The Good, the Bad and the Ugly in Cybersecurity – Week 27

The Good

An alleged ransomware affiliate has reached a plea deal in the United States for collaborating with a ransomware-as-a-service (RaaS) gang.

The U.S. Department of Justice has identified the threat actor as a former employee of Public Services and Procurement Canada, the department that manages the Canadian federal government’s real estate. According to a recent report, the defendant pleaded guilty to hacking-related charges as a member of the NetWalker threat group, which offers ransomware-as-a-service and targets law enforcement, schools, higher education institutions and hospitals based in the United States.

Since its first sighting in 2020, security experts believe that the threat actors behind NetWalker have collected over $46 million in ransoms. But in March 2022, the Department of Justice announced that the U.S. government had extradited the defendant from Canada to Florida, seizing approximately $28 million USD of Bitcoin in the process.

This is a major victory for both victims of the NetWalker ransomware gang and international law enforcement. Many threat actors operate in areas that are difficult for U.S. law enforcement to reach, and as a result, often escape the trial process and accountability for their actions. Moreover, the defendant’s plea deal also contains an agreement to cooperate with prosecutors on related investigations, potentially giving international law enforcement the leads they need to eliminate other major threats in the cybersecurity landscape.

The Bad

The Black Basta ransomware group has struck again. Recently, New Peoples Bank, a community bank serving Virginia, West Virginia, Tennessee, and North Carolina, notified their customers of an “interruption” to their services that they discovered on June 15th, 2022.

Since its first sighting in April 2022, Black Basta has gained notoriety for launching double extortion attacks by leveraging older malware to establish a foothold in infected systems.

In their statement, New Peoples Bank detailed their investigation and response efforts, which include involving law enforcement, regulators and a third-party cybersecurity firm in the investigation. According to the latest findings, a threat actor gained access to the bank’s systems on June 9th and managed to evade existing security controls to access personally identifiable information, including customers’ Social Security numbers, driver’s license numbers, financial account information, and electronic signatures.

Despite the system outages, New Peoples Bank has confirmed that at the time of publication, all of the bank’s systems have been restored and all transactions from June 15th onwards have been processed. However, the bank has cautioned people to keep an eye on their account statements and credit reports for suspicious activity, and is offering a one-year membership to an identity protection and monitoring program to provide extra visibility.

Incidents like these show how emerging threats can impact organizations and enterprises, even when they have a security framework in place, and how vital it is to ensure that your cybersecurity program can stay ahead of new vulnerabilities and sophisticated threats.

The Ugly

This week, the FBI and the Western District of Oklahoma uncovered a group running a piracy scheme involving millions of dollars worth of stolen software licenses.

According to a press release from the U.S. Department of Justice, authorities have indicted three individuals for violating wire fraud and money laundering statutes while running an operation to sell over $88 million USD worth of licenses stolen from Avaya Holdings Corporation. These licenses were affiliated with Avaya’s IP Office phone system, and allowed customers to unlock premium features, including an expansion of a small or medium-sized business’ phone network or the addition of voicemail.

While these software licenses can only be generated by Avaya and sold by authorized distributors and resellers, one defendant used his system administrator privileges to not only generate software license keys to sell but also hijack accounts that belong to former Avaya employees to generate even more keys, and conceal his activity from the corporation for years.

While detailing the evidence surrounding the defendants’ money laundering, the indictment also discussed the unseen consequences of this piracy scheme. According to the press release, the $88 million in revenue these actors brought in allowed them to “undercut the global market” for Avaya’s software by selling software licenses for significantly below the company’s wholesale price. One defendant was even quoted as saying their collaboration could “corner” Avaya’s market.

This scheme offers a sobering reminder of how internal actors can pose a serious threat by leveraging lateral movement and privilege escalation. Although many design their cybersecurity programs to keep pace with outside threats, it’s important to have measures in place to detect and prevent suspicious activity from the inside. Without this preparation, companies stand to lose much more in the long run.

The Link Between AWM Proxy & the Glupteba Botnet

On December 7, 2021, Google announced it was suing two Russian men allegedly responsible for operating the Glupteba botnet, a global malware menace that has infected millions of computers over the past decade. That same day, AWM Proxy — a 14-year-old anonymity service that rents hacked PCs to cybercriminals — suddenly went offline. Security experts had long seen a link between Glupteba and AWM Proxy, but new research shows AWM Proxy’s founder is one of the men being sued by Google.

AWMproxy, the storefront for renting access to infected PCs, circa 2011.

Launched in March 2008, AWM Proxy quickly became the largest service for crooks seeking to route their malicious Web traffic through compromised devices. In 2011, researchers at Kaspersky Lab showed that virtually all of the hacked systems for rent at AWM Proxy had been compromised by TDSS (a.k.a. TDL-4 and Alureon), a stealthy “rootkit” that installs deep within infected PCs and loads even before the underlying Windows operating system boots up.

