This post was syndicated from Krebs on Security and was written by Brian Krebs. Original post at Krebs on Security.
Earlier this year, Russian police arrested Dmitry Stupin, a man known in hacker circles as “SaintD.” Stupin was long rumored to be the right-hand man of Igor Gusev, the alleged proprietor of GlavMed and SpamIt, two shadowy sister organizations that until this time last year were the largest sources of spam touting rogue Internet pharmacies.
According to several sources familiar with the matter, Russian police pulled Stupin off a plane before it left Moscow. The police also reportedly took Stupin’s MacBook and copied its contents. Stupin was detained as part of an investigation into Gusev launched nearly a year ago. Gusev fled his native Moscow last year and has not returned.
Sometime in the past few days, more than four years’ worth of chat conversations — apparently between Stupin, Gusev and dozens of other GlavMed employees — were leaked. Those conversations offer a fascinating glimpse into the day-to-day operations of one of the world’s largest cyber criminal organizations.
The chat logs also catalog the long-running turf battle between Gusev and his former business partner, Pavel Vrublevsky. The two men were co-founders of ChronoPay, one of Russia’s largest online payment processors. Vrublevsky is now in jail awaiting trial on charges of hiring a hacker to attack his company’s rivals. He also has been identified as a co-owner of a competing rogue pharmacy program, the now-defunct Rx-Promotion.
I have interviewed both Gusev and Vrublevsky numerous times, and each accuses the other of bribing Russian law enforcement officials and politicians to initiate criminal proceedings against him.
While there is no direct evidence that Vrublevsky paid for the prosecution of Gusev, documents stolen from ChronoPay last year by hackers indicate that the company arranged to pay the salaries of several people at the Russian Association of Electronic Communications (RAEC). Those same documents show that Vrublevsky and RAEC members were closely involved in the investigation into Gusev in the months and weeks leading up to the official charges against him.
The chat records between Stupin and Gusev, a tiny sliver of which is translated here from Russian into English, suggest that the two men paid authorities for protection. Contacted via email, Gusev declined to say whether the chat logs were legitimate or to comment further, explaining that he was still reviewing the documents.
“If at least some of these logs are legit, then it means that I was telling the truth about the paid criminal case against me initiated by Pavel and his constant connection with investigators,” Gusev said. “I know for sure that Pavel had access to evidence which was gathered by the investigators while he shouldn’t have had such access. Before, I just didn’t have any proof for this. Now I have.”
The latest leaked archive contains more than 166 megabytes of chat logs, allegedly between Stupin, Gusev and others. The following chat log is dated Aug. 28, 2010, just days after Vrublevsky leaked the SpamIt and GlavMed affiliate and customer data to U.S. law enforcement agencies. In this conversation, Stupin and Gusev allegedly discuss whether to close SpamIt (SpamIt would be closed a month later). “Red” in the first sentence is a reference to Vrublevsky, well known to use the hacker alias “RedEye.”
Gusev: It looks like I am in deep shit. Red gave our database to Americans.
Stupin: To which Americans?
Gusev: I can’t tell exactly, yet. Probably to the FBI or Secret Service. Have you read on Krebs’ blog about the meeting at the White House regarding illegal pharmacy problems on the Internet?
Stupin: Maybe you should return to Russia?
Gusev: I am planning to do that. I am really worried now.
Stupin: What about Red? For that money. Maybe let’s close down everything?
Gusev: In any case, he will be squished to the end. Everything is done pretty properly. Chronology: he got thrown out from major banks (Masterbank, Bank Standard and almost from UCS). Too many clients left him. Investigations have been made on data regarding processing. Major issue now: close down the channel via Azerbaijan (the only place where he can do his own processing and processing for his clients). We need him to have an acute issue with money, otherwise he is going to slow down the investigation as much as he can.
Gusev: Do you think “closing down” will help? Just realize: they have our ENTIRE database… there are 900,000 records. What are we going to do with those? For conviction and 5-year jail time it is only necessary to prove 1 transaction! What is the worst? They combine the sentences and it is possible to get 5 life sentences.
Stupin: I think yes, we will receive lower priority.
Gusev: And who is considered a high priority? I am trying to figure out how he gave us up, and do the same for him. There will be 2 cases instead of one.
Stupin: In reality, if everything is going to proceed, the publicity is going to happen in a year; if we are not functioning for a year, there is no reason for publicity. And in 3 years everyone will forget about us. If we continue operations, it’s going to be undeniably worse, and if we stop, hopefully it’s going to be better. There is no ultimate decision here, there is probability, and we can either increase or decrease it.
