo purchased the SWAT reshipping business from a Verified member named SWAT, who’d been operating the service for years. SWAT agreed to transfer the business in exchange for 30 percent of the net profit over the ensuing six months.
Cyber intelligence firm Intel 471 says Fearlless first registered on Verified in February 2013. The email address Fearlless used on Verified leads nowhere, but a review of Fearlless’ direct messages on Verified indicates this user originally registered on Verified a year earlier as a reshipping vendor, under the alias “Apathyp.”
There are two clues supporting the conclusion that Apathyp and Fearlless are the same person. First, the Verified administrators warned Apathyp he had violated the forum’s rules barring the use of multiple accounts by the same person, and that Verified’s automated systems had detected that Apathyp and Fearlless were logging in from the same device. Second, in his earliest private messages on Verified, Fearlless told others to contact him on an instant messenger address that Apathyp had claimed as his.
Intel 471 says Apathyp registered on Verified using the email address [email protected]. A search on that email address at the breach intelligence service Constella Intelligence found that a password commonly associated with it was “niceone.” But the [email protected] account isn’t connected to much else that’s interesting except a now-deleted account at Vkontakte, the Russian answer to Facebook.
However, in Sept. 2020, Apathyp sent a private message on Verified to the owner of a stolen credit card shop, saying his credentials no longer worked. Apathyp told the proprietor that his chosen password on the service was “12Apathy.”
A search on that password at Constella reveals it was used by just four different email addresses, two of which are particularly interesting: [email protected] and [email protected]. Constella discovered that both of these addresses were previously associated with the same password as [email protected] — “niceone,” or some variation thereof.
Constella found that years ago [email protected] was used to create a Vkontakte account under the name Ivan Sherban (former password: “12niceone”) from Magnitogorsk, an industrial city in the southern region of Russia. That same email address is now tied to a Vkontakte account for an Ivan Sherban who lists his home as Saint Petersburg, Russia. Sherban’s profile photo shows a heavily tattooed, muscular and recently married individual with his beautiful new bride getting ready to drive off in a convertible sports car.
A pivotal clue for validating the research into Apathyp/Fearlless came from the identity intelligence firm myNetWatchman, which found that [email protected] at one time used the passwords “геззи1991” (gezze1991) and “gezze18081991.”
Care to place a wager on when Vkontakte says is Mr. Sherban’s birthday? Ten points if you answered August 18 (18081991).
Mr. Sherban did not respond to multiple requests for comment.