
Feds Dismantle Ukrainian's $530 Million Carding Empire

'In Fraud We Trust' Was International 'Infraud Organization' Slogan

Source: Department of Justice

The U.S. Department of Justice on Wednesday announced one of its biggest-ever cybercrime disruptions after it shuttered the Infraud Organization, an online forum that prosecutors say had more than 10,000 members dedicated to the pursuit of fraud.


A nine-count superseding indictment by a federal grand jury in Las Vegas, unsealed on Wednesday, charges 36 individuals with a range of offenses, including racketeering conspiracy. It ties them to $530 million in confirmed losses due to fraud and says they intended to steal more than $2.2 billion.

Operating under the slogan "In Fraud We Trust," as of March 2017, Infraud sent members and potential customers to members' automated vending sites, which sold everything from point-of-sale malware and banking Trojans to stolen payment card details and counterfeit identification, the Justice Department says.

As a result of an international investigation into Infraud's activities code-named Operation Shadow Web, five suspects have been arrested in the United States. Eight other suspects have been arrested in Australia, France, Italy, Kosovo, Serbia and the United Kingdom; all face extradition to the United States. The other 23 suspects remain at large.

"Today's indictment and arrests mark one of the largest cyber fraud enterprise prosecutions ever undertaken by the Department of Justice," says John P. Cronan, the acting assistant attorney general of the Justice Department's criminal division.

Global Operation

Infraud had 10,901 registered members as of March 2017, officials say.

"As alleged in the indictment, Infraud operated like a business to facilitate cyber fraud on a global scale," Cronan says. "Its members allegedly caused more than $530 million in actual losses to consumers, businesses, and financial institutions alike - and it is alleged that the losses they intended to cause amounted to more than $2.2 billion."

The indictment charges 36 individuals by name, except for seven named only as "John Doe," although identified by aliases such as "Aimless88," "Best4Best," "Carlitos" and "Goldenshop." Some of the defendants have also been charged with possessing 15 or more counterfeit and unauthorized access devices.

Excerpt from the indictment. (Source: Department of Justice)

The indicted U.S. suspects are based in Alabama, New York and California.

Beyond the aforementioned seven countries in which suspects were arrested, other countries in which alleged Infraud operators are based include Bangladesh, Canada, Egypt, Italy, Ivory Coast, Kosovo, Macedonia, Moldova, Pakistan and Russia.

Infraud was launched in 2010 by now 34-year-old Ukrainian national Svyatoslav Bondarenko - aka "Obnon," "Rector" and "Helkern" - who acted as administrator of the site, although he appeared to stop using the site in 2015, according to the indictment. He remains at large.

Sergey Medvedev helped co-found Infraud and also acted as a site administrator as well as provider of digital currency escrow - currency exchanging - services "for the benefit of Infraud Organization members engaging in transactions with other members, to ensure the integrity of those transactions," according to the indictment. "After Bondarenko went missing in 2015, Medvedev took his place as owner and administrator of the Infraud Organization."

Medvedev has been arrested.

Infraud Organizational Chart

Source: Department of Justice

A to Z of Carding

The indictment includes a literal A to Z of card fraud forums, defining such terms as:

Automated vending sites: "Automated websites that do require human intervention to function and that are used by Infraud members to purchase and sell illicit goods."

Bulletproof hosting: Web hosting services that take a lenient approach to the type of information that customers can distribute using the firm's servers. "Such material may include spam, compromised credit card data, high-yield investment product (Ponzi) schemes, online gambling and malware distribution infrastructure." (See Hacker Havens: The Rise of Bulletproof Hosting Environments.)

Carding: The concept of purchasing goods with stolen payment card data or using counterfeit payment cards encoded with stolen credit card data. Such fraud may be enabled with the help of fraudulent identification documents.

Dumps: Batches of compromised debit and credit card account data.

Fulls: Compromised payment card data that typically contains all of a cardholder's information - except for information encoded on the magnetic track on the rear of the card - including the accountholder's name, birthdate, Social Security number, address, telephone, mother's maiden name and security code on the rear of the payment card.

Malware: Malicious software for compromising PCs, mobile devices and point-of-sale terminals. "Although functionality varies, malware is often used to harvest personally identifying information and financial data, to gather intelligence for later use in a fraud scheme, or to electronically and unlawfully monitor victims." (See Cybercrime as a Service: Tools + Knowledge = Profit.)

Ripper: "A vendor of illicit goods of poor quality, or one who did not deliver the goods promised in a transaction." According to the indictment, "Infraud leadership routinely policed the forum for rippers, disciplining them to protect the general membership."

For Sale: POS Malware, Holograms and More

The indictment ties some of the 36 suspects to the above services.

The Infraud organization online site now resolves to this takedown notice. (Source: Department of Justice)

Alabama-based Frederick Thomas, 37, aka "Mosto," "1stunna" and "Bestssn," is charged with joining Infraud in 2011 and serving as the "vendor of a Social Security number and date of birth lookup service."

One alleged member, 25-year-old Besart Hoxha - aka "Pizza" - of Kosovo has been accused of joining Infraud the same year and advertising himself as a vendor of "High Quality Plastics & Holos VISA, MasterCard, Amex, Discover" who "sells plastic card stock and holograms to Infraud Organization members and associates."

Another suspect, 28-year-old Valerian Chiochiu - aka "Onassis," "Flagler," "Socrate" and "Eclessiastes" - of Moldova joined the organization in 2012 and "provides guidance to other members on the development, deployment, and use of random access memory ('RAM') point-of-sale ('POS') malware as a means of harvesting stolen data," according to the indictment.