Estonian Ransomware Operator Gets 66-Month Sentence
Defendant Specialized in 'Cashouts' and 'Drops,' Department of Justice Says
An Estonian national has been sentenced to 66 months in U.S. federal prison for his yearslong role in furthering and facilitating computer intrusions, the movement of fraudulently obtained goods and funds, and the monetization of stolen financial account information. Officials say he was ordered to pay more than $36 million in restitution.
Maksim Berezan, 37, of Estonia, was sentenced after pleading guilty in April 2021 to conspiracy to commit wire fraud affecting a financial institution and conspiracy to commit access device fraud and computer intrusions, according to a news release from the U.S. Department of Justice.
"This case is a prime example of how the Department of Justice can leverage its traditional tools - criminal investigations and prosecutions - to combat ransomware," says Kenneth A. Polite Jr., assistant attorney general for the Justice Department's criminal division, adding: "Many of the world's ransomware players began as fraudsters engaged in other types of online crimes, and this case demonstrates that their crimes will catch up to them."
Berezan was apprehended in Latvia and extradited to the United States. He is also accused of being an active member of an exclusive online forum called DirectConnection, used by Russian-speaking cybercriminals to safely gather and exchange their criminal knowledge, tools and services.
"From 2009 through 2015, Berezan not only furthered the criminal aims of the forum, but he also worked closely with forum members and other cybercriminals for purposes of obtaining and exploiting stolen financial account information," the DOJ says.
He specialized in "cashouts" and "drops," the DOJ says. Prosecutors describe cashouts as using dump data and PINs to make fraudulent purchases or to withdraw money from bank accounts without authorization.
"Cashouts are achieved by encoding dump data onto the magnetic stripe of a physical card and then inserting or swiping the counterfeit physical card at a point-of-sale terminal or ATM," the court documents say.
"Drops" refers to locations or individuals that secure or receive and then forward funds or goods obtained through cashouts, making it harder for law enforcement agencies to track the fraudulent transactions.
Involvement in Ransomware Activities
Berezan is also accused of participating in ransomware attacks causing more than $53 million in losses. Following his arrest, investigators uncovered electronic devices providing evidence of his involvement in ransomware activities.
"The post-extradition investigation determined that Berezan had participated in at least 13 ransomware attacks, seven of which were against U.S. victims, and that approximately $11 million in ransom payments flowed into cryptocurrency wallets that he controlled," according to the DOJ.
Berezan also used his stolen money to buy two Porsches, a Ducati motorcycle and an assortment of jewelry. Authorities recovered currency worth more than $200,000 and electronic devices storing passphrases to bitcoin wallets that contained bitcoin worth approximately $1.7 million, which has been forfeited.
"While we have long been in the business of protecting money, from the earliest days of coins and paper, to plastic, and today's more accessible and commonplace digital currencies, we also remain in parallel footprint to the evolution of criminal behavior into cyberspace," says special agent in charge Matthew Stohler of the U.S. Secret Service. "Ransomware thieves are not safe in any dark corner of the internet in which they may think they can hide from our highly trained investigators and law enforcement partners worldwide."
Russian Cyber Action
Last month, prior to Russia’s invasion of Ukraine, Russian authorities arrested the alleged administrators of multiple Russian-language cybercrime markets and communities. It's not clear, however, if the arrests were being made as part of any Moscow-ordered crackdown in response to demands by the White House that Russia better disrupt cybercriminals hitting foreign targets from inside the country's borders (see: Russia Shutters 3 Carding Markets, Including Trump's Dumps).
In January, Ferum Shop and Sky-Fraud went dark, and their homepages were replaced by takedown notices posted by the Russian government's Ministry of Internal Affairs' Department K, which focuses on technology crime, according to the threat intelligence firm Flashpoint.
Another shop for stolen payment card data, called Trump's Dumps, aka TDStore, has also recently been shuttered, as has Ultimate Anonymity Services, or UAS, which specialized in selling remote desktop credentials, Flashpoint says. So-called carder or carding markets, among other activities, sell "dumps," by which they mean the data stored on payment card magnetic stripes, which is typically stolen via point-of-sale devices.
Demand for carding sites has long remained robust, and established players and newcomers alike continue to compete for market share. For example, after the world's biggest carding site, Joker's Stash, closed up shop in January 2021, UniCC seized its mantle (see: Darknet Markets Compete to Replace Joker's Stash).
The carding market is not the only type of cybercrime to have been recently targeted by Russian authorities. Last month, the Russian FSB arrested 14 individuals suspected of working with the REvil - aka Sodinokibi - ransomware operation.
Russian takedowns prior to the Ukraine conflict had "led to speculation on top-tier forums that Russian security agencies may cooperate with Western law enforcement on certain arrests," Flashpoint says. "This potential cooperation could change the cybercrime landscape and limit the available venues where threat actors can communicate, or buy or sell illicit goods."
In January, a 29-year-old Canadian man was sentenced to three years in prison for trading in stolen personal information, including transactions with an aggressive hacking and extortion group known as The Dark Overlord.
Slava Dmitriev, of Vaughn, Ontario, pleaded guilty on Aug. 30, 2021, to a charge of fraud and related activity. He was arrested in September 2020 while traveling in Greece.
Dmitriev was accused of buying and selling stolen identity information - including Social Security numbers, names and birthdates - on the AlphaBay marketplace. AlphaBay was shut down by law enforcement authorities in July 2017. Prosecutors accused Dmitriev, who went by the nickname GoldenAce, of netting $100,000 from the sale of 1,764 items on the market from May 2016 through July 2017 (see: Dark Overlord Collaborator Sentenced to Three Years).