Background
In the 2010s the number of attacks on Russian banks and their clients soared. At the time, cybercrime groups were keen to focus on Russia because the risks were relatively low and security at Russian banks was weak. Hackers were developing hardware, malware, and automation tools to break into banking systems, ATMs, and customer accounts.
Internet banking was one of the key targets. To gain access to bank accounts, threat actors typically used PC Trojans that redirected victims to phishing pages. Infection was streamlined and thefts were carried out automatically. By early 2013, Group-IB was aware of eight criminal groups in Russia that specialized in stealing via Internet banking. According to Group-IB's estimates, between June 2013 and June 2014 the entire cybercrime market in Russia amounted to $2.5 billion, of which about $290 million was stolen from Internet banking.
One of the most dangerous groups, greatly ahead of its time when it came to attacks on Internet banking, was PhishEye. Group-IB, which was only a small cybersecurity company at the time, put a huge amount of effort into helping law enforcement to hold the group accountable for many crimes.
PhishEye gained access to bank accounts using PC Trojans and social engineering. The threat actors posed as bank staff to trick victims into reading out SMS verification codes, which were then used to steal money. The investigation into the crimes revealed that the masterminds were twin brothers living in St Petersburg.
Impact
As a result of the investigation, threat actors almost completely stopped using Windows Trojans to steal from individuals. The arrest and harsh sentencing of the group members showed other perpetrators that punishment would follow the crime. Unfortunately, cybercriminals then shifted their focus from PC Trojans to mobile malware and continued to attack banking clients.
Behind the scenes
In May 2015, the Popelysh twins and their accomplices were arrested in a special law enforcement operation. Group-IB's digital forensics and investigation experts took part in the search and seizure. The criminals were well prepared for a police raid: they had an armored door, they had set up coded SMS alerts telling group members to destroy data, and they even kept an electromagnetic device (a degausser) to wipe computer drives.
When officers cut through the metal door of the apartment where the Popelysh brothers were living, the criminals panicked and tried to flush more than 500,000 rubles ($8,000), flash drives, and SIM cards down the toilet. Their efforts were in vain: the necessary evidence, including the computers used in the thefts, was collected for forensic analysis at Group-IB.
Storyline
The Popelysh brothers became interested in hacking in the 2000s, visiting underground forums, learning about phishing and Trojans, and building relationships with virus developers. By studying the forums, they figured out how to make money by targeting online banking systems.
The 23-year-old Popelysh twins carried out their first attacks on banking customers in 2010, together with Alexander Sarbin, a 19-year-old hacker. The criminals infected computers with a Trojan detected as Trojan.Win32.VKhost, which redirected customers from the official online banking service of a major Russian bank to a phishing page. On the phishing page, the user was asked, under the pretext of a change in security policy, to enter a login, password and confirmation code. With this data, the criminals logged into the genuine online banking site and withdrew the money.
Between September and December 2010, Sarbin and the Popelysh twins stole approximately $67,000 from 16 customers. By February 2011, 170 customers of Russian banks from 46 regions in the country had fallen victim to the criminals, bringing the total amount of money stolen to $448,000.
The hackers were arrested in the spring of 2011, after which Group-IB's digital forensics experts joined the investigation and examined the computers and storage devices seized in the apartment of the Popelysh brothers. By comparing malware samples found on the victims' computers with those on the suspects' machines, Group-IB established that the brothers had used the malware to gain unauthorized access to confidential information.
In addition, Group-IB found many traces of other illegal activity on one of the seized laptops. Despite the precautions the brothers had taken, our experts found proof of visits to the phishing pages in the browser history of a virtual machine and concluded that they had tested the functionality of the pages and of the VKhost malware. Our findings provided solid evidence supporting the case against the fraudsters. Nevertheless, the hackers received only mild sentences. In September 2012, the court gave them six-year suspended sentences with five years' probation, plus fines.
As soon as they were released, the brothers reverted to their old habits. They equipped themselves with new malware (QHost and Patched.IB), automated the theft process, and continually updated the malware themselves, which allowed them to evade anti-virus systems.
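The redirect described above (a victim opening the bank's real address and landing on the phishing page) is the kind of thing a forensic examiner checks for first. The following is an added example, not Group-IB's own tooling or anything recovered from the seized machines; it assumes, as QHost-class Trojans commonly do, that the redirect was implemented by writing rogue entries into the local hosts file. The watched domain names and the sample hosts file are constructed. It flags watched domains pinned to a remote address ("hijack") separately from those pinned to loopback ("blackhole", the companion trick of cutting off anti-virus update servers).

```python
"""Scan a hosts file for entries that hijack or blackhole watched domains.

Added example (not from the original page). Assumption: the Trojan redirected
victims by editing the hosts file. Domains and sample data are constructed.
"""
import ipaddress
import os

# Constructed watch list: a bank's domain and an anti-virus vendor's domain.
# Subdomains of these are matched too.
WATCHED_DOMAINS = {"examplebank.ru", "av-vendor.example"}

# Constructed sample hosts file: lines 2-3 are normal, lines 4-7 are planted.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   online.examplebank.ru  www.online.examplebank.ru
198.51.100.23   ibank.examplebank.ru   # keep
::ffff:198.51.100.23 Online.ExampleBank.ru
127.0.0.1       update.av-vendor.example
"""


def hosts_path():
    """Platform-appropriate location of the hosts file."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (line_no, ip_text, [hostnames]) per effective line; comments stripped,
    hostnames lower-cased so case tricks do not evade the match."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        yield n, parts[0], [h.lower() for h in parts[1:]]


def is_local(ip_text):
    """True for loopback/unspecified addresses: such entries block a host
    rather than send its traffic to an attacker-controlled server."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address: treat as suspicious, not local
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is the same host as a.b.c.d
    return ip.is_loopback or ip.is_unspecified


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return (line_no, hostname, ip_text, kind) for every watched domain or
    subdomain found in the hosts text; kind is 'hijack' or 'blackhole'."""
    findings = []
    for n, ip_text, hosts in parse_hosts(text):
        for h in hosts:
            if any(h == d or h.endswith("." + d) for d in watched):
                kind = "blackhole" if is_local(ip_text) else "hijack"
                findings.append((n, h, ip_text, kind))
    return findings


if __name__ == "__main__":
    for line_no, host, ip_text, kind in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:9} {host} -> {ip_text}")
    # On a live system: find_hijacks(open(hosts_path(), encoding="utf-8").read())
```

Matching on parent domains rather than exact names matters because the planted entries in the wild vary the subdomain (www, online, ibank) to cover every address the victim might type. A clean result does not prove the absence of a redirect, since the same effect can be achieved with a DNS change or a browser proxy setting; the hosts file is simply the cheapest place to look first.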
The twins headed a group that included programmers, "traffers" (people who spread the malware), "crypters" (who regularly repacked or modified the malware code to evade detection), "money mules" (people who cashed out the stolen money), and "callers". Callers posed as bank employees and rang customers who had entered their card details and telephone numbers on the fake website, persuading them to disclose the transfer confirmation code. This type of fraud is called vishing: voice phishing, in which a phone call is used to obtain confidential data.
Between March 2013 and May 2015, the Popelysh twins gained access to more than 7,000 customer accounts at various Russian banks and stole more than $320,000. Each month, the brothers made an average of $13,000 to $38,000. They spent the money on property and luxury cars, including a Porsche Cayenne and a BMW X5.
In May 2015, the twin brothers were arrested during a police operation in St Petersburg. In addition to the leaders, a number of their accomplices were also detained. Group-IB experts worked with law enforcement to collect and analyze evidence from the devices seized during the search.
And justice for all
The Popelysh twins and their accomplices were charged with creating and using malware, illegal access to computer information, and fraud. The twins committed these crimes with unspent convictions: they had already received suspended sentences in 2012 for theft from banking customers. Group-IB's forensic specialists took part in the investigation and testified as expert witnesses in court, helping to bring the case to its logical conclusion: a court sentence.
On June 18, 2018, the court found all defendants guilty. Evgeny and Dmitry Popelysh were sentenced to eight years in prison. Their accomplices also received prison and suspended sentences.
Conclusion
For a long time, cybercriminals in Russia felt almost untouchable. They usually received remarkably light sentences for large-scale thefts. The PhishEye case showed that unpunished crime only escalates: even while on trial for their earlier crimes, the threat actors continued to steal. Over three years, Group-IB's High-Tech Crime Investigation Unit and Digital Forensics Lab meticulously collected and analyzed digital evidence, which was then presented in court. Ultimately, this evidence helped bring the criminals to justice.
The PhishEye case was one of the most high-profile and unprecedented in Russia at the time, despite the relatively small total stolen compared with later thefts. For the first time in Russia, the masterminds of a phishing operation were prosecuted: first with a suspended sentence, and then with a custodial one. The case was a turning point in the investigation of cybercrime and eventually contributed to tougher penalties for cybercriminals.