Stupin: I believe, you now understand that the money is not the main thing in life.
Gusev: You do not know how justice in the USA works. They have no “statute of limitations”. They absolutely love big cases about hackers, carders, and spammers. Young prosecutors make careers out of such cases and do everything possible to find proof for such processes. Here is the latest example: arrest of Badb (carder) at the airport in Nice: http://www.nytimes.com/2010/08/24/business/global/24cyber.html He was investigated since the Cardplanet collapse. He got sentenced in 2009 and they received OK to extradite him, and that’s it, after that it was only a matter of time till his arrest.
Gusev: I also think we need to shut the operations down, because it’s an absolute disaster
Stupin: I am not talking about the “statute of limitations”, I am talking about publicity; the more noise, the more motivation they have and the larger the sentence. Just imagine, if we had not functioned for 1/2 year or 1 year, would your life be easier?
Gusev: There was another case, where the FBI broke into a DDoS (denial of service) server to collect evidence and the judge admitted that evidence in court — it’s an absolute precedent in their law proceedings. Our FSB [former KGB] made a case out of it later ) One moment… I will find info about it.
Gusev: My life is much easier already for the past year. I have only one desire – run to Taiga [remote forests in Siberia] and do not have access to the Internet for a year.
Stupin: Do not bother to look for the info (regarding the DOS case). You are correct in your desire [about running to woods]. Buy a lake in Altaj Republic and build a resort there.
Gusev: I tend to think about Irkutsk and Baikal. I have very good friends in local government there.
Stupin: Very well. I can do a project on wakeboarding, which will almost positively be profitable.
Gusev: Great! Did it get started for you?
Stupin: No, but I know how NOT to do it.
Gusev: Regarding closing down — I think we need to shut down SpamIt first. In a month or 1/2 month — GlavMed. I am planning to fly back now and fabricate a case against us to get sentenced in Russia with publicity. We need to accurately give top positions of our [search engine optimization] to Lesha (Aleksey); at least it will bring some money.
Stupin: Let’s not do it, let Lesha go up on his own.
Gusev: Has Andrey told you about it? email@example.com. I have a gravely important question. Theoretically, I can add several hours to the “work day”, plus increase productivity. Is there hope for me in 2-3-4 years to make enough money for Dima’s house in Turkey? I cannot save money. This is a gravely important question. You are right. Dima and I will think about it.
Stupin: He told me that same thing 1/2 a year ago.
Gusev: Maybe offer him an affiliate program? Give him 1/3 and let him transfer our SEO onto himself, but only based on new companies and accounts. I already have one new company; I found an acceptable nominal price. It is painful to just give our SEO to Drugrevenue and Rx-partners. Look, it’s been holding its position for a year. Such a margin of stability.
Stupin: Well, it has dropped 2-3 times for the last 1/2 a year, and it is very unstable. If Shaman closes down tomorrow, we’ll have a lot of money sunk there and a lot of debts to advertisers. And we will have to pay them out of our own money, if we accurately close down, we might avoid the risks.
Gusev: Am I looking at the wrong data? https://mtw8.srvz.net/shop/statistics/stat_orders.jsp. It’s for this August and August of 2009. The difference is 400k of monthly turnover. Taking into consideration the absence of “master” — IMHO it is great. Why does Shaman have to close down tomorrow?
Stupin: Yes, but I am considering the profits we are taking, and stability of revenue.
Gusev: I talked to him: the political decision of “Raif” [?] is to keep the pharmacy as long as possible.
Stupin: And amount of money on the account and our debts to advertisers and suppliers.
Gusev: Yes, the stability got decreased after our departure from Latvia. They worked [like a] Swiss watch.
Stupin: The same “political” decision can be turned 180 degrees tomorrow.
Gusev: Maybe, maybe, what a pity. I also talked to Max and Mark – they will take new pharmacy of Lesha.
Stupin: Looks like money is still your priority.
Gusev: Is it really okay for you to lose such an income? It’s extremely hard for me to take, since I have no idea how to earn even 1/5 of it offline.
Stupin: It is really okay for me. There is enough money; do you need more to pay lawyers against the competition? You will not be happier. It is such a moment now that we can close down the project earning a little more; however, in the future there is a risk that the project will collapse on its own with even more financial losses.
