Group-IB: market volume of illegal online sales of alcohol exceeded 30 million USD in 2018 in Russia

Group-IB, an international company that specializes in preventing cyberattacks, has estimated that the market volume of illegal online sales of alcohol in Russia exceeded 30 million USD in 2018, i.e. almost 5.8 million USD (+23%) more than in 2017. Group-IB Digital Risk Protection team discovered a total of around 4,000 websites illegally selling alcohol. Criminals create entire networks from the «mirror—websites» of their online alcohol stores; if one site is blocked, they swiftly migrate to a backup resource.

The intoxicating Internet

Active regulatory measures taken in 2018 and aimed at blocking websites that illegally sell alcohol online meant that the «alcohol kingpins» of the black market were forced to find new ways of doing business. In 2018, Group-IB Brand Protection experts discovered more than 4,000 websites selling counterfeit alcohol and bypassing the ban on sales of alcohol online, as well as around 3,000 web resources connected to them. Such schemes make it possible not only to create several «mirrors» of the main alcohol store, thereby attracting more customers, but also to swiftly migrate from one domain to another if a website is blocked. For example, until recently, the resource included 45 connected websites, however most of the network has now been blocked.

During the research, the largest group discovered by Brand Protection specialists included 86 connected domains. Such schemes are used by both resellers who sell alcohol online bought from major retailers as well as fraudsters who sell counterfeit products.

Group-IB Brand Protection team analysed the illegal online sales of alcohol and concluded that, on average, 190 users per day visit websites that sell and deliver alcohol, i.e. 5,700 people per month. With a conversion rate of 0.7% and an average order amount of 16 USD, 4,000 online shops earn revenues starting at 2.5 million USD per month. As a result, criminals earned around 30 million USD in 2018, i.e. 23% more than the year before.

Advertising and promotions of online stores via Telegram channels (just one channel can have up to 3,000 subscribers) and dedicated groups on social networks play a significant role in this illegal business. According to Group-IB, in 2018 interest in online shopping of alcohol increased by more than 35%, as can be seen with the higher numbers of search queries for «buy alcohol». Around 30% more people searched for alcohol including delivery (search queries for «alcohol delivery») compared to the previous year.

During pre-holiday periods, the number of search queries for online sales of alcohol increases by 28%. It is no coincidence that the first large-scale «wave» of domains registration for alcohol sales took place in the spring of 2018, on the eve of the May holidays, and continued throughout the summer during the FIFA World Cup. The second «wave» was detected in October, with a peak in registrations in December.

The blocking of resources by the regulator undoubtedly had a positive effect, and some of the major illegal alcohol networks were shut down; nevertheless, administrators of banned resources began actively fighting against website blocking not only by registering new websites and constantly moving from one domain to another, but also thanks to various loopholes in legislation. A widely used scheme is selling “souvenirs«—keychains, magnets, tobacco accessories—that include alcohol as a «free gift». Criminals resort to more complex schemes as well, such as closed resources that use QR codes that then redirect users to hidden websites, which are not indexed by search engines and as a result cannot be automatically detected and blocked.

Андрей Бусаргин
Andrey Busargin

Director of Digital Risk Protection and Anti-Piracy at Group-IB

Do it yourself: from bottle to factory

When purchasing alcohol online, buyers often buy a «pig in a poke». This makes the job considerably easier for criminals, who produce relatively crude fakes, the appearance of which sometimes has almost no resemblance to the original product: seal, cork (or illustrations thereon), label, excise stamp, brand colors on the packaging… not to mention the quality of the alcohol itself.

Group-IB Brand Protection team discovered dozens of websites and online bulletin boards used to sell the essential components of so-called «alcohol do-it-yourself kits» for illegal production of strong spirits—fakes of famous brands. One such kit, which includes the bottle, the label, the cork, and the branded box, is available for just 0.5 USD. This means that the cost of producing one 0.5-litre bottle of whisky is a little more than 1 USD = 0.5 USD + 0.05 USD (excise stamp) + 0.3 USD (spirit) + 0 USD (water) + 0.17 USD (essence).

Criminals can assemble not only a bottle of a famous spirit, but the entire production line. For example, on Aliexpress, fraudsters can acquire all the components of an automated bottling system for vodka, whisky, wine, or beer. The cost of such a mini-factory starts at 7,280 USD. According to the Russian Federal Service for the Regulation of the Alcohol Market (FSRAR), between 2015 and 2018 more than 450 illegal alcohol manufacturing and storage sites were shut down in Russia.

While investigating the manufacture of counterfeit alcohol, we reached a disappointing conclusion: namely that buying a bottling or production line is no more complicated than ordering a book or a smartphone. Although dozens of such clandestine mini-factories are closed down every year, there are always more daredevils willing to risk their freedom and other people’s health to make a quick buck.

Андрей Бусаргин
Andrey Busargin

Director of Digital Risk Protection and Anti-Piracy at Group-IB

About Group-IB

Group-IB, with its headquarters in Singapore, is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property. The company’s Threat Intelligence and Research Centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), and Europe (Amsterdam).

Group-IB’s Unified Risk Platform is an ecosystem of solutions that understands each organization’s threat profile and tailors defenses against them in real-time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. Group-IB’s products and services consolidated in Group-IB’s Unified Risk Platform include Group-IB’s Threat IntelligenceManaged XDRDigital Risk ProtectionFraud ProtectionAttack Surface ManagementBusiness Email ProtectionAudit & ConsultingEducation & TrainingDigital Forensics & Incident ResponseManaged Detection & Response, and Cyber Investigations.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 19 years of hands-on experience in cybercrime investigations worldwide and more than 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.

Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to protect its clients in cyberspace every day by creating and leveraging innovative solutions and services.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.