FBI Arrests Alleged Owner of Deer.io, a Top Broker of Stolen Accounts

FBI officials last week arrested a Russian computer security researcher on suspicion of operating deer.io, a vast marketplace for buying and selling stolen account credentials for thousands of popular online services and stores.

Kirill V. Firsov was arrested Mar. 7 after arriving at New York’s John F. Kennedy Airport, according to court documents unsealed Monday. Prosecutors with the U.S. District Court for the Southern District of California allege Firsov was the administrator of deer.io, an online platform that hosted more than 24,000 shops for selling stolen and/or hacked usernames and passwords for a variety of top online destinations.

An example seller’s panel at deer.io. Click image to enlarge.

The indictment against Firsov says deer.io was responsible for $17 million worth of stolen credential sales since its inception in 2013.

“The FBI’s review of approximately 250 DEER.IO storefronts reveals thousands of compromised accounts posted for sale via this platform and its customers’ storefronts, including videogame accounts (gamer accounts) and PII files containing user names, passwords, U.S. Social Security Numbers, dates of birth, and victim addresses,” the indictment states.

In addition to facilitating the sale of hacked accounts at video streaming services like Netflix and Hulu and social media platforms like Facebook, Twitter and Vkontakte (the Russian equivalent of Facebook), deer.io also is a favored marketplace for people involved in selling phony social media accounts.

For example, one early adopter of deer.io was a now-defunct shop called “Dedushka” (“grandpa” in transliterated Russian), a service offering aged, fake Vkontakte accounts that was quite popular among crooks involved in various online dating scams.

The indictment doesn’t specify how prosecutors pegged Firsov as the mastermind behind deer.io, but there are certainly plenty of clues that suggest such a connection. 

Firsov’s identity on Twitter says he is a security researcher and developer who currently lives in Moscow. Previous tweets from that account indicate Firsov made a name for himself after discovering a number of serious security flaws in Telegram, a popular cross-platform messaging application.

Firsov also tweeted about competing in and winning several “capture the flag” hacking competitions, including the 2016 and 2017 CTF challenges at Positive Hack Days (PHDays), an annual security conference in Moscow.

Isis’ profile on antichat.

Deer.io was originally advertised on the public Russian-language hacking forum Antichat by a venerated user in that community who goes by the alias “Isis.” A Google Translate version of that advertisement is here (PDF).

In 2016, Isis would post to Antichat a detailed writeup on how he was able to win a PHDays hacking competition (translated thread here). In one section of the writeup Isis claims authorship of a specific file-dumping tool, and links to a Github directory under the username “Firsov.”

In another thread from June 2019, an Antichat user asks if anyone has heard from Isis recently, and Isis pops up a day later to inquire what he wants. The user asks why Isis’s site — a video and music search site called vpleer[.]ru — wasn’t working at the time. Isis responds that he hasn’t owned the site for 10 years.

According to historic WHOIS records maintained by DomainTools.com (an advertiser on this site), vpleer was originally registered in 2008 to someone using the email address hm@mail.ru.

That same email address was used to register the account “Isis” at several other top Russian-language cybercrime forums, including Damagelab, Zloy, Evilzone and Priv-8. It also was used in 2007 to register xeka[.]ru, a cybercrime forum in its own right that called itself “The Antichat Mafia.”

A cached copy of the entry page for xeka[.]ru. Image courtesy archive.org.

More importantly, that same hm@mail.ru email address was used to register accounts at Facebook, Foursquare, Skype and Twitter in the name of Kirill Firsov.

Russian hacking forums have taken note of Firsov’s arrest, as they do whenever an alleged cybercriminal in their midst gets apprehended by authorities; typically such a user’s accounts are then removed from the forum as a security precaution. An administrator of one popular crime forum posted today that Firsov is a 28-year-old from Krasnodar, Russia who studied at the Moscow Border Institute, a division of the Russian Federal Security Service (FSB).

Firsov is slated to be arraigned later this week, when he will face two felony counts, specifically aiding and abetting the unauthorized solicitation of access devices, and aiding and abetting trafficking in “false authentication features.” A copy of the indictment is available here (PDF).