On March 24, 2020, Gemini Advisory wrote a report on the Russian Federal Security Service (FSB) arresting 30 members of a hacker ring. This marked an unusual turn of events since it is not common practice for Russian law enforcement to arrest notable Russian hackers, especially those who do not target large numbers of Russian victims. In addition, Gemini analysts were able to determine that one of the key figures of the arrest was the known cybercriminal Aleksei Stroganov (AKA “Flint24”). A June 17, 2020 news article from independent Russian-language newspaper Meduza provided some additional details on the possible reasons for such an arrest.
According to the article, Aleksei Stroganov operated multiple “legal” businesses in the Russian Federation, and additionally supported multiple charity causes. As such, according to the article, Stroganov was a well-known businessman in the Kaluga Region, and together with his younger brother, he owned a heating supply company, recycling factory, security services company, restaurant, security agency, a non-commercial “cybercrime-fighting” organization, and a tuning atelier for SUVs (Zhukoff Garage), among nearly a dozen others. The cybercrime-fighting organization, Kibalchish, is no longer operational; its official site indicated that it helps in fighting and educating about cybercrime, such as carding and phishing. Additionally, it appears that the company was involved in fighting the illegal sale of tickets during the 2018 World Cup that was hosted in Russia.
Using the notoriety of their SUV-tuning business, the two brothers became involved in charity related to children’s schools and family-oriented organizations and received positive exposure. Some criminals use legal businesses in order to launder their illicitly acquired funds, which appears to be the case for Stroganov. According to the article, all but one of the legal businesses showed no profits.
Additionally, the article points out that Stroganov had built ties with political figures and was working towards building additional connections. As such, the article highlights the close friendship between Stroganov and Vadim Dengin, a Russian politician who is deputy of the State Duma of the Russian Federation and a member of the Liberal Democratic Party of Russia. Additionally, Dengin is the First Deputy Chairman of the Committee on Informational Policy, Information Technology, and Communications, which oversees passing laws concerning RU-Net and cybercrime.
In Russia, it is widely known that acquiring political ties comes with a level of immunity. One of the key elements in making those connections is finding politicians willing to accept bribes, which requires either knowing someone in political circles or knowing the politician directly. Criminals can then bribe the members of the government directly or indirectly. Some of the indirect bribes involve free publicity or exposure for the politician, such as supporting causes of interest to the politicians. Additionally, criminals could provide extravagant vacations or provide the use of luxury items such as helicopters, yachts, and other vehicles. According to the article, Dengin attended the same school as Stroganov and was a classmate of his younger brother. Additionally, Stroganov’s Facebook page indicates that Dengin, Stroganov, and his younger brother vacationed together on a yacht. Stroganov’s SUV-tuning atelier has publicly supported various humanitarian projects led by Dengin. It appears that Kibalchish was created as a counterweight to another organization that was created by Dengin’s opposition, and if Kibalchish had been able to achieve the desired results, it would have garnered Dengin another political point and would have provided Stroganov a stronger foothold in the Russian political and cyber sphere.
In November 2019, judo gym “Турбостроитель” (Turbostroitel – transliteration) celebrated its 50th anniversary. Russian President Vladimir Putin is an avid judo enthusiast and was formerly a member of this gym. In fact, the gym even had a documentary released on the Russian National TV channel in which Putin spoke about his training days there. Putin attended the ceremony in person and presented multiple awards to some of its key figures. On December 20, 2019, during the government awards ceremony for active community involvement, the governor of Saint Petersburg presented multiple awards for various social achievements. One such award went to one of the members of the board of trustees of Turbostroitel, Aleksei Stroganov, which indicates that Stroganov was involved with the club in some fashion. Three months after the awards, on Stroganov’s 48th birthday, the FSB made its arrests.
It is difficult to make a definitive case for the exact reasons for Stroganov’s arrest; however, there are additional reasons why such an arrest could have taken place. As noted above, Russian law enforcement agencies do not pursue hackers as long as they follow certain unwritten rules. One of the rules is to avoid targeting individuals who reside in the Former Soviet Union (FSU). One of the smaller marketplaces operated by this ring did, in fact, offer to sell some Russian citizens’ payment cards. Considering the multitude of marketplaces operated by this ring, it is possible that the sale of such cards went unnoticed by the main perpetrators, and could have been done by the individual running that marketplace’s daily operations. Then again, if the number of cards for sale was low, it is unlikely to be the cause for such a high-visibility arrest, especially for individuals with government connections.
