Popelysh twins jailed the second time around

Court finds members of the criminal group guilty of the theft of 12.5 million rubles ($437,000 at the exchange rate of the time) from 7000 Russian bank accounts

Yesterday, on June 18, the Savelovsky District Court of Moscow convicted members of the hacker group headed by twin brothers from St. Petersburg, Dmitry and Evgeny Popelysh. From March 2013 to May 2015, the Popelysh brothers' group gained access to more than 7000 customer accounts at leading Russian banks and stole more than 12.5 million rubles. The Popelysh twins committed these crimes with unspent convictions: they had received suspended sentences in 2012 for theft from bank customers. Group-IB's forensic specialists were involved in the investigation and gave evidence as experts in court, helping to bring the Popelysh case to its logical conclusion: a court sentence.

The 23-year-old Popelysh twins made their first attacks on bank customers in 2010, in collaboration with Alexander Sarbin, a 19-year-old hacker from Kaliningrad. The criminals infected users' computers with the Trojan.Win32.VKhost malware which, when the user opened the official online banking service of a major Russian bank, redirected them to a phishing page. On this page, under the pretext of a change in the security policy, the user was asked to enter a login, password and confirmation code from the bank's scratch card. With this data, the criminals logged in to the genuine remote banking site and withdrew the money.

In the short period from September to December 2010, Sarbin and the Popelysh twins stole approximately 2 million rubles from 16 customers. By February 2011, 170 customers of Russian banks from 46 regions in the country had fallen victim to the criminals, bringing the total amount of funds stolen to 13 million rubles.

The hackers were arrested in spring 2011 but received only mild sentences. In September 2012, the Chertanovsky District Court of Moscow gave them a suspended sentence of 6 years' imprisonment with 5 years' probation. Once free, the brothers reverted to their old habits: they equipped themselves with new malware, QHost and Patched.IB, automated the theft process, and continually modified the malware in order to evade detection by anti-virus systems.
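The redirect described above (the VKhost campaign of 2010 and the QHost malware of the second campaign) is, for the QHost family, normally achieved by rewriting the local hosts file so that the bank's domain resolves to the attacker's server instead of the bank's. The script below is an added example and is not code from the article or from Group-IB: it audits a hosts file and reports any watched banking domain pinned to a non-loopback address. That the Popelysh malware used the hosts file specifically is an assumption here; the sample hosts content and the bank domain names are constructed.

```python
"""Audit a hosts file for entries that hijack banking domains.

Added example, not part of the original article or Group-IB's tooling.
Assumption (labelled): the redirect is done by rewriting the local hosts
file, which is how the QHost family works. The sample hosts content and
the watched bank domains below are constructed for the example.
"""
import ipaddress

# Constructed sample: two benign loopback entries, two hijacks of a bank
# domain, and an unrelated block entry for an anti-virus update host.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# added by malware (constructed sample)
203.0.113.45    online.examplebank.ru
203.0.113.45    www.examplebank.ru  examplebank.ru
0.0.0.0         update.antivirus.example   # block AV updates
"""

# Constructed list of domains to watch; in practice load the bank's own
# list of customer-facing hostnames.
WATCHED_DOMAINS = {"examplebank.ru", "online.examplebank.ru", "www.examplebank.ru"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text.

    Comments (from '#' to end of line) and blank lines are ignored, and a
    line with several hostnames yields one pair per hostname. Hostnames are
    lower-cased so that case tricks in the file do not evade the match.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; unparsable strings are not loopback."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return {hostname: ip} for every watched domain (or a subdomain of
    one) that the hosts file pins to anything other than loopback.

    A legitimate workstation never needs a static entry for a public
    banking domain, so any such entry is reported, including 0.0.0.0.
    """
    hits = {}
    for ip, name in parse_hosts(text):
        if is_loopback(ip):
            continue
        if name in watched or any(name.endswith("." + w) for w in watched):
            hits[name] = ip
    return hits


if __name__ == "__main__":
    for host, ip in sorted(find_hijacks(SAMPLE_HOSTS).items()):
        print(f"HIJACK  {host} -> {ip}")
```

On a Windows host the file to audit is C:\Windows\System32\drivers\etc\hosts; on Linux it is /etc/hosts. The check is deliberately one-sided: a bank domain should not appear in a hosts file at all, so every non-loopback mapping is reported rather than compared against a list of "known good" bank addresses, which would go stale. Entries that block anti-virus update hosts, as in the sample, are a separate indicator and need their own watch list.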

The Popelysh twins headed a group that included «programmers»; «traffers», who spread the malware; «crypters», specialists who regularly updated (modified) the malware code; «money mules», who cashed out the stolen money; and «callers». The latter posed as bank employees and rang up customers who had left their card and telephone numbers on the fake website, in order to persuade them to disclose the transfer confirmation code. This type of fraud is called vishing (voice phishing): a form of phishing in which voice calls are used to obtain confidential data.

From March 2013 to May 2015, the Popelysh twins’ group gained access to more than 7000 customer accounts at various Russian banks and stole more than 12.5 million rubles. Each month, the brothers earned an average of 500,000 to 1.5 million rubles. They spent the money on purchasing property and foreign cars, such as a Porsche Cayenne and a BMW X5.

In May 2015, the Popelysh twins were detained once again during a joint special operation conducted by the Ministry of Internal Affairs and the Federal Security Service in St. Petersburg. Group-IB's cyber forensic specialists and representatives from the Group's Investigation Department were called in as experts during the search. When officers cut through the metal door of the apartment where the Popelysh brothers were living, the pair attempted, in panic, to flush half a million rubles, flash drives, and SIM cards down the toilet. The brothers had even built an electromagnetic device for erasing computer drives in the event of a police raid.

The Popelysh twins and their accomplices were charged with the creation and use of malicious computer programs (Article 273 of the Criminal Code of the Russian Federation), illegal access to computer information (Article 272 of the Criminal Code of the Russian Federation) and fraud (Article 159 of the Criminal Code of the Russian Federation).

Due to the significant number of victims and the extensive amount of evidence gathered, the investigation and criminal proceedings in the "Popelysh case" lasted for almost three years. It was only a few days ago, in 2018, that the trial took place, enabling the case to be brought to a logical end and a sentence to be passed. The first time around, the Popelysh twins received too mild a sentence: they were released on probation and resumed their old criminal ways. This time, the members of the group were given real sentences: 10 years' imprisonment. The Popelysh case is a clear example that shows that cybercrime needs to be punished as severely as possible.

Sergey Lupanin

Head of Group-IB’s Investigation Department

On Monday, June 18, the Savelovsky District Court of Moscow found all the defendants guilty: Evgeny and Dmitry Popelysh were sentenced to 8 years' imprisonment, Sarbin to 6 years, Sharychev to 5 years, Vyukov to 4 years, and Belsky received a suspended sentence.

About Group-IB

Group-IB, with its headquarters in Singapore, is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property. The company’s Threat Intelligence and Research Centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), and Europe (Amsterdam).

Group-IB's Unified Risk Platform is an ecosystem of solutions that understands each organization's threat profile and tailors defenses against it in real time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. Group-IB's products and services consolidated in the Unified Risk Platform include Threat Intelligence, Managed XDR, Digital Risk Protection, Fraud Protection, Attack Surface Management, Business Email Protection, Audit & Consulting, Education & Training, Digital Forensics & Incident Response, Managed Detection & Response, and Cyber Investigations.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 19 years of hands-on experience in cybercrime investigations worldwide and more than 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.

Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB's experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB's mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.