In March 2011, security researchers at ESET found TDSS was being used to deploy Glupteba, another rootkit that steals passwords and other access credentials, disables security software, and tries to compromise other devices on the victim’s network — such as Internet routers and media storage servers — for use in relaying spam or other malicious traffic.

A report from the Polish computer emergency response team (CERT Orange Polska) found Glupteba was by far the biggest malware threat in 2021.

Like its predecessor TDSS, Glupteba is primarily distributed through “pay-per-install” or PPI networks, and via traffic purchased from traffic distribution systems (TDS). Pay-per-install networks try to match cybercriminals who already have access to large numbers of hacked PCs with other crooks seeking broader distribution of their malware.

In a typical PPI network, clients will submit their malware — a spambot or password-stealing Trojan, for example — to the service, which in turn charges per thousand successful installations, with the price depending on the requested geographic location of the desired victims. One of the most common ways PPI affiliates generate revenue is by secretly bundling the PPI network’s installer with pirated software titles that are widely available for download via the web or from file-sharing networks.

An example of a cracked software download site distributing Glupteba. Image:

Over the past decade, both Glupteba and AWM Proxy have grown substantially. When KrebsOnSecurity first covered AWM Proxy in 2011, the service was selling access to roughly 24,000 infected PCs scattered across dozens of countries. Ten years later, AWM Proxy was offering 10 times that number of hacked systems on any given day, and Glupteba had grown to more than one million infected devices worldwide.

There is also ample evidence to suggest that Glupteba may have spawned Meris, a massive botnet of hacked Internet of Things (IoT) devices that surfaced in September 2021 and was responsible for some of the largest and most disruptive distributed denial-of-service (DDoS) attacks the Internet has ever seen.

But on Dec. 7, 2021, Google announced it had taken technical measures to dismantle the Glupteba botnet, and filed a civil lawsuit (PDF) against two Russian men thought to be responsible for operating the vast crime machine. AWM Proxy’s online storefront disappeared that same day.

AWM Proxy quickly alerted its customers that the service had moved to a new domain, with all customer balances, passwords and purchase histories seamlessly ported over to the new home. However, subsequent takedowns targeting AWM Proxy’s domains and other infrastructure have conspired to keep the service on the ropes and frequently switching domains ever since.

Earlier this month, the United States, Germany, the Netherlands and the U.K. dismantled the “RSOCKS” botnet, a competing proxy service that had been in operation since 2014. KrebsOnSecurity has identified the owner of RSOCKS as a 35-year-old from Omsk, Russia who runs the world’s largest forum catering to spammers.

The employees who kept things running for RSOCKS, circa 2016.

Shortly after last week’s story on the RSOCKS founder, I heard from Riley Kilmer, co-founder of, a startup that tracks criminal proxy services. Kilmer said RSOCKS was similarly disabled after Google’s combined legal sneak attack and technical takedown targeting Glupteba.

“The RSOCKS website gave you the estimated number of proxies in each of their subscription packages, and that number went down to zero on Dec. 7,” Kilmer said. “It’s not clear if that means the services were operated by the same people, or if they were just using the same sources (i.e., PPI programs) to generate new installations of their malware.”

Kilmer said each time his company tried to determine how many systems RSOCKS had for sale, they found each Internet address being sold by RSOCKS was also present in AWM Proxy’s network. In addition, Kilmer said, the application programming interfaces (APIs) used by both services to keep track of infected systems were virtually identical, once again suggesting strong collaboration.

“One hundred percent of the IPs we got back from RSOCKS we’d already identified in AWM,” Kilmer said. “And the IP port combinations they give you when you access an individual IP were the same as from AWM.”

In 2011, KrebsOnSecurity published an investigation that identified one of the founders of AWM Proxy, but Kilmer’s revelation prompted me to take a fresh look at the origins of this sprawling cybercriminal enterprise to determine if there were additional clues showing more concrete links between RSOCKS, AWM Proxy and Glupteba.


Supporting Kilmer’s theory that AWM Proxy and RSOCKS may simply be using the same PPI networks to spread, further research shows the RSOCKS owner also had an ownership stake in AD1[.]ru, an extremely popular Russian-language pay-per-install network that has been in operation for at least a decade.

Google took aim at Glupteba in part because its owners were using the botnet to divert and steal vast sums in online advertising revenue. So it’s more than a little ironic that the critical piece of evidence linking all of these operations begins with a Google Analytics code included in the HTML code for the original AWM Proxy back in 2008 (UA-3816536).

That analytics code also was present on a handful of other sites over the years, including the now-defunct Russian domain name registrar Domenadom[.]ru, and the website web-site[.]ru, which curiously was a Russian company operating a global real estate appraisal business called American Appraisal.

