FBI takes down hacker platform Deer.io

The FBI on Tuesday shut down Deer.io, a Russia-based platform catering to cybercrooks that offered turnkey online storefront design and hosting and a place where they could sell and advertise their wares, including ripped-off credentials, hacked servers, hacking services, gamer accounts and more.

Earlier this month, the bureau nabbed the guy they think was running the show: 28-year-old Kirill Victorovich Firsov, whom the FBI arrested on 7 March 2020 in New York City. He’s been federally charged with unauthorized solicitation of access devices, which carries a maximum penalty of 10 years in prison, though maximum sentences are rarely handed out.

Deer.io was a top market for stolen accounts: a place where crooks could buy and sell credentials for hacked accounts siphoned off of malware-infected computers, PII, and financial and corporate data.

The unsealed indictment claims that Deer.io started up around October 2013 and claims to host over 24,000 active shops. Up until the FBI jammed a stick in its spokes, the platform was doing brisk business, with sales exceeding $17 million, selling hacked accounts for video streaming services like Netflix and Hulu and social media platforms such as Facebook, Twitter and Vkontakte (the Russian equivalent of Facebook). It was also selling phony social media accounts, which are popular for crooks running online dating scams.

Court documents claim that Firsov is a Russian hacker and allegedly the administrator of Deer.io. He not only managed the platform, the indictment alleges; he also advertised it on other forums that catered to hackers.

A federal complaint says that the criminally inclined could order a variety of things on Deer.io virtual stores, which offered hacked and/or compromised financial and corporate data from US and international victims and PII such as usernames, passwords, taxpayer IDs, dates of birth and victims’ addresses. It was as easy as ordering from Amazon: you could get to the Deer.io platform with a web browser, and from there you could get to storefronts running under the Deer.io domain.

Visitors could search for hacked accounts from specific companies or PII from specific countries. Users could also navigate through the platform, scanning stores advertising an array of hacked accounts or cybercriminal services for sale, the Department of Justice (DOJ) says.

Purchases were also conducted using cryptocurrency, such as Bitcoin, or through Russian-based money transfer systems. The Deer.io platform removed any friction involved in setting up shop: it gave shop owners an easy-to-use interface that enabled automated purchase and delivery of criminal goods and services.

After a client purchased access, the site held their hand to guide the newly minted shopkeeper through an automated set-up to upload their products and services and to configure cryptocurrency wallets to collect payments for purchases. All that, for bargain basement prices: the DOJ says that as of 2019, cybercriminals could buy a storefront directly from the Deer.io website for 800 Rubles per month (the DOJ says that was about USD $12.50, though at current rates, it’s even cheaper: it’s down to about USD $10 or £8.50). The monthly fee was payable by Bitcoin or a variety of online payment methods such as WebMoney, a Russian version of PayPal.

The FBI’s investigation included a Deer.io shopping spree. Earlier this month, agents made these buys:

  • About 1,100 gamer accounts, including usernames and passwords, for under $20 in Bitcoin. Those accounts often have linked payment methods that hackers can use to make purchases on the real owners’ dime.
  • About 999 individual PII accounts for about $170 in Bitcoin.
  • On the same day, it bought another 2,650 accounts for about $522 in Bitcoin. That bought them names, dates of birth and US Social Security numbers: all the data you need to do identity theft and pull off financial fraud.

These purchases confirmed that Deer.io shops were selling the real deal: it was all authentic information, as opposed to fake data.

Firsov is scheduled to make a 16 April appearance before the Southern District of California Court, which issued the order to seize Deer.io.


Latest Naked Security podcast

go top