Blog

Russia Seizes Ferum, Sky-Fraud, UAS, and Trump’s Dumps—and Signals More Takedowns to Come [Updated]

February 8, 2022

Update as of 5:06 PM EST:

Flashpoint analysts have identified the individuals that were arrested by Russian LE. One of the individuals, Artem Alexeyevich Zaytsev is listed as the CEO of Get-Net LLC, which is the registrar of the domains of Sky-Fraud, Trump’s Dumps, UAS and Ferum, as well as several other domains, some of which look like legitimate businesses.

Get-Net’s majority shareholder is Alexandra Kovaleva. Get-Net also owns the company “Red-Code”, which is based in Perm, Russia, similarly to Zaytsev himself.

Based on information available about Get-Net, Flashpoint analysts assess with moderate to high confidence that Zaytsev has been active since at least 2008 when a complaint was made against him on the Russian “Searchengines[.]guru” forum for defrauding a user.

Original post:

On February 7, 2022, domains of two well-known Russian-language illicit communities, Ferum Shop and Sky-Fraud, were seized by the Department “K,” a division of the Ministry of Internal Affairs of the Russian Federation that focuses primarily on information technology-related crimes. The official message displayed on the homepages of both sources reads:

Department “K” of the Ministry of Internal Affairs of Russia warns: theft of funds from bank cards is illegal!

Article 187 of the Criminal Code of the Russian Federation: Production, acquisition, storage, transportation for the purpose of use or sale, as well as the sale of counterfeit payment cards, money transfer orders, documents or means of payment, as well as electronic means, electronic media, technical devices, computer programs, intended for illegal acceptance, issuance, transfer of funds.

Punishable by imprisonment for up to seven years.

At this time Flashpoint analysts have not confirmed whether these sources were targeting Russian banks.

Additionally, there is a message embedded into the source code of both Ferum and Sky-Fraud, which allegedly came from law enforcement. The message reads: “Which one of you is next?” The message implies that there are likely be more arrests in the near future. A similar message accompanied the takedown of UniCC.

Trump’s Dumps and UAS Also Seized

A third card shop, called Trump’s Dumps, shows the same message (below).

UAS (Ultimate Anonymity Services), an RDP shop, has also been seized.

Flashpoint has confirmed the takedowns of both. Flashpoint analysts also note that all four sources were hosted on .ru domains. Flashpoint analysts assess with moderate confidence that the Department “K” will continue targeting similar sources that host their domains at .ru.

“This Source Has Been Blocked.” (Image: Flashpoint)

Ferum Shop was currently one of the most prominent carding shops and was active for approximately 5 years. Following the closure of Joker’s Stash, Ferum became the longest-standing illicit online card shop and was considered one of the major successors of Joker’s Stash.

Related reading: ‘Ultimate Anonymity Services’ Shop Offers Cybercriminals International RDPs

“Ultimate Anonymity Services” Shop Offers Cybercriminals International RDPs

“Ultimate Anonymity Services” (UAS) is a popular Dark Web marketplace that sells access to compromised Remote Desktop Protocol (RDP) servers.

Sky-Fraud was another carding source that was active for approximately 4 years. Sky-Fraud was never considered to be a high or even mid-tier forum, but Sky-Fraud was a major source for beginner carders and cybercriminals.

Arrests

Flashpoint analysts note that this is the second major arrest that is explicitly targeting the carding community and a third major arrest of cybercriminals in Russia since the beginning of 2022. In January 2022 “UniCC,” a major carding shop, abruptly shut down. It then emerged that the Russian Federal Security Service (FSB) arrested four members of the Infraud Organization, among them Andrey Novak, who has previously been identified as the administrator of UniCC.

Furthermore, Flashpoint analysts note that the recent arrests of members of REvil, UniCC, as well as Ferum and Sky-Fraud represent the first major arrests of Russia-based cybercriminals since March 2020, when The Russian Federal Security Service (FSB) detained more than thirty members of an illicit carding operation, charging twenty-five of them with “illegal circulation of means of payment.”

“Which of you is next?” (Image: Flashpoint)

Flashpoint analysts will continue to monitor the aftermath of the takedowns and arrests in Russian-speaking illicit communities. As we have reported earlier, the arrests of REvil operators and the Infraud Organization members have recently led to speculation on top-tier forums that Russian security agencies may cooperate with Western law enforcement on certain arrests. This potential cooperation could change the cybercrime landscape, and limit the available venues where threat actors can communicate, or buy or sell illicit goods.

The Great Cyber Exit: Why the Number of Illicit Marketplaces Is Dwindling

From shutdowns to resignations, some of the most significant illicit marketplaces, communities, threat actors and forums operating on the deep and dark web will cease to function in 2022. Flashpoint’s intelligence analysts examine this trend.

Detect, prioritize, and mitigate cyber risks with Flashpoint

Never miss a development across illicit communities and protect your assets, stakeholders, and infrastructure by identifying emerging vulnerabilities, security incidents, and ransomware attacks. Sign up for a free trial and see Flashpoint’s extensive collections platform, deep web chatter, and dark web monitoring tools in action.

Begin your free trial today.