Popelysh twins jailed the second time around

Court finds members of the criminal group guilty of the theft of 12.5 million rubles ($437,000 at then exchange rate) from 7000 Russian bank accounts

Yesterday, on June 18, the Savelovsky District Court of Moscow convicted members of the hacker group headed by twin brothers from St. Petersburg, Dmitry and Evgeny Popelysh. From March 2013 to May 2015, the Popelysh brothers’ group gained access to more than 7000 customer accounts at leading Russian banks and stole more than 12.5 million rubles. The Popelysh twins committed these crimes with unspent convictions: they had received suspended sentences in 2012 for theft against bank customers. Group-IB’s forensic specialists were involved in the investigation and gave evidence as experts in court, helping to bring the Popelysh case to its logical conclusion: a court sentence.

The 23-year-old Popelysh twins made their first attacks on bank customers in 2010, in collaboration with Alexander Sarbin, a 19-year-old hacker from Kaliningrad. The criminals infected users’ computers with the Trojan.Win32.VKhost virus, which, when the victim opened the official online banking service of a major Russian bank, redirected the customer to a phishing page. On this page, under the pretext of a change in the security policy, the user was asked to enter a login, password and confirmation code from the bank’s scratch card. Using this data, the criminals withdrew money via the authentic remote banking site.

In the short period from September to December 2010, Sarbin and the Popelysh twins stole approximately 2 million rubles from 16 customers. By February 2011, 170 customers of Russian banks from 46 regions in the country had fallen victim to the criminals, bringing the total amount of funds stolen to 13 million rubles.

The hackers were arrested in spring 2011 but received only mild sentences. In September 2012, the Chertanovsky District Court of Moscow sentenced them to 6 years’ imprisonment with 5 years’ probation. Once they were released, the brothers reverted to their old habits: they equipped themselves with new malware, QHost and Patched.IB, automated the theft process, and continually updated the viruses themselves in order to avoid detection by anti-virus systems.

The Popelysh twins headed a group which included «programmers»; «traffers» (people who spread the malware); «crypters» (specialists who regularly updated, or modified, the malware code); «money mules» (people who cashed out the stolen money); and «callers». The latter posed as bank employees and rang up customers who had left their card and telephone numbers on the fake website, to persuade them to disclose the transfer confirmation code. This type of fraud is called vishing (voice phishing): a type of phishing in which voice communication is used to obtain confidential data.

From March 2013 to May 2015, the Popelysh twins’ group gained access to more than 7000 customer accounts at various Russian banks and stole more than 12.5 million rubles. Each month, the brothers earned an average of 500,000 to 1.5 million rubles. They spent the money on purchasing property and foreign cars, such as a Porsche Cayenne and a BMW X5.

In May 2015, the Popelysh twins were detained once again during a joint special operation conducted by the Ministry of Internal Affairs and the Federal Security Service in St. Petersburg. Group-IB’s cyber forensic specialists and representatives from the Group’s Investigation Department were called in as experts during the search. When officers cut through the metal door to the apartment where the Popelysh brothers were living, the pair attempted, in panic, to flush half a million rubles, flash drives, and SIM cards down the toilet. In case of a police raid, the brothers had even made an electromagnetic device to erase computer drives.

The Popelysh twins and their accomplices were charged with the creation and use of malicious computer programs (Article 273 of the Criminal Code of the Russian Federation), illegal access to computer information (Article 272 of the Criminal Code of the Russian Federation) and fraud (Article 159 of the Criminal Code of the Russian Federation).

Due to the significant number of victims and the extensive amount of evidence gathered, the investigation and criminal proceedings in the “Popelysh case” lasted for almost three years. It was only a few days ago, in 2018, that a trial took place, enabling the case to be brought to a logical end and a sentence to be passed. The first time around, the Popelysh twins received too mild a sentence: they were released on probation and resumed their old criminal ways. This time, the members of the group were given real sentences, 10 years’ imprisonment. The Popelysh case is a clear example that shows that cybercrime needs to be punished as severely as possible.

Sergey Lupanin

Head of Group-IB’s Investigation Department

On Monday, June 18, the Savelovsky District Court of Moscow found all defendants guilty: Evgeny and Dmitry Popelysh were sentenced to 8 years’ imprisonment, Sarbin to 6 years, Sharychev to 5 years, Vyukov to 4 years, and Belsky received a suspended sentence.

About Group-IB

Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses, citizens, and support law enforcement operations.

Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.

Group-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.

The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely.

Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.

The comprehensive suite includes the world’s most trusted Threat Intelligence, the most complete Fraud Protection, AI-powered Digital Risk Protection, multi-layered protection with Managed Extended Detection and Response (XDR), all-infrastructure Business Email Protection, and External Attack Surface Management.

Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.

Time and again, its solutions and services have been revered by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost & Sullivan, KuppingerCole Analysts AG, and more.

Being an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.