Gusev: You’re right, but it is hard for me to make such a decision. It’s not a matter of money, but of the business, which makes money. Write me your ideas on how we should shut down. I do not know how much time is required to resolve all the issues. The USA has complicated everything needed to resolve the issue with Pasha [Pavel Vrublevsky]. If he somehow finds a lot of money, it might require up to 1 million. However, so far, whatever we already paid is enough.
Stupin: Debts to suppliers: $150,000. To advertisers: $1,100,000. What we have on our account: $800,000. Therefore, the balance is: -$450,000. These are the real numbers of our business; whatever we have invested does not reflect the actual truth. As you remember, we have been withdrawing very little from the account recently. Therefore, we can say that the project is going down on its own. I will write you the strategy on what we need to do.
Gusev: Do not write it as additional points on why we need to close down. I've already accepted that it cannot be avoided. We have enough points already. I am interested in your ideas. For example, I want to make an official statement about us closing down, a little noise to calm down the Americans.
Gusev: To give a spot of "spammer number 1" to Pasha [Pavel Vrublevsky] and Yura [Yuriy Kabayenkov].
Stupin: Here is what we have now: Account balance is $800,000. We have to pay $1,100k to advertisers. We have to pay $150k to suppliers. Here is what we pay at liquidation in any case: Andrey’s compensation: $60k; Sasha’s (Alexander’s) compensation: ~$50k; compensation to the staff: ~$100k. Summary: $660k of money, which we need to pay in any case, but cannot pay now. Shaman marked by 30.08 $450k in payments; therefore, we can balance everything to $0. Pessimistic outlook is if Shaman is going to be shut down. We will end up with a debt of 500-1000k, which we will have to pay. The business perspective is not rainbow-like, especially taking into consideration the risk we take all the time and the expenses linked to it.
Plan of action: In any case, whether we liquidate or not: set commissions to 40% maximum; lower it for those whose commission is 45%. With Latvia’s participation we could afford a lot of transactions with low profitability. However, we cannot afford the same with “Shaman’s” unstable payments and with other small processing parties, which we cannot control, nor whether we are getting money from them or not. However, such a decision will deter “to pav”; the number of transactions will go down, we will not have a lot of losses, since we are on the brink of profitability. Turning off the affiliate (partnerka) is going to be easy.
Within two months: a 20% increase in prices in shops; this will add profitability, but will decrease the number of advertisers. In case revenue rises sharply together with profits, we will have time to change our decision. Within 1.5 months: inventory of personnel and servers to increase profitability, and moral preparation of everyone for the potential end. Two weeks before the liquidation: tell the staff about shutting down the operation, promise them compensation in the amount of their normal salary if they finish the job well. Andrey and Sasha will be notified separately. Notify advertisers about shutting down operations, increase whatever is left on e-Passporte and WebMoney, begin to hold payments to suppliers so as not to overpay, since usually we do overpay.
Gusev: Let’s start with raising prices, minimum 30-40%. We need excessive profitability at this point. Do not lower commissions to GlavMed and SpamIt. Let’s kill conversions. The people will leave on their own. It is not a momentary process. It is going to be easier to pay everyone. Shut down all outside billing operations, although there is nothing left already. In 10-14 days after raising the prices — let all of SpamIt know that we are closing down. That will give us 2 weeks to transfer traffic. GlavMed should be kept 1.5 – 2 months from now to use its revenue to cover payments for SpamIt.
Stupin: OK, I will think of the exact course of actions.
Stupin: http://www.wake.ru/photo/album/show?id=2031469:Album:30595&xg_source=activity&xg_pw=&commentPage=&page=1. We did it on Saturday.
Gusev: Did you build this “wake” park?
Stupin: I have a suggestion: let’s tell Andrey about the liquidation right away, tell him that at the end of the project we’ll pay him 3 times his usual salary. If I ask him to raise the prices too much, he will not understand why we are doing such an inhumane thing. We have a great database. Let’s ask Andrey and the programmer/sysadmin to use it for spam with Eva Pharmacy. Let’s agree with Eva about larger commissions and pay Andrey a salary of $5,000, because we cannot pay more, and some percentage of the revenue generated by spam.
Gusev: Our database is already public. Other affiliates already used it, called and spammed people. There is a proof that at least 3 affiliates have the database.
Stupin: It’s tough. So what if they have it? [the SpamIt/GlavMed database]
Gusev: I need to go now, let’s discuss it later.