Estonia’s IT talents sold international services to cybercriminals

Andres Einmann
Photo: Sander Ilvest

An international investigation that has now reached court found IT talents residing in Estonia and Lithuania who had provided services to an international network of cybercriminals. The US Federal Bureau of Investigation (FBI), in cooperation with German, British and Estonian criminal investigation institutions, caught up with four men who for years helped cybercriminals attack the networks of US financial institutions and private computers, causing millions of dollars in losses.

In March and April, the US East Michigan district court found Aleksandr Grichishkin (34), Andrei Skvortsov (34), Pavel Stassi (30) and Aleksandr Skorodumov (33) guilty of providing services to cybercriminals. The first three operated in Estonia and the last in Lithuania. Grichishkin and Skvortsov are citizens of the Russian Federation and had Estonian residence permits, while Stassi is a citizen of Estonia. The fourth member of the gang, Skorodumov, has Lithuanian citizenship.

Remarkable even in the USA

Under US legal practice, the court first decides whether or not the defendant is guilty; if the defendant is found guilty, the judge pronounces the sentence later. The sentences of the Estonian-Lithuanian IT talents will be pronounced individually. The court has already announced the dates from June until September when each defendant will hear his sentence. They all might have to spend up to 20 years in prison.

US law enforcement institutions considered the arrest and conviction of the gang of service providers to cybercriminals important enough to send a press statement to the US media.

Timothy Waters, Special Agent in Charge of the FBI’s Detroit Field Office, remarked in the statement that “Over the course of many years, the defendants facilitated the transnational criminal activity of a vast network of cybercriminals throughout the world by providing them a safe-haven to anonymize their criminal activity.”

“This resulted in millions of dollars of losses to U.S. victims. Today’s guilty plea sends a message to cybercriminals across the globe that they are not beyond the reach of the FBI and its international partners, and that anyone who facilitates or profits from criminal cyber activity will be brought to justice,” Special Agent Waters said.

According to the charges, the four men provided so-called bulletproof hosting, i.e. rented Internet Protocol (IP) addresses, servers, and domains to cybercriminal clients, who used this technical infrastructure to disseminate malware used to gain access to victims’ computers, form botnets, and steal banking credentials for use in frauds. A botnet is a network of computers taken over by cybercriminals, which is used to break into systems. The four men constantly monitored the cyberspace under their control, and whenever law enforcement agencies were closing in on the criminals, they moved the entire network to new, safe infrastructure. To disguise their activities, they registered all such servers or domains under false or stolen identities.

The quartet offered their clients notorious automatic programs like Zeus, SpyEye, Citadel, and the Blackhole Exploit Kit, which constantly attacked U.S. companies and financial institutions between 2009 and 2015 and caused or attempted to cause millions of dollars in losses to U.S. victims.

The criminal talents from Estonia and Lithuania were able to operate for years before the FBI caught up with them. The investigation revealed that they had launched their activities back in 2009, when they were in their early twenties and Stassi even younger. The service providers to cybercriminals operated until 2015, when law enforcement finally caught them and closed down their business.

Division of tasks like in a regular company

The statements of the defendants showed that the Estonia-based Russian citizens Grichishkin and Skvortsov were founding members of the organization and its proprietors. The four had a clear division of tasks, like in a regular business. Skvortsov was responsible for marketing the organization’s criminal business and handled disgruntled clients.

Grichishkin was the organization’s manager; he handed out tasks to its members and oversaw their activities.

Skorodumov was the organization’s lead systems administrator who configured and managed the clients’ domains and IP addresses. If necessary, he provided technical assistance to help clients optimize their malware and botnets. He also monitored and responded to abuse notices.

Stassi conducted online marketing to the organization’s criminal clientele and used stolen and/or false personal information to register webhosting and financial accounts used by the organization.

The four men were convicted under the RICO (Racketeer Influenced Corrupt Organization) Act. RICO was introduced in the USA in 1970 in order to facilitate combating organized crime. The law makes it possible to bring members of a criminal organization to justice for crimes they did not directly commit. For example, the pre-RICO law permitted declaring a person not guilty for ordering an assassination, since the defendant had not personally committed the murder.