Authors: Brian Krebs
Tags: #Political Science, #Security (National & International), #Business & Economics, #Industries, #Computers & Information Technology, #Pharmaceutical & Biotechnology
“The whole Russian Internet knew there was supposed to be an Rx-Promotion party in Moscow, and obviously everyone would expect logotypes of Rx-Promotion,” Vrublevsky tells me, chain-smoking Marlboros in his company’s cramped boardroom, which features an enormous, outdated map of the world flanked by swords and a giant red Soviet-era flag.
“And for some reason,” he continued, speaking about himself in the third person, “everyone expected Mr. Vrublevsky would show up there. Obviously, Mr. Vrublevsky would probably not be able to control every motherfucker with a cell-phone camera around. And for that reason, Mr. Vrublevsky decided not to be there. At the same time, someone else decided to remove all of the Rx-Promotion logos around.
“Mr. Vrublevsky flies to the Maldives to have a one-week vacation. He then gets a phone call that there are five buses of special forces from Russian DEA going to that party, closing down Golden Palace and two nearby cafes, just for the reason that there are too many special forces and dogs and cameras. Getting in there just to find out some very stupid shit: there is no Mr. Vrublevsky, no logotype, absolutely nothing to shoot on their video.”
The story about how police raided the Rx-Promotion party to dig up dirt on its founders and affiliates was certainly amusing, but it appears to have simply been one of nine such casino raids and nearly one hundred “gambling den” raids that were conducted in 2011 by a new antigambling sheriff of Moscow, Anatoly Andreev.
After relating this seemingly random anecdote to me, Vrublevsky asks Vera to bring us some coffee and we make some small talk about the Moscow traffic and about the man stomping above us, shoveling huge mounds of snow off the building’s roof. I ask Vrublevsky a bit about his family, and he says with a knowing smile and a sardonic laugh that his father worked for many years as a researcher at Nycomed, a large European pharmaceutical company.
I ask him about the origin of the sword that flanks the Soviet flag standing behind my chair. Vrublevsky tells me a long story about how it was presented to him by the leader of the capital of Dagestan, whom he describes as a close personal friend. He doesn’t tell me the guy’s name, only that he was—at least at one time—mayor of Makhachkala. According to the Moscow Times, that person is likely Said Amirov, a four-time mayor who is said to have survived more than fifteen assassination attempts and is paralyzed from the waist down. Also, according to a February 2014 story in the Moscow Times, Amirov is currently on trial after being charged in 2013 with illegal arms trafficking, so it’s pretty funny that he gave Vrublevsky a sword.
“It turns out that the main dude I was with there, his uncle was the mayor of [Dagestan’s capital city] Makhachkala,” Vrublevsky recalled. “This mayor guy is the most blown-up guy in the world. This mayor dude has been blown up like thirteen fucking times. They didn’t kill him—he’s in a wheelchair. But once the local terrorist groups blew up a whole neighborhood just to try to kill him. Not just one building, but the whole neighborhood.”
Vrublevsky dodges direct questions about why he was in the turbulent mountainous Russian republic, a mostly Muslim region that borders Georgia and the breakaway regions of Chechnya. But it is likely that Vrublevsky passed through the region on a side trip from Baku, Azerbaijan. The leaked ChronoPay emails show that executives visited Baku on several occasions to keep up relations with Bank Standard, an Azerbaijani financial institution that processed huge volumes of payments for ChronoPay’s rogue antivirus programs and Rx-Promotion’s pharmacy sites.
I change the subject and ask Vrublevsky if he’d discovered who was responsible for leaking ChronoPay’s internal documents.
He responds, “The leak was done from within the company, from within the IT department. They realized they were going to get caught stealing money. So, first they disrupted [the] internal accounting system, which made this compromat useless for law enforcement, because we simply don’t have any accounting database. It was destroyed before [the] compromat went out.”
I push a manila folder full of printed emails across the table toward Vrublevsky. “Well, whoever it was also sent about 30,000 internal ChronoPay emails. This was part of the original package they had sent me of ChronoPay email from the beginning of 2009 through the middle of 2010.”
Vrublevsky lazily leafs through a few of the pages, shrugs, and then shoves the folder back across the table. “I’m not surprised at all.”
