Account Takeover Fraud , Card Not Present Fraud , Cybercrime

US Indicts Russian Behind Popular Carding Marketplace

FBI Puts Russian Carder on the Most Wanted List of Cybercriminals
US Indicts Russian Behind Popular Carding Marketplace
Customers at Dekhtyarchuk's web-based store could shop for stolen data. (Source: FBI)

The U.S. Department of Justice has indicted a 23-year-old Russian national named Igor Dekhtyarchuk for operating a cybercriminal marketplace that sold thousands of stolen login credentials, personally identifiable information and authentication tools, says U.S. Attorney Brit Featherston of the Eastern District of Texas in a statement issued on Tuesday.

See Also: OnDemand | What’s Old is New Again: Protecting Yourself From Check Fraud

Featherston says there is substantial proof that Dekhtyarchuk operated a marketplace that claimed to have sold access to more than 48,000 compromised email accounts and more than 39,000 compromised online accounts and averaged approximately 5,000 visitors daily.

FBI's Most Wanted

In response to the serious offenses stated by Featherston, the Federal Bureau of Investigation put Dekhtyarchuk on the FBI Cyber's Most Wanted List on counts of wire fraud, aiding and abetting, access device fraud - trafficking in unauthorized devices, possession of 15 or more counterfeit or unauthorized access devices, unauthorized solicitation, and aggravated identity theft.

The FBI Houston Cyber Task Force is investigating the crimes and whereabouts of Dekhtyarchuk, with assistance from the FBI's Dallas field office; the FBI Cyber Division; the National Cyber-Forensics & Training Alliance; the FBI legal attache office in Riga, Latvia; and the State Police of Latvia, according to Jim Smith, the special agent in charge at the FBI Houston.

Operating Since 2018

According to the indictment, the marketplace on the underground dark web, also known as a carding shop, was established by Dekhtyarchuk in 2018, although he had joined underground hacker forums in 2013 under the alias "floraby."

"Dekhtyarchuk began advertising the sale of compromised account data in Russian-language hacker forums in April 2018 and opened the [unnamed] Marketplace in May 2018," the indictment says. The carding shop established by Dekhtyarchuk had the feel of a legitimate web-based store where customers could shop for stolen data, such as access devices for compromised online payment platforms, retailers and credit card accounts, including the data associated with those accounts, such as names, home addresses, login credentials and payment card data for the victims, who are the actual owners of those accounts.

Although the DOJ did not mention the marketplace name, based on the timeline mentioned, the information on ads posted on various forums and the alias name published in the indictment, Information Security Media Group found that the carding shop or marketplace advertised by floraby on various forums was Bayacc[.]store.

eBay account details for sale ad by user "floraby" directing to bayacc[.]store (Source: Player Up)

In the ad above, posted in a forum in 2018, a user called "floraby" claims on an unsecure account marketplace to have access to eBay accounts with mail. The user was selling the access for 29 rubles to 35 rubles. The account was soon flagged as "high-risk" by the platform, which said, "This user has been flagged due to one or more reasons."

In another highly unsecure and sensitive forum, a user with the same name was selling access details to eBay, Walmart, American Express and many others.

Carding shop ad posted by user "floraby," directing users to bayacc[.]store (Source: Known underground forum)

The forum post above has a comment section, in which customers who used the carding shop/marketplace wrote of being happy, long-term customers. One user with the name "nxzz" says, "We have been working for 8 months. Excellent seller, simple, respect[able] and aggressive."

The review was posted on Dec. 29, 2018. In it, the user said they had been a customer of Bayacc[.]store since at least May 2018, which corresponds with the timeframe mentioned in the indictment.

The Whois entry for Bayacc[.]store confirms the date of registration to be April 30, 2018, which again matches the date mentioned in the indictment.

The Bayacc[.]store domain is currently not reachable and appears to be offline, but an archived record from Sept. 30, 2020, shows that the attacker set up a sophisticated carding shop that even had a Telegram account - "@bayacc" - and a corresponding Telegram bot service for its customers. The shop also had a separate support account where users who had already made purchases could remediate technical issues.

Archived bayacc[.]store website homepage (Source: web.archive.org)

The last archived record is from December 2021, and there have been no signs of the marketplace being active since then. Its Telegram channels, however, are still operational.

The Final Confirmation

The FBI had been tracking the movements of this marketplace for a long time and finally, in March 2021, an online covert employee, or OCE, posing as a legitimate buyer, made 13 purchases of access devices from Dekhtyarchuk through his marketplace. These FBI operations were carried out from the Eastern District of Texas.

To avoid raising suspicion, the OCE made purchases in different quantities. "Each purchase varied in number of accounts, ranging from three to twenty accounts, resulting in access devices purchased for a total of 131 accounts. The OCE received the purchased access devices via link or Telegram messenger service shortly after completing each purchase," the indictment says. it also confirms the unlawful activities of the marketplace.

A federal warrant under the name of Dekhtyarchuk was issued on Mar. 17, 2022, and if tried and convicted, he could serve up to 20 years in federal prison.

In June 2021, the DOJ shut down a similar carding shop called Slilpp in collaboration with law enforcement agencies in Germany, the Netherlands and Romania. At the time, the department identified and disrupted multiple Slilpp servers that hosted the marketplace's infrastructure and its various domain names (see: DOJ Shut Down Slilpp Marketplace for Stolen Credentials).


About the Author

Mihir Bagwe

Mihir Bagwe

Senior Correspondent, Global News Desk

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.