Russia arrests third hacking group, reportedly seizes carding forums

Russia arrested six people today, allegedly part of a hacking group involved in the theft and selling of stolen credit cards.

Russian media reports that the arrests come at the request of investigators from the Ministry of Internal Affairs of the Russian Federation.

“The Tverskoy Court of Moscow received petitions from the investigation to select a measure of restraint in the form of detention against six people suspected of committing a crime under part 2 of article 187 of the Criminal Code of the Russian Federation (“Illegal circulation of means of payment”),” said press court clerk Ksenia Rozina in a statement to TASS Russian News Agency.

Article 187 of “The Criminal Code of the Russian Federation” relates to “The making of counterfeit credit or debit cards, and also of other payment documents, which are not securities, with the purpose of their utterance or their sale”.

Russian law enforcement has not specified which hacking groups the arrested individuals were allegedly affiliated with.

However, in possibly related news, three carding forums/marketplaces devoted to the theft and selling of stolen credit cards suddenly displayed seizure notices today claiming to be from the Russian government.

BleepingComputer has confirmed that the websites for SkyFraud, Ferum, and Trump’s Dumps now show notices saying the sites were seized by Management “K” of the BSTM of the Ministry of Internal Affairs of Russia.

Sky-Fraud seizure message by Russian law enforcement

The seizure message, translated into English by Google Translate, reads:

THIS RESOURCE IS BLOCKED

The SKYFRAUD resource was closed forever during a special law enforcement operation.

Management “K” of the BSTM of the Ministry of Internal Affairs of Russia warns: theft of funds from bank cards is illegal!

Art. 187 of the Criminal Code of the Russian Federation: Production, acquisition, storage, transportation for the purpose of use or sale, as well as the sale of counterfeit payment cards, money transfer orders, documents or means of payment, as well as electronic means, electronic media, technical devices, computer programs, intended for illegal acceptance, issuance, transfer of funds.

Punishable by imprisonment for up to seven years.

While these seizure notices cite the same Russian Criminal Code offense as today’s arrests of the six individuals, it has not been confirmed if the notices are legitimate or even related.

Security researcher Soufiane Tahiri also discovered that the source code for the sky-fraud.ru seizure notice includes a hidden message for other Russian hackers, saying “КТО ИЗ ВАС СЛЕДУЮЩИЙ?”

Translated into English, this warning says, “WHICH OF YOU IS NEXT?”

Hidden warning message left by Russian law enforcement
Source: BleepingComputer

These arrests mark the third hacking group arrested by Russian authorities since the beginning of 2022.

In January, Russia seized $6 million and arrested fourteen individuals associated with REvil, a notorious ransomware operation responsible for numerous cyberattacks worldwide.

At the end of the month, Russia also arrested the leader of the Infraud Organization, a hacking group that caused more than $560 million in losses to businesses worldwide.

This stream of arrests by Russia is unusual as the country does not have a history of cooperating in the crackdown on cybercrime operating within its borders.

However, after DarkSide’s ransomware attack on Colonial Pipeline and REvil’s attack on Kaseya, the White House and Russian representatives have been working to increase cooperation to stem the rising tide of hacking activities originating from Russia.

H/T Dmitry Smilyanets

Update 2/7/22: Added Trump’s Dumps to the list of stolen credit card forums/marketplaces seized today. While likely related, we updated the story to indicate that the seizure messages have not been confirmed by Russian law enforcement.