FBI Takes Down a Russian-Based Hacker Platform; Arrests Suspected Russian Site Administrator
NEWS RELEASE SUMMARY – March 24, 2020
San Diego – A Russian-based cyber platform known as DEER.IO was shut down by the FBI today, and its suspected administrator – alleged Russian hacker Kirill Victorovich Firsov – was arrested and charged with crimes related to the hacking of U.S. companies for customers’ personal information.
DEER.IO was a Russian-based cyber platform that allowed criminals to purchase access to cyber storefronts on the platform and sell their criminal products or services. DEER.IO had been operating since at least October 2013 and claimed to have over 24,000 active shops with sales exceeding $17 million. The platform was shut down pursuant to a seizure order issued by the Southern District of California Court.
FBI agents arrested Firsov, a Russian cyber hacker, on March 7 in New York City. Firsov not only managed the DEER.IO platform, he also advertised it on other cyber forums, which catered to hackers. Firsov is next scheduled to appear on April 16, 2020, before U.S. Magistrate Judge Allison H. Goddard.
According to a federal complaint, DEER.IO virtual stores offered for sale a variety of hacked and/or compromised U.S. and international financial and corporate data, Personally Identifiable Information (PII), and compromised user accounts from many U.S. companies. Individuals could also buy computer files, financial information, PII, and usernames and passwords taken from computers infected with malicious software (malware) located both in the U.S. and abroad. Law enforcement found no legitimate business advertising its services and/or products through a DEER.IO storefront. Store operators and customers accessed the storefront via the Internet. Specifically, in this case, the FBI made purchases from DEER.IO storefronts hosted on Russian servers.
The DEER.IO platform offered a turnkey online storefront design and hosting platform, from which cybercriminals could advertise and sell their products (such as harvested credentials and hacked servers) and services (such as assistance performing a panoply of cyber hacking activities). The DEER.IO online stores were maintained on Russian-controlled infrastructure. The DEER.IO platform provided shop owners with an easy-to-use interface that allowed for the automated purchase and delivery of criminal goods and services.
Once shop access was purchased via the DEER.IO platform, the site then guided the newly-minted shop owner through an automated set-up to upload the products and services offered through the shop and configure cryptocurrency wallets to collect payments for the purchased products and/or services.
As of 2019, a cybercriminal who wanted to sell contraband or offer criminal services through DEER.IO could purchase a storefront directly from the DEER.IO website for 800 Rubles (approximately $12.50) per month. The monthly fee was payable by Bitcoin or a variety of online payment methods such as WebMoney, a Russian-based money transfer system similar to PayPal.
A cybercriminal who wanted to purchase from storefronts on the DEER.IO platform could use a web browser to navigate to the DEER.IO domain, which resolved to DEER.IO storefronts. DEER.IO contained a search function, so individuals could search for hacked accounts from specific companies or PII from specific countries, or the user could navigate through the platform, scanning stores advertising a wide array of hacked accounts or cybercriminal services for sale. Purchases were also conducted using cryptocurrency, such as Bitcoin, or through the Russian-based money transfer systems.
On or about March 4, 2020, the FBI purchased approximately 1,100 gamer accounts from the DEER.IO store ACCOUNTS-MARKET.DEER.IS for under $20 in Bitcoin. Once payment was complete, the FBI obtained the gamer accounts, including the user name and password for each account. Out of the 1,100 gamer accounts, 249 accounts were h