Authors: Brian Krebs
Tags: #Political Science, #Security (National & International), #Business & Economics, #Industries, #Computers & Information Technology, #Pharmaceutical & Biotechnology
Meanwhile, consumers all over the world were enjoying a brief reprieve from the barrage of spam email and the malware it carried with it that threatened to infect their computers and steal their identities. The spam email empire teetered on the brink of collapse. When asked whether he was worried that his efforts to embarrass and inconvenience Vrublevsky might further damage an industry that he’d helped to build and that had made him quite wealthy, Gusev told me it was a risk he had to take.
“At least we will both lose lots of time, power, and money, and no one will be a winner here,” Gusev said, speaking by phone from an undisclosed location abroad. “I am still making some reports to continue this conflict with only one reason. Because if I stop now, in one or two years Pavel will find the possibility to hit me again on something else, and I don’t want to [allow] him that.”
I believed Gusev when he told me facts about his life, his business, and his conflict with Pavel. He may not have always told me the whole truth, but I had little reason to doubt his version of events. In contrast, Vrublevsky often lied to me or stretched the truth well beyond believability in our interviews. Even so, he’d promised to be more forthcoming if I met him on his own turf, and I was anxious to hear his side of the story. It was time to renew my passport.
13. Note that Vrublevsky denies being RedEye, and speaks of RedEye always as “Mr. RedEye,” which is a bit of a joke. Gusev’s blog about Pavel is called redeye-blog.com.
14. Vrublevsky denies even being associated with the parent company that owns all these sites, even though incorporation records put it at the same address in the Netherlands that ChronoPay used in its registration documents. What’s more, the Red & Partners website was for many months hosted on Internet address space assigned to ChronoPay by European Internet address authorities.
15. Tsastsin dismissed as “rubbish” claims that EstDomains was courting spammers and malware purveyors. Nevertheless, his company’s business would later be stripped of its ability to issue new domain names by Internet regulators, after a report in the Washington Post exposed that he had been convicted in Estonia of conspiracy to commit credit-card fraud, money laundering, and forgery, among other offenses. EstDomains ceased to exist after that incident, but Tsastsin and six other associates allegedly continued their illegal schemes. In 2011, he was arrested by Estonian authorities in an international law-enforcement operation aimed at dismantling the DNSChanger Trojan. This huge botnet had infected more than four million PCs worldwide with malware that hijacked search results, shut down security software, and earned Tsastsin and his business partners more than $14 million. Tsastsin and his colleagues were charged with wire fraud and money laundering, but in late 2013, they were acquitted by an Estonian court. As of this writing, the men are awaiting extradition from Estonia to stand trial in the United States on cyberfraud charges.
Chapter 9
The frozen Moscow River crunched and groaned as it churned beneath the twin engines propelling our sleek, modern icebreaker cruise ship at a steady clip. On the far shore, the formidable and beautiful edifice of the Kremlin towered over the frosted black water. An open door behind me flooded the bracing night air with the cacophony of pulsing Russian pop music, clinking glasses, and the din of flatware on plates.
February is hardly the warmest month for a trip to Russia, but a press tour invitation in 2011 from Russian security firm Kaspersky Lab proved too timely to pass up. I wanted to surprise Vrublevsky—and I wasn’t sure he’d be a free man much longer—so I jumped at the invitation.
I’d been studying the Russian language and culture—and its seedy underbelly of cybercrime—for more than five years, and visiting the country had long been a dream of mine. But I let few people know that I was going to visit and told no one my real reason for making the trip: to meet Pavel Vrublevsky in Moscow, and tentatively Igor Gusev on a side trip to Europe (which I never followed through with). I had an idea at the time that their feud would make an interesting story, and I was anxious to meet each man face to face.
I had wanted to meet the infamous cybercrooks then because I believed this might be my one chance to interview them in person without prison guards present. I was preparing to run a series of articles documenting the Pharma Wars between Gusev and Vrublevsky, because between the two of them, they were responsible for probably 75 percent of the spam on the planet. I was certain neither man would want to talk to me much after that series started.
