19 June 2018

Popelysh twins jailed the second time around

Court finds members of the criminal group guilty of the theft of 12.5 million rubles ($437,000 at then exchange rate) from 7000 Russian bank accounts

Yesterday, on June 18, the Savelovsky District Court of Moscow convicted members of the hacker group headed by twin brothers from St. Petersburg Dmitry and Evgeny Popelysh. From March 2013 to May 2015, the Popelysh brothers’ group gained access to more than 7000 customer accounts at leading Russian banks and stole more than 12.5 million rubles. The Popelysh twins committed these crimes with unspent convictions: they received suspended sentences in 2012 for theft against bank customers. Group-IB’s forensic specialists were involved in the investigation and gave evidence as experts in court, helping to bring the Popelysh case to its logical conclusion — a court sentence.

The 23-year-old Popelysh twins made their first attacks on bank customers in 2010, in collaboration with Alexander Sarbin, a 19-year-old hacker from Kaliningrad. The criminals infected users’ computers with the Trojan.Win32.VKhost malware, which, when the victim opened the official online banking site of a major Russian bank, redirected them to a phishing page. There, under the pretext of a change in security policy, the user was asked to enter their login, password and a confirmation code from the bank’s scratch card. Using this data, the criminals withdrew money through the genuine remote banking site.

In the short period from September to December 2010, Sarbin and the Popelysh twins stole approximately 2 million rubles from 16 customers. By February 2011, 170 customers of Russian banks from 46 regions in the country had fallen victim to the criminals, bringing the total amount of funds stolen to 13 million rubles.

The hackers were arrested in spring 2011 but received only mild sentences. In September 2012, the Chertanovsky District Court of Moscow gave them 6 years’ imprisonment, suspended, with a 5-year probation period. Once released, the brothers reverted to their old habits: they equipped themselves with new malware, QHost and Patched.IB, automated the theft process, and continually modified the malware itself to avoid detection by anti-virus systems.
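The article does not say how Trojan.Win32.VKhost or QHost carried out the redirect from the bank’s real site to the phishing page; a common way for this family of Trojans to do it is to rewrite the local hosts file so that the bank’s hostname resolves to an attacker-controlled address. The following is an added example, not code from Group-IB or from the case materials, of a check an incident responder can run against a hosts file to spot that kind of tampering. The watched bank domains, the IP addresses and the sample hosts file are all constructed for illustration, and the hosts-file mechanism itself is an assumption, not something the article states.

```python
"""Flag hosts-file entries that hijack banking hostnames.

Added example (not from the article). Assumption: the Trojan redirects by
rewriting the hosts file so a bank hostname maps to an attacker IP.
The watch list, sample addresses and sample hosts text are constructed.
"""
import ipaddress
import sys

# Constructed (hypothetical) list of banking hostnames the check cares about.
WATCHED_DOMAINS = {"online.examplebank.ru", "ib.examplebank.ru"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments/blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                        # an IP with no names is useless
            continue
        ip, *names = parts
        for name in names:
            yield ip, name.lower().rstrip(".")


def _is_benign_target(addr):
    """Loopback, unspecified and the broadcast address are not a redirect to
    an attacker; anything else mapped to a bank hostname is suspicious."""
    return addr.is_loopback or addr.is_unspecified or str(addr) == "255.255.255.255"


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for watched names (or their subdomains) that the
    hosts file maps to a non-benign address."""
    hits = []
    for ip, name in parse_hosts(text):
        if name not in watched and not any(name.endswith("." + w) for w in watched):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((name, ip))               # malformed address: still report it
            continue
        if _is_benign_target(addr):
            continue
        hits.append((name, str(addr)))
    return hits


# Constructed sample hosts file (not a real capture). 203.0.113.0/24 is a
# documentation range standing in for an attacker-controlled address.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
255.255.255.255 broadcasthost
127.0.0.1       ib.examplebank.ru        # sinkhole-style entry, not a hijack
203.0.113.7     online.examplebank.ru    # injected entry: bank -> attacker IP
0.0.0.0         ads.example.net
"""


def main(argv):
    # Pass a path (Windows: C:\Windows\System32\drivers\etc\hosts,
    # Linux/macOS: /etc/hosts) to scan a live file; otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    hits = find_hijacks(text)
    for name, ip in hits:
        print(f"HIJACK? {name} -> {ip}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample the check reports only the entry that sends online.examplebank.ru to 203.0.113.7; the loopback mapping of ib.examplebank.ru is left alone, since it blocks rather than redirects. In a real investigation the watch list would be the customer’s actual banking hostnames, and any hit should be followed up by resolving the name over DNS from a clean host and comparing the two answers.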

The Popelysh twins headed a group which included «programmers», «traffers» — people who spread the malware, «crypters» — specialists who regularly updated (modified) the malware codes, «money mules» — people who cashed the stolen money, and «callers». The latter posed as bank employees and rang up customers who had left their card and telephone numbers on the fake website to persuade them to disclose the transfer confirmation code. This type of fraud is called vishing (voice phishing) — a type of phishing where voice communication is used to obtain confidential data.

From March 2013 to May 2015, the Popelysh twins’ group gained access to more than 7000 customer accounts at various Russian banks and stole more than 12.5 million rubles. Each month, the brothers earned an average of 500,000 to 1.5 million rubles. They spent the money on purchasing property and foreign cars, such as a Porsche Cayenne and a BMW X5.

In May 2015, the Popelysh twins were detained once again during a joint special operation conducted by the Ministry of Internal Affairs and the Federal Security Service in St. Petersburg. Group-IB’s cyber forensic specialists and representatives from the Group’s Investigation Department were called in as experts during the search. When officers cut through the metal door to the apartment where the Popelysh brothers were living, the pair attempted, in panic, to flush half a million rubles, flash drives, and SIM cards down the toilet. In case of a police raid, the brothers had even made an electromagnetic device to erase computer drives.

The Popelysh twins and their accomplices were charged with the creation and use of malicious computer programs (Article 273 of the Criminal Code of the Russian Federation), illegal access to computer information (Article 272 of the Criminal Code of the Russian Federation) and fraud (Article 159 of the Criminal Code of the Russian Federation).

Due to the significant number of victims and the extensive amount of evidence gathered, the investigation and criminal proceedings in the “Popelysh case” lasted for almost three years. It was only a few days ago, in 2018, that a trial took place, enabling the case to be brought to a logical end and a sentence to be passed. The first time around, the Popelysh twins received too mild a sentence: they were released on probation and resumed their old criminal ways. This time, the members of the group were given real sentences, 10 years’ imprisonment. The Popelysh case is a clear example that shows that cybercrime needs to be punished as severely as possible.

Sergey Lupanin

Head of Group-IB’s Investigation Department

On Monday June 18, the Savelovsky District Court of Moscow found all defendants guilty — Evgeny and Dmitry Popelysh were sentenced to 8 years’ imprisonment, Sarbin — 6 years, Sharychev — 5 years, Vyukov — 4 years, and Belsky received a suspended sentence.

Group-IB is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigation of high-tech crimes and intellectual property protection, headquartered in Singapore. The company’s threat intelligence and research centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), Europe (Amsterdam), and Russia (Moscow).

Group-IB’s Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester, and IDC. Group-IB’s Threat Hunting Framework (earlier known as TDS), intended for the proactive search for and protection against complex and previously unknown cyberthreats, has been recognized as one of the leaders in Network Detection and Response by the leading European analyst agency KuppingerCole Analysts AG, while Group-IB itself has been recognized as a Product Leader and Innovation Leader. Gartner identified Group-IB as a Representative Vendor in Online Fraud Detection for its Fraud Hunting Platform. In addition, Group-IB was granted Frost & Sullivan’s Innovation Excellence award for its Digital Risk Protection (DRP), an AI-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks with the company’s patented technologies at its core.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 18 years of hands-on experience in cybercrime investigations worldwide and 70,000 hours of cybersecurity incident response accumulated in our leading forensic laboratory, high-tech crime investigations department, and round-the-clock CERT-GIB. Group-IB is a partner of Europol.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.
