Russian Cybercrime Operation Leads to 25 Arrests and the Closure of BuyBest Marketplace

Russian law enforcement have apprehended 25 people as part of an investigation to wipe out a network of illegal online platforms that supported the illicit buying and selling of payment cards and stolen personal information.

The Federal Security Service (FSB) arrested more than two dozen people, among them Russian nationals and foreigners, who have allegedly been masterminding a digital identity theft racket via the dark web.

It is reported that the cybercriminals operated a dark web marketplace called BuyBest/GoldenShop, and several other mirror websites that facilitated the illicit trade.

According to a Russian court document, a threat intelligence firm had issued an alert on the cybercriminal ring that implicated the accused hacker Alexey Stroganov (alias Flint24) as being among the arrested individuals.

Apart from running dark web sites, it is alleged that Flint24 and his counterparts operated online shops on the surface web, including wuzzup[.]com and dumpsmania24[.]com.

Highlighting how big a role the 25 people played in sustaining the cybercriminal underworld, investigators discovered that the arrests had become a hot topic across Russian-language cybercriminal platforms.

The defendants arrested by Russian authorities included Ukrainian and Lithuanian nationals spread across 11 Russian regions. In material terms, the arrests led to searches that yielded about $1 million in cash, 3 million rubles, gold bars, devices such as computers and servers, guns, and fake IDs including Russian and government identification documents.

The Dark Web Marketplace

According to the FSB, the arrested persons ran about 90 mirror sites associated with BuyBest – pages that served to keep the platforms operational in the event that the main website was taken down by authorities or hackers. Specifically, a host of sites with names such as “BuyBestCC” and “BuyBestBiz” became conduits for the movement of stolen personal data. Detectives also found that the criminals promoted their services on another platform called CarderBazar.

Reflecting on the FSB’s takedown of the BuyBest platform along with its mirror sites, Gemini Advisory (a New York-based fraud intelligence company) confirmed that BuyBest/GoldenShop had gone offline. At this point, cached pages that promote databases of payment cards, including debit PIN numbers that most cybercriminals struggle to acquire, can still be accessed online.

In terms of market activity, Gemini Advisory wrote that the BuyBest/GoldenShop platform was created in 2013 and had so far been a highly profitable venture for its operators. The firm estimates that in the 7 years since its creation, the entire enterprise garnered $70 million – about $18 million being remitted to the platform’s owners, and about $52 million earned by the market’s suppliers of stolen data.

Over time, BuyBest/GoldenShop became a leader in the trade of phished data, including Social Security Numbers (SSNs), dates of birth (DOBs) and people’s IP addresses. By the time the Russian authorities descended on the platform, BuyBest had managed to sell millions of stolen card records – with some of the stolen records being tied to breaches like the 2018 data security case that hit Caribou Coffee.

About chainsoff.

Intelligence Media Service, Monitors and Analyzes Extremists’ activities, including and not limited to: The Muslim Brotherhood, Kurdish Terrorism, Syrian Politics, Jabhet Al-Nusra, Hezbollah, Cyber Crime, and Taliban activities in Syria. Well known for her deep knowledge on Terrorism. Open Source Exploitation expert in the discovery, collection, and assessment of foreign-based publicly available information, also known as Open Source Intelligence (OSINT), HIMNT