“Brian! Come, the performance is starting,” bellowed a broadly grinning and waving Eugene Kaspersky, barely audible over the ship’s powerful turbines and the crackling river ice. Following him through the door leading from the stern of the boat into the main hall, I nearly crashed into a troupe of young men in baby blue jumpsuits turning cartwheels and performing a traditional Russian folk dance on the wooden dance floor between the bar and the dinner tables.
The icebreaker cruise with Kaspersky took place the day before I was to depart from Moscow. After dinner was served, Kaspersky and I each enjoyed glasses of ice cold Russian vodka, and he began telling me about his cryptography work for a former Soviet institute in the 1980s that was sponsored by the Russian Ministry of Defense and the KGB (then the Russian equivalent of the U.S. Federal Bureau of Investigation).
It also emerged that we both got interested in computer security after getting hacked. Eugene became obsessed with viruses after finding malware on his computer in 1991. I started learning all I could about computers and Internet security a decade later, when my home network was overrun by the “li0n worm,” a contagion unleashed by a now-famous Chinese hacker that locked me out of my systems and trashed several servers.
As I watched the dancers careen from one corner of the ship to the other, my thoughts wandered back to the day I’d arrived in Moscow and immediately sought an audience with Vrublevsky. I hadn’t slept a wink since my meeting with the notorious cybercrime figure, and I kept replaying the day’s events in my head.
My flight to Moscow was routed through John F. Kennedy International Airport in New York, where I ran into Paul Roberts, a security journalist and analyst who had recently begun working for Kaspersky. Roberts was joining the press tour as well.
I had never been to Russia, but as we approached Sheremetyevo International Airport, I could see that Moscow was up to that point exactly how I’d pictured it: overcast, cold, snowy, and windy.
Waiting for the plane to touch down, I was suddenly struck by how little I had actually done to prepare for my trip, and for the first time, I was a bit scared. Prior to my departure, a family member who’d been in the foreign service had given me some unsolicited advice on ways to ensure my safety while in Moscow. Much of his wisdom was common sense, such as “arrange all meetings in public spaces,” “travel nowhere alone,” and “avoid getting into cars with unfamiliar people.” Nevertheless, I was stunned at how soon after arriving in Moscow I would be forced to ignore all of that advice.
Roberts and I were supposed to have a car waiting at the airport to take us to our hotel, but high winds had delayed the departure of our flight from New York. When we arrived in Russia, the hired car was nowhere to be found.
As we stepped out of the main terminal and onto the slushy sidewalk, we were immediately pegged as Americans and accosted by perhaps a half-dozen men offering us “cheap” cab rides from the airport. Unfortunately, our hotel was about thirty kilometers from the airport, and the trip would be anything but cheap.
Very soon after we walked out of the terminal, I began to feel queasy, enough so that I thought for sure I was going to lose my breakfast all over the cabbies who were constantly in my face and having trouble taking “no” for an answer. I retreated to a snow-covered metal bench to catch my breath and steady myself. The cabbies seemed to sense that they might regret getting too close and mercifully left me alone for a couple of minutes. Presently, Roberts ambled in my direction after scouting the length of the airport curb for any signs of our prearranged pickup.
“I’m not really crazy about the idea either, but it looks like we may have to hire one of these guys,” he said, squinting through the driving snowfall.
Five minutes later, we were crammed into the back of a black, compact Russian-made automobile, racing through the soggy streets and swerving around the slower traffic crowding onto Leningradskoye Shosse, the main highway from the airport into central Moscow. I took this opportunity to try out my prepaid wireless Internet service. Because I rarely use unsecured public Wi-Fi and was even less interested in doing so in Moscow, I wanted to avoid being at the mercy of coffee shop or hotel wireless services while in Moscow. So I had arranged to purchase Internet access in advance via a company called XCom Global. The company’s service will ship you a USB dongle just prior to your departure, which in theory should allow you to have 3G wireless Internet access more or less anywhere in the city of your choosing.
As I plugged the dongle into my Macbook in the back of the cab, however, I was dismayed to find that it was impossible to keep a signal for more than a few seconds at a time. I thought perhaps this was because we were hurtling down the highway at 120 kilometers per hour, but I later found the service was just as unreliable when seated at a coffee shop near our hotel smack in the middle of downtown Moscow. What few plans I had made in advance of my trip were rapidly falling apart.
