No 'Invisible God': Fxmsp's Operational Security FailuresYet Another Alleged Hacker Unmasked After Making OPSEC Mistakes
To the long list of alleged hackers who failed to practice good operational security so they could remain anonymous, add another name: Andrey Turchin.
The 37-year-old Kazakhstan national is wanted by the U.S. Department of Justice after an FBI investigation identified him as allegedly being the hacker known as Fxmsp.
"This guy appears to have made a lot of money. He also appears to have been rather stupid in some ways."
A five-count felony indictment returned by a federal grand jury in December 2018, which was recently unsealed, accuses Turchin of running the Fxmsp organization, a "financially motivated cybercriminal group that hacks the computer networks of a broad array of corporate entities, educational institutions and governments throughout the world, including the United States, and thereafter advertises and sells such unauthorized access to its victims' protected systems to interested buyers."
Cybersecurity researchers say Fxmsp sold remote access to hacked networks, promising to help criminals become the "invisible god of networks." They add that based on the group's public pronouncements via cybercrime forums, where it advertised its remote access offerings, the group racked up sales of at least $1.5 million, and likely much more via private sales.
But following in the footsteps of numerous other hacking operations, Turchin allegedly experienced an OPSEC fail; he left tracks.
"This guy appears to have made a lot of money," says cybersecurity expert Alan Woodward, a visiting computer science professor at the University of Surrey who's previously worked with the U.K. government and the EU's law enforcement intelligence agency, Europol. "He also appears to have been rather stupid in some ways."
The Fxmsp organization did attempt to hide its tracks, prosecutors say.
"The conspirators took various steps to obfuscate their identity and location," according to the indictment against Turchin, which also references numerous, unnamed co-conspirators who the government also hopes to indict.
"For instance, cybercriminal group members typically used monikers and communicated with one another and with prospective customers through Jabber, a web-based instant messaging service that allows for person-to-person and group communication across multiple platforms and that supports end-to-end encryption," according to the indictment. "The group members further often used Tor and other tools and methods to obscure the web traffic and in turn their location and identity. The group members also made efforts to conceal the flow of funds through use of cryptocurrency, such as bitcoin, in various financial transactions."
So far, so typical. But maintaining anonymity requires creating a perfect firewall between one's criminal and non-criminal identities, and it's amazing how many times that appears to break down for hackers.
"They can be very clever technically but not very clever from an operational security point of view," Woodward tells me. "I mean, [think of] the number of people who have been caught by showing off their car with a number plate and instantly get tracked down to Moscow or wherever it happens to be ... especially the younger ones ... make a lot of money very quickly and they start to spend it. They're not thinking about their pension."
In Turchin's case, cybersecurity firm Group-IB named the suspect in a report issued last month, saying it had found email addresses, domains and Jabber and social media accounts tied to Turchin that were also connected to Fxmsp (see: Cybercrime Research: For the Greater Good, or Marketing?).
But Turchin's name had already appeared in a May 2019 Bleeping Computer story, which cited an unnamed source as saying that Fxmsp may have "assumed [the] stolen identity" of this real person. Of course, the FBI alleges that Fxmsp and Turchin are one and the same.
So far, however, his case has an outstanding OPSEC footnote: Turchin has yet to appear in a U.S. court room. He's believed to be in his home country of Kazakhstan, with which the U.S. shares no extradition treaty. Provided he never leaves, would he ever be extradited?
Hacker OPSEC Fails Abound
Beyond Fxmsp, examples of hackers experiencing OPSEC fails abound:
- AlphaBay: Alexandre Cazes, who earned an estimated $23 million from administering the notorious, now-shuttered darknet marketplace AlphaBay, starting in 2014 used the email address "Pimp_Alex_91@hotmail.com" on all of AlphaBay's welcome emails to new users. But Cazes, who was born in 1991, had already used the Hotmail address in 2008 to post to a French-language online technology forum under his real name.
- Limitless Logger: Security firm Trend Micro identified Zachary Shames as being Mephobia, the high-school-aged author of the Limitless Logger spyware, after Shames accidentally posted to Hack Forums using his real name while logged into the Mephobia account. After Trend Micro shared those details on the QT with the FBI, Shames was arrested and ultimately pleaded guilty.
- Guccifer 2.0: The self-described Romanian "lone hacker" who claimed credit for breaching the Democratic National Committee and dumping stolen data failed to activate his VPN at least once, revealing an IP address that allegedly resolved to the headquarters of Russia's GRU military intelligence agency.
- Sabu: Hector Xavier Monsegur, formerly the LulzSec leader known as Sabu, allegedly failed at least once to use the Tor anonymizing browser or a VPN to mask his activities online, thus revealing his real IP address, which investigators could use to unmask him via a court order. But researchers also found that a domain sometimes mentioned by Sabu - prvt.org - was registered using Monsegur's name and address. Even before that, Monsegur claimed that his true identity had been provided to the FBI long before then by opponents in an IRC network "war."
- Hushpuppi: The U.S. Justice Department last week accused Ramon Olorunwa Abbas, aka "Ray Hushpuppi," of funding his opulent lifestyle by laundering millions of dollars stolen in business email compromise scams. Abbas often flaunted his wealth - including a massive residence in Dubai, luxury cars and high-end shopping outings - via posts to Instagram, which were subsequently added to the indictment against him.
What many of those cases demonstrate is that alleged criminals only need to experience one OPSEC fail to potentially be unmasked. But in many cases, they experienced more than one.
Tools Can Fail
Tools remain another frequent point of failure. Criminals might trust a tool or service, only to find that their trust was misplaced - as at least one member of LulzSec found when using British VPN service HideMyAss.com, which requires users to agree with terms of service specifying that it will not be used for any illegal activity.
Sometimes, law enforcement officials go beyond subpoenaing a VPN service for its customers' names and activity. Take "cryptophone" services offering a supposedly secure communications network via encrypted smartphones. As some criminal users of Blackbox, Phantom Secure and very recently EncroChat have learned, cryptophones are a natural target for law enforcement. They're eager to capture criminals describing their activities via text messages, photographs and audio recordings, all of which are very admissible in court.
Patience is a Virtue
Even without such active government intervention, staying anonymous remains extremely difficult, so much so that one leading law enforcement tactic is simply to wait for OPSEC fumbles. "Sometimes the law is patient and it waits. They're waiting for the bad guys to sort of drop themselves in it - for ancillary information to show up, demonstrating that the bad guys have proceeds from crime, for example, so law enforcement can trace where that came from. It's the good old 'follow the money'," Woodward says.
As the aforementioned Limitless Logger case - among others - demonstrates, "sometimes researchers will find electronic reasons to point at them as well, and that can actually be useful," he adds.
Hence while staying anonymous might sound easy, criminals who operate online and want to keep their real identity completely hidden evidently have their work cut out for them.