Previous stories on this blog have highlighted the damage wrought by an identity theft service marketed in the underground called ssndob[dot]ru, which sold Social Security numbers, credit reports, drivers licenses and other sensitive information on more than four million Americans. Today’s post looks at a real-life identity behind the man likely responsible for building this service.

Last summer, ssndob[dot]ru (hereafter referred to as “SSNDOB”) was compromised by multiple attackers, its own database plundered. A copy of the SSNDOB database was exhaustively reviewed by KrebsOnSecurity.com. The database shows that the site’s 1,300 customers have spent hundreds of thousands of dollars looking up SSNs, birthdays, drivers license records, and obtaining unauthorized credit and background reports on more than four million Americans.

Private messages and postings on various crime forums show that the service offered at ssndob[dot]ru was originally registered in 2009 at a domain called ssndob-search.info. A historic records lookup purchased from domaintools.com shows that ssndob-search was first registered to an Armand Ayakimyan from Apsheronsk, Russia. This registrant used the email address lxg89@rambler.ru.

In 2013, a copy of the carding forum carder[dot]pro was leaked online. Forum records show that the lxg89@rambler.ru address was used by a member who picked the username “Zack,” and who told other members to contact him on the ICQ instant messenger account 383337. On Vkontakte.ru, a popular Russian social networking site, Mr. Zack is the name of a profile for a 24-year-old Armand Ayakimyan from Sukhumi, a city in western Georgia and the capital of Abkhazia — a disputed region on the Black Sea coast.

Mr. Zack lists his date of birth as August 27 and current town as Sochi, the site of the 2014 Winter Olympics, (although the Mr. Zack account appears to have been dormant for some time). We can see some pictures of Mr. Ayakimyan (DOB: Aug. 27, 1989) at this profile by the same name at promodj.com, a music mixing site. That profile is tied to a group profile created by an Armand Ayakimyan in Sochi.

Mr. Ayakimyan appears to have used a number of different nicknames on various forums, including “Darkill,” “Darkglow” and “Planovoi”. That’s according to the administrators of verified[dot]cm, a top Russian crime forum at which he had apparently created numerous accounts. In an amusing multi-page thread on verified, the administrators respond to multiple member complaints about Plaovoi’s behavior by “doxing” him, essentially listing all of the identifiers that point from various email addresses, ICQ numbers and aliases back to accounts tied to Armand Ayakimyan.

KrebsOnSecurity attempted to reach Ayakimyan via multiple email addresses tied to his various profiles, including Facebook. An individual responding at the main Jabber address used by the operator of SSNDOB — ssndob@swissjabber.ch — declined to comment for this story, saying only “Я против блога. Выберите другой сервис,” or, “I am against the blog. Choose another service.” This reply came immediately after the user of this profile updated his status message notifying customers that his identity theft service was just freshly stocked with a huge new update of personal data on Americans.

The conclusion that Ayakimyan is/was involved with the operation of SSNDOB is supported with evidence gathered from Symantec, which published a blog post last week linking the young man to the identity theft service. According to Big Yellow, Ayakimyan is but one of several men allegedly responsible for creating and stocking the ID theft bazaar, a group Symantec calls the “Cyclosa gang.” From their report:

“To keep their store stocked, the Cyclosa gang had to continue to attack companies for their databases of personal data. Along with the major breaches covered in Krebs’ report, Symantec found that the Cyclosa gang compromised a number of other firms. In May 2012, the Cyclosa gang breached a US-based credit union. A few months later, they compromised a bank based in California, USA, and a Georgian government agency. While the Georgian agency may not have a lot of information pertaining to US and UK citizens, it’s possible that this attack was of personal interest to the Cyclosa gang, considering Armand’s background.” “At the start of 2009, evidence emerged of Armand’s partnership with three other people who used the handles ‘Tojava’, ‘JoTalbot’ and ‘DarkMessiah’ on cybercrime forums. There may be other players involved with this organization but these four individuals appear to be the main actors in this group. The four of them carried out numerous acts of cybercrime, such as conducting malware-based search engine optimization and pay-per-click schemes. They also bought and sold hijacked chat accounts, botnet traffic, and personal and financial information. Armand’s relationship with Tojava was vital for the formation of SSNDOB. Tojava was allegedly responsible for introducing Armand to the world of cybercrime and carding. We believe that Tojava created many of SSNDOB’s technical features, such as its search engine and its social security number query scripts.”

I created the following mind map to keep track of various identities and contact addresses apparently used by Ayakimyan over the years.

DATA BROKER BOTNET

As Symantec alludes, the owners of SSNDOB appear to have supplemented their stock of personal data by hacking into some of the largest data brokers in America. As I wrote in a September 2013 exclusive story — Data Broker Giants Hacked by Identity Theft Service — the operators of SSNDOB also ran a very small botnet that hooked directly into servers owned and operated by some of the biggest personal information brokers on the planet — including LexisNexis, Kroll and Dun & Bradstreet.

There is no direct evidence that the hackers behind SSNDOB managed to tap directly into consumer data stores maintained by these brokers; LexisNexis said it found no signs of consumer data exfiltration, and the other two firms acknowledged the break-ins but left it at that. But given their line of work, it seems unlikely that the hackers wasted such an opportunity; the person(s) in control of that botnet had access to the hacked servers for at least five months before they were discovered.

Meanwhile, it’s unclear whether Ayakimyan is still involved with SSNDOB. As Symantec notes, “Armand appears to have made a few career moves throughout his adult life, including working in a photo studio and becoming a sales manager for a cosmetics firm. He also considered using his technical skills for legitimate work, as he discussed creating an online dating service and a real estate website for properties in Abkhazia. However, neither of these services became a reality. In 2013, Armand appeared to be working at a church in Russia.”

As I mentioned at the top of this post, sometime in 2013, SSNDOB was hacked — its entire store of four million consumer records plundered (these were merely the records that customers of SSNDOB had paid the service to look up). According to information obtained by KrebsOnSecurity, the database and service was compromised by the same group of young American hackers responsible for launching exposed[dot]su, a site erected to leak the personal data of celebrities and public figures, including First Lady Michelle Obama, then-director of the FBI Robert Mueller, and U.S. Attorney General Eric Holder, among many others (see screen shot below).

Tags: Armand Ayakimyan, Cyclosa gang, Dun & Bradstreet, Kroll, LexisNexis, lxg89@rambler.ru, promodj.com, ssndob-search.info, Symantec, verified[dot]cm, Vkontakte.ru, Арманд Авакимян