Forty-five minutes and the equivalent of $170 later, Roberts and I exited the cab and checked in to the Marriott Grand Hotel on Tverskaya Street, the broad commercial thoroughfare that runs from Red Square through central Moscow. At the front desk, an attractive young woman behind the counter requested my passport. When I produced the passport, she took it, curtly told me I could come by and pick it up later in the day, and then disappeared into a back office.
I didn’t much care for the idea of relinquishing my passport, but I also didn’t have many other options. My unease soon turned to dread. I had been there all of five hours when I was alarmed by a Google news alert that I’d set up to monitor Internet postings that featured my name. The alert linked to a brief message posted to the Russian blogging service LiveJournal that broadcast my precise location. The posting read: “American cybersecurity blogger Brian Krebs is now in Russia, staying at the Moscow Marriott Grand.”
I ran upstairs and bolted the door to my spacious hotel room, immediately beginning to wonder if I had made a huge miscalculation in coming to Russia. Eventually, I convinced myself otherwise, reminding myself that this interview was crucial to wrap up all the work I had been doing to expose these spammers. Within a few hours I finally got up enough nerve to call Vrublevsky. When I tried the third cell phone number I had for him, Vrublevsky answered.
“Duuuuuuuudddde!” he bellowed into the phone. “It’s 7 a.m. where you are. Who died?”
I informed Vrublevsky that I was in fact in his time zone, and that we should meet as soon as possible. After another long “Duuuuuuuuddde!” Vrublevsky promised to send a car if I would wait in the hotel lobby. He told me he’d be sending along with the driver his receptionist, named Vera. He proceeded to describe Vera as this grossly overweight, unattractive older lady but, hey, she spoke English and knew how to deal with Westerners, so she was coming, he said.
Fifteen minutes later, I was seated in the lobby, nervously waiting for Vera and watching incoming guests as they stomped off snow and trudged through the hotel’s revolving door. Sitting there nursing a cup of hot tea, I found it difficult to avoid staring at a gorgeous, slender, dark-haired young woman standing nervously just beside the door, clad in skin-tight jeans and a puffy white coat. After a while of unsuccessfully trying not to look in her direction, I had trouble ignoring the fact that she was also trying not to stare at me.
After about five minutes of this dance, the young woman came over and asked if my name was Brian. I was momentarily alarmed (I knew next to no one in Moscow at this point) until she told me her name was Vera, and I suddenly remembered with a smile why I could trust almost nothing of what comes out of Vrublevsky’s mouth.
The joke continued when, after enduring about twenty minutes of creeping Moscow rush-hour traffic to travel a couple of miles, we arrived at ChronoPay’s offices and I ran into the same girl clad in different clothes. It turns out that Vera has a twin sister who also works at the company.
Vrublevsky was feeling especially punchy that evening, and he was clearly excited by my surprise visit. True to form, almost immediately upon my arrival he launched into an elaborate tale. Apparently, someone had arranged a police raid on the Rx-Promotion Gold Party, a gathering held four nights earlier at Moscow’s Golden Palace. The normally boozy and bawdy event is thrown for all Rx-Promotion affiliates—those several hundred individuals who pimp Rx-Promotion pharmacy sites. The top affiliate was to win an actual one-kilogram bar of gold, while other leading pill-pushers would win iPads and iPhones.
Unfortunately for the Rx-Promotion affiliates, the party was broken up when several busloads of men in ski masks and machine guns stormed the party and began interrogating the revelers. Vrublevsky claims the men were sent on behalf of the drug enforcement authorities, but according to several of those in attendance who posted on various Russian forums about the experience, the police appear to have used the raid as a pretense to match Rx-Promotion affiliates’ online identities to real faces and names. I privately decide that Vrublevsky’s version of the story is unlikely, but I’m unwilling to interrupt his narration in case it offends him and he decides to show me the door—or worse.
Vrublevsky never showed at his own party. As he explains it, the day before the gathering his wife inexplicably pleaded with him to go on an emergency vacation to the Maldives. What’s more, someone had the presence of mind to take down all Rx-Promotion logos from the rented party space hours before the police arrived.