One of the other unwritten rules that law enforcement has with hackers who operate within the FSU is that if confronted, the hackers must cooperate with law enforcement. This may have involved a bribe that Stroganov was unwilling to pay, instead attempting to leverage his political connections to avoid being extorted. Law enforcement may have also requested information on other hackers operating within this realm or otherwise requested a service that Stroganov was unwilling to perform, such as commanding the ring to perform a specific hack. Dark web forum discussions occasionally include cybercriminals accusing one another of collaborating with the “K” Department (the Russian Cyber Police Department), which lends credence to this possibility.
However, these alternative explanations are conjecture based on Russian norms, patterns, and cybercriminal discussions. While they may offer various reasons for Stroganov’s arrest unrelated to his political connections or link to Putin’s judo club, they are speculation and have not been substantiated by public statements or dark web intelligence.
According to the FSB, during the arrest, it confiscated over $1 million, 3 million rubles (as of this writing, 1 USD = 68 rubles), weapons, counterfeit IDs, drugs, gold bars, precious coins, and IT infrastructure that enabled work on payment card marketplaces. In addition to this, according to the article, Stroganov was seen using a yacht and a helicopter that is registered to his SUV-tuning atelier on his last vacation. Considering the fact that most of his businesses do not turn a profit, it appears that the main source of Stroganov’s income was through operating payment card marketplaces, with the money subsequently laundered through those same businesses.
Stroganov has a very interesting origin story and is considered by many to be the eldest carder in all of Russia. His criminal past began in 2003 when he was arrested by Russian law enforcement due to his association with carding operations. Even at that time, according to a Russian news article, Stroganov was wanted by the police for nine years for unspecified fraudulent activity. Considering that Stroganov is 48 now, and in 2003 he was wanted for fraud for nine years, his criminal activity began in 1994, when he was 22. In the 2003 arrest of the criminal ring, Stroganov was one of three key players, along with the ringleader Artur Lyashenko (AKA “Bigbuyer”) and another member, Gerasim Selivanov (AKA “Gabrik”). It is noteworthy that Selivanov was active in running the YouTube channel for the SUV-tuning atelier owned by Stroganov, and was also one of the individuals detained in this recent arrest. Back in 2003, Selivanov was in charge of acquiring the card data and Stroganov was in charge of imprinting that information onto counterfeit cards. Stroganov made an appearance in a book by Belarusian hacker Sergey Pavlovich, How To Steal A Million: Memoirs of a Russian Hacker, who wrote that he met Flint24 a year prior to the arrest. At the time, Stroganov was a moderator of a top-tier Russian-language forum called carder[.]org, and was using Boa Factory cards, which were of subpar quality. Eventually, Stroganov, Selivanov, and Lyashenko established their own counterfeit card production. It is also important to note that, according to Pavlovich, Selivanov was a close friend of Vladimir Drinkman (AKA Scorpo), a dumps vendor arrested in the Netherlands in 2012. Pavlovich notes that Selivanov became one of the biggest dumps vendors during those times due to this friendship.
According to FSB records, in 2006, Stroganov and Selivanov were found guilty of the fabrication and distribution of counterfeit payment cards and were sentenced to six years in prison. They served two years of their sentence and were released in 2008. After his release, Stroganov (Flint24) continued to be a member of Russian-language dark web forums. His presence was far more discreet following his initial arrest and he did not reveal any of his personally identifiable information (PII) or contact details; his operational security (OPSEC) likely improved due to his arrest. On multiple occasions, Flint24 endorsed the payment card marketplace BuyBest on the Russian-language dark web forum Omerta. Flint24 was also active on the Russian-language dark web forums Verified and DarkMoney. Considering that Stroganov was released in 2008, and Drinkman was arrested in 2012, it is fair to assume that the relationship between Stroganov, Selivanov, and Drinkman continued until that point. It is also noteworthy that the marketplaces operated by Stroganov, such as GoldenShop, started operations in early 2013, which could indicate that Stroganov and his accomplices had taken over the infrastructure left by Drinkman after his arrest.
There is a known level of corruption in the Russian Federation, which leads to criminals trying to acquire political ties in order to prevent the government from targeting them. These tactics and ties need to be carefully planned so that they do not cross unspoken boundaries that could lead to potentially damaging effects. Aleksei Stroganov (AKA Flint24) is a known cybercriminal with a questionable past, who in recent years not only continued his illegal activity but appears to have increased it while making significant efforts to present himself as a legitimate businessman.
However, it is also important not to overreach in these endeavors, as it could create unwanted associations for those in high power. While Stroganov appears to have maintained ties with Dengin for years without backlash, his public affiliation with President Putin’s judo gym likely crossed a line. The motives and decision-making process behind Stroganov’s arrest are not public, but the timing of his award as a Turbostroitel board member followed by the FSB’s unusual, high-profile cybercrime arrests on Stroganov’s birthday indicates that his political overreach triggered a severe backlash from those close to the Russian president, resulting in Stroganov’s arrest.