Menu

19 June

Popelysh twins jailed the second time around

Court finds members of the criminal group guilty of the theft of 12.5 million rubles ($437,000 at then exchange rate) from 7000 Russian bank accounts

Yesterday, on June 18, the Savelovsky District Court of Moscow convicted members of the hacker group headed by twin brothers from St. Petersburg Dmitry and Evgeny Popelysh. From March 2013 to May 2015, the Popelysh brothers’ group gained access to more than 7000 customer accounts at leading Russian banks and stole more than 12.5 million rubles. The Popelysh twins committed these crimes with unspent convictions: they received suspended sentences in 2012 for theft against bank customers. Group-IB’s forensic specialists were involved in the investigation and gave evidence as experts in court, helping to bring the Popelysh case to its logical conclusion — a court sentence.

The 23-year-old Popelysh twins made their first attacks on bank customers in 2010, in collaboration with Alexander Sarbin, a 19-year-old hacker from Kaliningrad. The criminals infected users’ computers with the Trojan.Win32.VKhost virus, which, when opening the official online banking services of a major Russian bank, redirected the customer to a phishing page. On this page, under the pretext of a change in the security policy, the user was asked to enter a login, password and confirmation code from the bank’s scratch card. Using this data, the criminals withdrew money via an authentic remote banking site.

In the short period from September to December 2010, Sarbin and the Popelysh twins stole approximately 2 million rubles from 16 customers. By February 2011, 170 customers of Russian banks from 46 regions in the country had fallen victim to the criminals, bringing the total amount of funds stolen to 13 million rubles.

The hackers were arrested in spring 2011 but received only mild sentences. In September 2012, the Chertanovsky District Court of Moscow sentenced them to 6 years’ imprisonment with 5 years’ probation. Once they were released, the brothers reverted to their old habits: they equipped themselves with new malware — QHost and Patched.IB, automated the theft process, and continually updated the viruses themselves in order to avoid being detected by anti-virus systems.

The Popelysh twins headed a group which included «programmers», «traffers» — people who spread the malware, «crypters» — specialists who regularly updated (modified) the malware codes, «money mules» — people who cashed the stolen money, and «callers». The latter posed as bank employees and rang up customers who had left their card and telephone numbers on the fake website to persuade them to disclose the transfer confirmation code. This type of fraud is called vishing (voice phishing) — a type of phishing where voice communication is used to obtain confidential data.

From March 2013 to May 2015, the Popelysh twins’ group gained access to more than 7000 customer accounts at various Russian banks and stole more than 12.5 million rubles. Each month, the brothers earned an average of 500,000 to 1.5 million rubles. They spent the money on purchasing property and foreign cars, such as a Porsche Cayenne and a BMW X5.

In May 2015, the Popelysh twins were detained once again during a joint special operation conducted by the Ministry of Internal Affairs and the Federal Security Service in St. Petersburg. Group-IB’s cyber forensic specialists and representatives from the Group’s Investigation Department were called in as experts during the search. When officers cut through the metal door to the apartment where the Popelysh brothers were living, the pair attempted, in panic, to flush half a million rubles, flash drives, and SIM cards down the toilet. In case of a police raid, the brothers had even made an electromagnetic device to erase computer drives.

The Popelysh twins and their accomplices were charged with the creation and use of malicious computer programs (Article 273 of the Criminal Code of the Russian Federation), illegal access to computer information (Article 272 of the Criminal Code of the Russian Federation) and fraud (Article 159 of the Criminal Code of the Russian Federation).

Due to the significant number of victims and the extensive amount of evidence gathered, the investigation and criminal proceedings in the „Popelysh case“ lasted for almost three years. It was only a few days ago, in 2018, that a trial took place, enabling the case to be brought to a logical end and a sentence to be passed. The first time around, the Popelysh twins received too mild a sentence — they were released on probation and resumed their old criminal ways. This time, the members of the group were given real sentences, 10 years’ imprisonment. The Popelysh case is a clear example that shows that cybercrime needs to be punished as severely as possible.

Sergey Lupanin

Sergey Lupanin

Head of Group-IB’s Investigation Department

On Monday June 18, the Savelovsky District Court of Moscow found all defendants guilty — Evgeny and Dmitry Popelysh were sentenced to 8 years’ imprisonment, Sarbin — 6 years, Sharychev — 5 years, Vyukov — 4 years, and Belsky received a suspended sentence.

Report an incident

24/7 Incident Response Assistance +7 495 984-33-64

* Your data is protected by Privacy Policy
Thank you!
We will contact you soon.