I’m not deterred by his vagueness. “It’s a pretty rich collection of documents. You might find it interesting. There is a lot of damning stuff in there, and none of it too flattering about you or ChronoPay. But I guess you’ve already seen most of those emails.”
“Could be. There are a lot of ‘buts’ there.”
I persist. “Buts or no, the documents show me that you haven’t been truthful with me at all, Pavel.”
“Oh? On what?” he asks vaguely.
“On a lot of things. For starters, remember the first story I wrote about ChronoPay? The rogue antivirus piece back in 2009? You said you didn’t have anything to do with that industry.”
“Yeah, so what’s the story?”
“You tell me! As far as I can tell, the story is that you guys set up an entire cybercrime industry and paid for the domains and processing for it.”
“Yeah, so what? I’ve told you about this before: this is what all processors do, and nobody is able to disclose this to you for a very simple reason. It violates Visa and MasterCard rules. Visa and MasterCard know everyone is doing this, but by rules it’s illegal. When you register merchant IDs, this is part of the service you provide. Plus you do customer support which is related to that.”
Finishing his coffee and lighting another cigarette, Vrublevsky refers to my 2009 Washington Post story that drew multiple connections between him and ChronoPay and the rogue antivirus industry.
I couldn’t believe my ears; Vrublevsky had admitted that many of the companies which ChronoPay claimed to represent as clients were in fact set up and run by ChronoPay employees.
“Here’s your mistake. By the time which correlates with your story, we did not know too much about spyware. But that company which you tracked was not used for spyware only. It was used for a bunch of shit. You can go and dig into Wirecard and Visa Iceland and you’ll find the same shit. The reason is when you open a merchant ID, you need to register it to a company, and that company should have a rock-solid look from [the] outside, like a legitimate website, et cetera. So most payment service providers, you basically register the companies yourself and monitor it from the inside.”
I counter, “You also never told me that ChronoPay was the processor for Rx-Promotion…”
“No, you’re right. I didn’t.”
“But it’s true, isn’t it?”
“Yes. Well, it used to be, anyway.”[16]
I was floored. “What do you mean? Not anymore? As of when?”
“My friend, if I was able to tell you that, I would be fucking happy to.”
“That’s it? What’s the deal there, Pavel? You know I’ve come a long way at great personal risk to interview you here in person. It’s really not nice to be like this.” I knew I was running a risk in challenging him but I needed answers.
Laughing again, he answers, “We dropped them as a client. It’s quite simple.”
“Rx-Promotion? When?”
“September of 2010. So I have had…a half-fucking-year to do nice legitimate business decisions.”
Vrublevsky makes a call and, speaking in Russian to Vera, asks her to bring us some more coffee.
I press on. “The people who released the documents about your company have a lot of information about your operations.”
“They used to steal money from within here, obviously they do. But they’re not going to get anywhere with this.”
“Why not?”
“You see, compromat is not enough to fuck someone. You also need to have the possibility to prove something, and to do that, you need to know how it works. The people who released this information made a lot of mistakes. I spread information around quite carefully. You can see basically who was the one spreading the information, not from the information itself, but the information that surrounds it. You know what they don’t know. You can figure out quite simply who was doing this based on what he knows and what he doesn’t.”
Beautiful Vera, nervously smiling at us both and somehow sensing the conversation has turned more intense, steps gingerly into the conference room, sets cups of coffee before us both, and quickly leaves. I’m baffled by Vrublevsky’s response, but I don’t want to interrupt him. “Okay,” I said. “Go on.”
“Brian, there is one other thing not related to this exactly, a thing that surprises me.”
“What’s that, Pavel?”
“When it comes to me…why is it again that you expect me to be truthful? Please remind me.”
I was a bit taken aback by how he cleverly turned the conversation back on me. “Call me old-fashioned. I guess when I ask a direct question, I expect an honest answer.”
“Ahahaha. A lot of people expect that. But coming back to the subject, I don’t see Rx-Promotion or much of this other shit in the compromat to be much of a problem. And I’ll tell you why: I really don’t violate too many laws.”
At this comment, I laugh so hard and so involuntarily that the coffee I just sipped almost comes spraying out my nose. It is all I can do to keep the coffee from spilling all over my suit and the boardroom table. We both share a nice laugh that helps defuse the tension.
