Russia's stolen-data industry
New ‘BBC’ report explores the black market for ‘data penetrations’
Last year, investigative journalists at Bellingcat and The Insider made international headlines by identifying the two Russian “tourists” suspected of carrying out a nerve-agent attack in Salisbury, England, as Russian military intelligence operatives. Part of that sleuth work relied on private data grabbed from government records in the “Rossisskii Passport” database. According to the website Rosbalt, the discovery prompted Russia’s intelligence community to launch a manhunt to track down the source of the leak. The journalists deny buying this information (Bellingcat says the spies’ passport data was provided by someone with access to the records), but there is an entire black market in Russia where scammers, private detectives, and even jealous spouses can pay hard money for anyone’s personal records. In a new report for the BBC Russian Service, Andrey Zakharov managed to buy his own phone and bank information, learning how this illegal industry operates in Russia. Meduza summarizes what he discovered.
Unlike various leaked databases floating around on the Internet, “online penetrations” target specific individuals, stealing their latest personal data. How is this possible? The people selling the information are ordinary staff at banks, telecommunications companies, and even government agencies. Every year, dozens in Russia are convicted of privacy invasion, violating private correspondence, and illegally disclosing commercial, tax, and banking secrets, but most “online penetration” crimes go unpunished, experts told the BBC.
What’s a typical “penetration” transaction?
In August 2017, a month after starting a job at “MTS” in Ryazan, a young man named Mikhail Kudukhov visits an online forum and offers to sell customer data. An anonymous Internet user soon agrees to pay 2,000 rubles (about $30) for a single client’s call records. Kudukhov posts the data in a cloud-hosted spreadsheet, and sends hyperlinks through an instant messenger. Repeating the same process, he sells the call records for another seven customers who live in cities across Russia (deleting and reinstalling his instant messenger after every transaction), before quitting the “penetration” business in November, afraid that he’ll be discovered. But it’s too late: MTS corporate security soon realizes what Kudukhov has done and reports him to the police. The following year, he’s sentenced to community service.
To see what’s possible in Russia’s “penetration” market, BBC correspondent Andrey Zakharov hired someone to steal his own phone records, as well as the records of a family member. He found an intermediary on an illegal online forum who arranged to get the data from staff at two different phone companies. For about 10,000 rubles ($155), transferred through Yandex.Dengi, Zakharov got accurate mobile-phone location data within a few hours.
There’s a market in Russia for bank records, as well. The BBC report describes one case from two years ago at a Sberbank call center, where a 21-year-old employee named Ilya Klimenko started advertising “penetrations” in an illegal forum, selling account passwords, balance information, and passport records for about 20,000 rubles ($310) per account. Klimenko sold about 20 customers’ data, collecting payments through “Qiwi,” before he was caught.
Clients at Russian banks aren’t the only ones at risk, based on court records and what the BBC found on illegal forums. There’s also a black market for data from foreign institutions’ Russian subsidiaries. Late last year, for example, a clerk at Raiffeisenbank was prosecuted for photographing customers’ account information and selling it online. The stolen data included clients’ mailing addresses, number of children, marital status, email addresses, telephone numbers, and account passwords.
There are also state employees willing to abuse their access to private data. In 2016, for example, a court outside Moscow convicted the deputy head of a Federal Tax Service field inspection department of selling people’s income and property records for 7,000 rubles ($110). More recently, in April 2019, a court in Nizhny Novgorod convicted two police officers of selling Interior Ministry data (mainly car-ownership records). The two brothers apparently earned at least 800,000 rubles ($12,375) in a single year.
According to Ashot Oganesyan, the chief technology officer at the data-leak-prevention company DeviceLock, Bellingcat’s use in 2018 of the “Rossisskii Passport” database led to a government crackdown that temporarily disrupted Russia’s “penetration” market, but it’s since rebounded. For instance, the BBC’s Andrey Zakharov was able to buy his own passport records from a vendor describing himself as “a detective agency.”
Why are civil servants and staff at banks and phone companies doing this?
Using court records, the BBC was able to contact two former telecom employees convicted of “online penetrations” who said, essentially, that they didn’t really care about their jobs and hoped to earn a little extra money on the side. The disrespect appears to be mutual: the BBC spoke to one intermediary in an illegal online forum who said low salaries in Russia guarantee a supply of illicit information, even if companies and police sometimes catch the data thieves.
Most “online penetrators” who are caught by corporate security, the police, or even the Federal Security Service are active for just a couple of months before they’re discovered. Reluctant to go into much detail, companies told the BBC that they use “trackers” that send alerts the moment employees wander into system records they shouldn’t be seeing. At call centers, video surveillance cameras monitor staff for anyone photographing their computer screens. Some businesses also monitor the illegal forums where “penetration” offers are posted, making controlled purchases and monitoring their networks to see who accesses the targeted data internally.
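The controlled-purchase check described above can be sketched as a correlation over an internal access log. This is an added example, not code from the BBC report or from any company's tooling; the log format, employee and account identifiers, and the ticket field are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed audit log: time, employee, action, account, ticket ("-" = none).
AUDIT_LOG = """\
2019-05-13T16:20:45 emp204 VIEW_CALL_DETAIL acct-7001 -
2019-05-14T09:02:11 emp117 VIEW_CALL_DETAIL acct-5550 TCK-88121
2019-05-14T10:41:37 emp204 VIEW_CALL_DETAIL acct-7001 -
2019-05-14T11:15:02 emp117 VIEW_CALL_DETAIL acct-7001 TCK-88140
2019-05-16T14:05:09 emp204 EXPORT_CALL_DETAIL acct-7002 -
2019-05-16T14:30:00 emp301 VIEW_PROFILE acct-7002 -
2019-05-16T19:00:00 emp204 VIEW_CALL_DETAIL acct-7002 -
"""

# Constructed controlled purchases: (monitored account, order placed, data delivered).
PURCHASES = [
    ("acct-7001", "2019-05-14T10:00:00", "2019-05-14T12:00:00"),
    ("acct-7002", "2019-05-16T13:30:00", "2019-05-16T15:00:00"),
]

def parse_log(text):
    """Yield (timestamp, employee, action, account, ticket) per log line."""
    for line in text.splitlines():
        ts, emp, action, acct, ticket = line.split()
        yield datetime.fromisoformat(ts), emp, action, acct, ticket

def suspects(log_text, purchases):
    """Rank employees by how many controlled purchases they match.

    A match is an access to the monitored account between order and
    delivery with no service ticket attached (assumed business rule:
    legitimate lookups always carry a ticket reference).
    """
    events = list(parse_log(log_text))
    hits = Counter()
    for acct, ordered, delivered in purchases:
        start = datetime.fromisoformat(ordered)
        end = datetime.fromisoformat(delivered)
        # Count each employee at most once per purchase.
        matched = {emp for ts, emp, _, a, ticket in events
                   if a == acct and start <= ts <= end and ticket == "-"}
        hits.update(matched)
    return hits.most_common()

if __name__ == "__main__":
    for employee, count in suspects(AUDIT_LOG, PURCHASES):
        print(f"{employee}: matched {count} of {len(PURCHASES)} purchases")
```

A single purchase usually leaves several candidates; repeating it against different monitored accounts narrows the list to whoever matches every window.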
Though dozens of people are convicted every year for offenses related to “online penetrations,” these cases rarely lead to prison sentences, and critics say the state doesn’t take this activity seriously, unless it affects Russia’s intelligence community. As a result, state investigators have little incentive to pursue these matters fully, and the clients paying for the stolen data usually go unidentified and unprosecuted. For example, a man in Kirov was recently notified that a Beeline employee in Nizhny Novgorod was charged with stealing and selling his phone records. The man told the BBC that he suspects his former employer was buying the data to track his contacts with former colleagues and customers, but the case ended there.
Who’s paying for all this stolen information?
According to the BBC, most of the buyers are scammers, private detectives, and businesses collecting data about suspicious employees and competitors. Sometimes the clients are also jealous husbands who want phone data about cheating wives, or family members seeking bank records from relatives with suspicious spending habits. Scammers can be the most dangerous: a clerk at Raiffeisenbank in Yaroslavl recently sold data that allowed scammers to steal almost 7 million rubles ($108,150) from two people’s accounts.
Summary by Kevin Rothrock