An Interview With the Target & Home Depot Hacker – Krebs on Security
In December 2023, KrebsOnSecurity revealed the real identity of Rescator, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from Target and Home Depot between 2013 and 2014. Moscow resident Mikhail Shefel, who confirmed using the Rescator identity in a recent interview, also admitted that he reached out because he is broke and seeking publicity for several new money-making schemes.
Mr. Shefel, who recently changed his legal surname to Lenin, was the star of last year's story, Ten Years Later, New Clues in the Target Breach. That investigation detailed how the 38-year-old Shefel adopted the nickname "Rescator" while working as vice president of payments at ChronoPay, a Russian financial company that paid spammers to advertise fake antivirus scams, male enhancement pills and counterfeit pharmaceuticals.
Mr. Shefel did not respond to requests for comment ahead of that December 2023 profile. Nor did he respond to reporting here in January 2024 that he ran an IT company with a 34-year-old Russian man named Aleksandr Ermakov, who was sanctioned by authorities in Australia, the United Kingdom and the United States for stealing data on nearly 10 million customers of the Australian health insurance giant Medibank.
But not long after KrebsOnSecurity reported in April that Shefel/Rescator was also behind the 2012 theft of Social Security and tax information from a majority of South Carolina residents, Mr. Shefel began contacting this author on the pretext of setting the record straight about his alleged criminal hacking activities.
In a series of live video chats and text messages, Mr. Shefel confirmed that he had indeed used the Rescator identity for several years, and that between 2013 and 2015 he did operate a slew of websites selling payment card data stolen from Target, Home Depot and a number of other nationwide retail chains.
Shefel claims the true mastermind behind the Target and other retail breaches was Dmitri Golubov, an infamous Ukrainian hacker and co-founder of Carderplanet, one of the earliest Russian-language cybercrime forums focused on payment card fraud. Golubov could not be reached for comment, and Shefel says he no longer has the laptop containing the evidence that would support his claim.
Shefel asserts that he and his team developed the card-stealing malware that Golubov's hackers installed on Target and Home Depot payment terminals, and that at the time he was technical director of a long-running Russian cybercrime community called Lampeduza.
“My nickname was MikeMike, and I worked with Dmitri Golubov and developed technology for him,” Shefel said. “I am also the godfather of his second son.”
A week after breaking the story of the 2013 Target data breach, KrebsOnSecurity published Who's Selling Cards from Target?, which identified a Ukrainian man who went by the nickname "Helkern" as Rescator's original identity. But Shefel claims Helkern was subordinate to Golubov, and that he himself was responsible for introducing the two men more than a decade ago.
“Helkern was my friend, I [set up a] meeting with Golubov and him in 2013,” Shefel said. “That was in Odessa, Ukraine. I was often in that city, and [it's where] I met my second wife.”
Shefel claims he made several hundred thousand dollars selling cards stolen by Golubov's Ukraine-based hacking crew, but that Golubov pushed him out of the business shortly after Russia annexed Crimea in 2014 and replaced Shefel's malware coding team with Ukrainian programmers.
Golubov was arrested in Ukraine in 2005 as part of a joint investigation with multiple U.S. federal law enforcement agencies, but his political connections in the country ensured that his case went nowhere. Golubov later earned immunity from prosecution by becoming an elected politician and founding the Internet Party of Ukraine, which called for free internet for all, the creation of “hacker schools” across the country and “the computerization of the entire economy.”
After being pushed out of the business, Mr. Shefel said, he stopped selling stolen payment cards and invested his earnings in a now-defunct Russian search engine called tf[.]org. He also apparently ran a business called click2dad[.]net that paid people to click on ads for Russian government employment opportunities.
When those ventures fizzled out, Shefel began selling malware coding services for hire under the nickname “Getsend”; this claim checks out, because Getsend for many years advertised the same Telegram handle that Shefel used in our recent chats and video calls.
Shefel acknowledged that his outreach was motivated by a desire to publicize several new business ventures. None of those will be mentioned here, because Shefel is already using my December 2023 profile of him to advertise what appears to be a pyramid scheme, and to remind others in the Russian hacker community of his skills and accomplishments.
Shefel said he is now flat broke and has little to show for a storied hacking career. The Moscow native said he recently heard from his ex-wife, who had read last year's story about him and was suddenly wondering where he had hidden all of his earnings.
More urgently, Shefel needs money to stay out of prison. In February of this year, he and Ermakov were arrested on charges of operating a short-lived ransomware affiliate program in 2021 called Sugar (a.k.a. Sugar Locker), which targeted individual computers and end users rather than corporations. Shefel is due to face those charges in a Moscow court on Friday, November 15, 2024.
Shefel claims his Sugar ransomware affiliate program was a bust and never generated any profits. Russia is known for not prosecuting criminal hackers within its borders who scrupulously avoid attacking Russian businesses and consumers. Asked why he now faces prosecution over Sugar, Shefel said he is certain the investigation was instigated by Pyotr “Peter” Vrublevsky, the son of the former owner of ChronoPay.
ChronoPay founder and CEO Pavel Vrublevsky was the subject of my 2014 book Spam Nation, which described his role as the head of one of Russia's most notorious criminal spam operations.
Vrublevsky Sr. recently declared bankruptcy and is currently in prison on fraud charges. Russian authorities allege that Vrublevsky operated several fraudulent SMS-based payment schemes. They also accuse Vrublevsky of facilitating money laundering for Hydra, the largest Russian darknet market at the time. Hydra trafficked in illegal drugs and financial services, including cryptocurrency tumbling for money laundering, exchange services between cryptocurrencies and Russian rubles, and the sale of forged documents and hacking services.
However, in 2022 KrebsOnSecurity reported on a more likely reason for Vrublevsky's latest criminal charges: he had been extensively documenting the nicknames, real names and criminal exploits of Russian hackers who operated under the protection of corrupt officials at Russia's Federal Security Service (FSB), and running a Telegram channel that threatened to expose alleged nefarious dealings of Russian law enforcement.
Shefel believes Vrublevsky's son Peter paid corrupt police officers to bring criminal charges against him, in retaliation for Shefel having reported the younger Vrublevsky to the Moscow police for allegedly walking around in public with a loaded firearm. Shefel says Russian authorities told the younger Vrublevsky that he had filed the firearms complaint.
In July 2024, the Russian news outlet Izvestia published a lengthy investigation into Pyotr Vrublevsky, alleging that the younger Vrublevsky had taken up his father's mantle and was responsible for advertising Sprut, a Russian-language narcotics bazaar that sprang up after the Hydra darknet market was shut down by international law enforcement agencies in 2022.
According to Izvestia, Pyotr Vrublevsky currently lives in Switzerland, where he reportedly fled in 2022 after being “arrested in absentia” in Russia on charges of running a violent group that could be hired via Telegram to carry out a range of real-life physical attacks, including firebombings and muggings.
Shefel claims his former partner Golubov was involved in the development and dissemination of early ransomware strains, including CryptoLocker, and that Golubov remains active in the cybercriminal community.
Mr. Shefel, meanwhile, portrays himself as someone barely scraping by on the few odd coding jobs that come his way each month. Incredibly, the day after our initial interview via Telegram, Shefel proposed going into business together.
By way of example, he suggested a company that recovers lost passwords for cryptocurrency accounts, or perhaps a series of online retail stores selling cheap Chinese goods at a steep markup in the United States.
“How are you?” he asked. “Maybe we can open a business?”
2024-11-15 04:45:32