Nevertheless, I could see that this was not going to be a fruitful line of inquiry. So I tried changing tack and pulled some printed ChronoPay emails out of my briefcase.
“I want to get your reaction to this ChronoPay internal email sent by ChronoPay’s chief of security, Vladimir Stepkov, dated March 16, 2010 with the subject, ‘Rx-promotion2 total earnings.’ It appears to describe your co-ownership of Rx-Promotion with Yuri ‘Hellman’ Kabayenkov. It reads: ‘Men, our beloved Kisilev gave the data on the cost of tech support. Pavel and Hellman divide all in half, and…’”
Interrupting my recitation, Vrublevsky is clearly annoyed and no longer smiling. “Whoa, whoa, Brian, whoa, wait! I have no fucking idea what’s going on here! I can’t really get too much into discussions between other people and me. So if you drop the scary questions shit, please, perhaps it’s better to move into normal talk.”
I remain silent for a few minutes. Vrublevsky continues, smirking again and lighting another Marlboro before the one he was just smoking has been extinguished. I decide an awkward silence may prompt him to divulge more. But he isn’t having any of it.
“I’m not going to get deep into this Rx-Promotion shit, and you’re not going to figure out much of this for yourself. Same goes for spyware. I’m doing much better research when it comes to Gusev. Like the cops say, the best way to find out is when a person says it himself. This is not something I want to talk about. But I made you promises before to give you truthful answers to some questions. Not of course on all of them, but some.”
“I see. Well, just do me a favor, will you? Just let me know when you want to start doing that.”
We talked for more than three hours, and my additional direct questions elicited equally evasive and nonsensical responses from Vrublevsky. Exhausted, I finally packed up my things and thanked him for making time for me. On the way out, Vrublevsky showed me around the building that ChronoPay’s offices were housed in, which according to him was an edifice of historic value.
As we descended the stairs to the parking garage, he pointed out a door directly one floor below the entrance to ChronoPay’s office. On the door was a sign that read, “Russian Association of Electronic Communications.” RAEC is a lobbying firm whose principal organizer, according to leaked ChronoPay documents, was being paid a monthly salary by ChronoPay. This was the same RAEC that had taken the lead in the campaign to organize Western media coverage of the criminal charges against Gusev as the “#1 spammer in Russia.”
I left Russia two days later, after declining two more invitations from Vrublevsky to meet. Our meeting had annoyed and unnerved me. I had spent the previous eight months listening to him lie to me over the phone about various topics, but to see him do it so flagrantly and openly to my face was aggravating and left me extremely uneasy around him.
I didn’t expect much from Vrublevsky, so I wasn’t terribly surprised when he stonewalled me at our interview. He did, however, confirm several important pieces of information. ChronoPay was deeply involved in not only processing payments for fake antivirus companies and the pharmacy affiliate partnerka Rx-Promotion, but it was primarily responsible for creating and fostering these enterprises.
Vrublevsky’s overconfidence in his claim that he really doesn’t break too many laws turned out to be misplaced. Four months after our visit, Russian federal investigators issued an arrest warrant for him in connection with a massive cyberattack on ChronoPay’s top competitor, a Russian payment processing company called Assist. Vrublevsky was later arrested, tried, found guilty, and sentenced to a two-and-a-half-year stint in a Russian penal colony. In May 2014, barely a year into his sentence, he was inexplicably released from prison.
Despite my disappointment over my visit with Vrublevsky, it did help me piece together a more complete picture of this fraud ecosystem—and that had always been my goal. At this point, I’d interviewed dozens of buyers who helped to perpetuate the spam problem, and I’d tracked down some of the world’s most notorious spammers. It was time to press forward and dive into the trenches with the spam fighters on the front lines of this incessant, borderless war.
16. Finally, we were getting somewhere. Vrublevsky’s admission that his company was in fact closely involved in working with Rx-Promotion confirmed what was obvious from looking at several years’ worth of leaked ChronoPay emails and spreadsheets. In one of our marathon phone conversations prior to my visiting him in Moscow, Vrublevsky effectively acknowledged that the leaked documents and emails were legitimate when he grudgingly admitted to me that it would have been hard for even the Russian FSB to have faked as many documents as were leaked in the ChronoPay breach.