From Cybercrime Saul Goodman to the Russian GRU – Krebs on Security

In 2021, the exclusive Russian cybercrime forum Mazafaka was hacked. The leaked user database shows that one of the forum's founders is a lawyer who advises top hackers in Russia on the legal risks of their work, and on what to do if they are caught. A review of this user's hacker identities shows that during his time on the forums he served as a special forces officer in the GRU, the foreign military intelligence agency of the Russian Federation.

Launched in 2001 under the tagline "Network terrorism," Mazafaka may be one of the most closely watched Russian-language cybercrime communities. The forum's member list includes a Who's Who of top Russian cybercriminals, and it features sub-forums for a wide range of cybercrime specialties, including malware, spam, coding and identity theft.

A representation of the leaked Mazafaka database.

In almost any database leak, the first accounts listed are usually the administrators and earliest core members. But the Mazafaka user information posted online is not a database file per se, and it was clearly edited, redacted and restructured by whoever released it. As a result, it can be difficult to tell which members are the earliest users.

The original Mazafaka was known to have been launched by a hacker using the nickname “Stalker.” However, the lowest numbered (non-admin) user ID in the Mazafaka database belongs to another individual who used the handle “Djamix,” and the email address djamix@mazafaka(.)ru.

From the forum's inception until 2008, Djamix was one of its most active and prolific contributors. Djamix told forum members that he is a lawyer, and almost all of his posts include legal analysis of various public cases involving hackers arrested and charged with cybercrimes in Russia and abroad.

"Hiding with purely technical parameters will not help in a serious matter," Djamix advised Maza members in September 2007. "To escape the law, you need to KNOW the law. This is the most important; technical capabilities cannot overcome intelligence and cunning."

Stalker himself credits Djamix with keeping Mazafaka online for years. In a retrospective post published on LiveJournal in 2014 titled "Mazafaka, from conception to the present," Stalker said Djamix became a core member of the community.

“This guy is everywhere,” Stalker said of Djamix. “There is nothing about (Mazafaka) that he cannot be involved in. To me, he is a stimulus-irritant and thanks to him, Maza is still alive. Our rallying force!”

Djamix has told other forum denizens that he is a licensed attorney who can be hired for remote or in-person consultations, and his posts on Mazafaka and other Russian boards indicate that many hackers faced the kind of legal risk that probably led him to make this offer.

"I have the right to represent your interests in court," said Djamix on the Russian-language cybercrime forum Verified in January 2011. "From a distance (in the form of constant support and consultations), or in person – it is discussed separately. Also the cost of my services."

WHO IS DJAMIX?

A search for djamix@mazafaka(.)ru at DomainTools.com reveals that this address has been used to register at least 10 domain names since 2008. These include many websites about life in and around Sochi, Russia, the site of the 2014 Winter Olympics, as well as a nearby coastal town called Adler. All of the sites say they are registered to an Alexey Safronov from Sochi who also lists Adler as his hometown.

Breach tracking service Constella Intelligence found that the phone number associated with the domains — +7.9676442212 — was tied to a Facebook account for an Aleksei Valerievich Safronov from Sochi. Mr. Safronov's Facebook profile, last updated in October 2022, says his ICQ instant messenger number is 53765. This is the same ICQ number provided by Djamix in the Mazafaka user database.

The Facebook account for Aleksey Safronov.

A "Djamix" account on the forum privetsochi(.)ru ("Hello Sochi") says that this user was born on October 2, 1970, and that his website is uposter(.)ru. The tagline of this Russian-language news site is "We Create Communication," and it focuses heavily on news about Sochi, Adler, Russia and the war in Ukraine, with a strong pro-Kremlin bent.

Safronov's Facebook profile also gives his Skype username as "Djamixadler," and it includes dozens of photos of him in military fatigues with a regiment of soldiers deployed in relatively remote areas of Russia. Some of the photos are dated 2008.

In several pictures, a patch on the arm of Safronov's jacket bears the logo of Spetsnaz GRU, a special forces unit of the Russian military. According to a 2020 report from the Congressional Research Service, the GRU operates both as an intelligence agency – collecting human, cyber, and signals intelligence – and as a military organization responsible for battlefield reconnaissance and the operation of Russia's Spetsnaz military commando units.

Mr. Safronov posted this picture of himself on Facebook in 2016. The insignia of the GRU can be seen on his arm.

“In recent years, reports have implicated the GRU in some of Russia’s most aggressive and public intelligence operations,” the CRS report explained. “Reportedly, the GRU played a key role in Russia’s occupation of Ukraine’s Crimea region and invasion of eastern Ukraine, the attempted assassination of former Russian intelligence officer Sergei Skripal in the United Kingdom, interference in the 2016 U.S. presidential elections, disinformation and propaganda operations, and some of the world’s most damaging cyberattacks.”

According to Meduza, an investigative news outlet focused on Russia, in 2014 the Russian Defense Ministry created its "information-operation troops" for action in "cyber-confrontations with potential enemies."

“Later, Defense Ministry sources explained that these new troops are intended to ‘disrupt the information networks of a potential enemy,'” Meduza reported in 2018. “Recruits are reportedly looking for ‘hackers with problems with the law.'”

Mr. Safronov did not respond to multiple requests for comment. A 2018 article written by Aleksei Valerievich Safronov titled "One Hundred Years of GRU Military Intelligence" explains the significance of the bat in the GRU seal.

"In one way or another, the bat is a symbol that unites all active and retired intelligence officers; it is a symbol of unity and exclusivity," wrote Safronov. "And, in general, it doesn't matter who we are talking about – a secret GRU agent somewhere in the army or a sniper in any of the special forces brigades. They all do one very important and responsible thing."

It is unclear what role Mr. Safronov played in the GRU, but the military intelligence agency likely took advantage of his extensive technical expertise, knowledge and connections in Russian cybercrime forums.

A search of Safronov's domain uposter(.)ru by Constella Intelligence revealed that this domain was used in 2022 to register an account on a popular Spanish-language discussion forum dedicated to helping applicants prepare for a career in the Civil Guard, one of the two national police forces in Spain. Pivoting on that Russian IP address in Constella showed that three other accounts were created on the same Spanish forum on the same date.

Mark Rasch, a former cybercrime prosecutor for the U.S. Department of Justice, said there have always been close ties between the GRU and the Russian hacker community. Rasch noted that in the early 2000s, the GRU sought hackers with the skills needed to break into U.S. banks to obtain funds to help finance Russia's war in Chechnya.

"The guy is very involved in the Russian cyber community, and that's useful for the intelligence services," Rasch said. "He could have infiltrated the community to monitor it for the GRU. Or he could be a man in a military uniform."