Two other domains connected to that Google Analytics code — Russian plastics manufacturers techplast[.]ru and — also shared a different Google Analytics code (UA-1838317) with web-site[.]ru and with the domain “starovikov[.]ru.”

The name on the WHOIS registration records for the plastics domains is an “Alexander I. Ukraincki,” whose personal information also is included in the domains tpos[.]ru and alphadisplay[.]ru, both apparently manufacturers of point-of-sale payment terminals in Russia.

Constella Intelligence, a security firm that indexes passwords and other personal information exposed in past data breaches, revealed dozens of variations on email addresses used by Alexander I. Ukraincki over the years. Most of those email addresses start with some variation of “uai@” followed by a domain from one of the many Russian email providers (e.g.,, [Full disclosure: Constella is currently an advertiser on this website].

But Constella also shows those different email addresses all relied on a handful of passwords — most commonly “2222den” and “2222DEN.” Both of those passwords have been used almost exclusively in the past decade by the person who registered more than a dozen email addresses with the username “dennstr.”

The dennstr identity leads to several variations on the same name — Denis Strelinikov, or Denis Stranatka, from Ukraine, but those clues ultimately led nowhere promising. And maybe that was the point.

Things began looking brighter after I ran a search in DomainTools for web-site[.]ru’s original WHOIS records, which shows it was assigned in 2005 to a “private person” who used the email address A search in Constella on that email address says it was used to register nearly two dozen domains, including and starovikov[.]com.

A cached copy of the contact page for Starovikov[.]com shows that in 2008 it displayed the personal information for a Dmitry Starovikov, who listed his Skype username as “lycefer.”

Finally, Russian incorporation documents show the company LLC Website (web-site[.]ru) was registered in 2005 to two men, one of whom was named Dmitry Sergeevich Starovikov.

Bringing this full circle, Google says Starovikov is one of the two operators of the Glupteba botnet:

The cover page for Google’s lawsuit against the alleged Glupteba botnet operators.

Mr. Starovikov did not respond to requests for comment. But attorneys for Starovikov and his co-defendant last month filed a response to Google’s complaint in the Southern District of New York, denying (PDF) their clients had any knowledge of the scheme.

Despite all of the disruption caused by Google’s legal and technical meddling, AWM is still around and nearly as healthy as ever, although the service has been branded with a new name and there are dubious claims of new owners. Advertising customer plans ranging from $50 a day to nearly $700 for “VIP access,” AWM Proxy says its malware has been running on approximately 175,000 systems worldwide over the last 24 hours, and that roughly 65,000 of these systems are currently online.

AWM Proxy, as it exists today.

Meanwhile, the administrators of RSOCKS recently alerted customers that the service and any unspent balances will soon be migrated over to a new location.

Many people seem to equate spending time, money and effort to investigate and prosecute cybercriminals with the largely failed war on drugs, meaning there is an endless supply of up-and-coming crooks who will always fill in any gaps in the workforce whenever cybercriminals face justice.

While that may be true for many low-level cyber thieves today, investigations like these show once again how small the cybercriminal underground really is. It also shows how it makes a great deal of sense to focus efforts on targeting and disrupting the relatively small number of established hackers who remain the real force multipliers of cybercrime.

The Good, the Bad and the Ugly in Cybersecurity – Week 26

The Good

This week saw good news as cops in Europe busted a gang said to be behind several million euros worth of fraud. In a joint operation run by Belgian and Dutch police, an organised crime group involved in phishing, fraud, scams and money laundering was dismantled.

As a result of the operation, police made nine arrests and seized electronic devices, designer jewelry, firearms, cryptocurrency and tens of thousands of euros in cash. The arrested individuals were men between the ages of 25 and 36 and a 25-year-old woman.


The gang’s MO involved sending victims phishing links via email, text messages and chat apps including WhatsApp. The links led to fake banking websites, where victims were lured into entering their banking credentials, which the gang subsequently harvested.

It is believed the gang stole several million euros and used money mules to cash out the proceeds. Investigators believe that the group may also have been involved in drugs and firearms trafficking.

While the victims appear to have largely been located in Belgium, the suspects were all arrested in the Netherlands. This is another good example of how important collaboration between different law enforcement agencies is in tackling the cross-border nature of cyber crime.

The Bad

Last month we reported on a new zero-click remote code execution vulnerability affecting the Microsoft Windows Support Diagnostic Tool (ms-msdt), popularly known as Follina and more formally tracked as CVE-2022-30190. This week, Ukrainian cyber defense outfit CERT-UA spotted exploitation of Follina via a lure document titled “Nuclear Terrorism A Very Real Threat.rtf”.

It seems that the Russian intelligence GRU-linked threat actor APT28 is using fear of nuclear war to distribute malware via a poisoned Word document.

APT28 Follina exploitation

According to other researchers, the document is weaponized with Follina and downloads and executes a .Net executable that steals cookies and saved passwords from Chrome, Edge and Firefox browsers. The stolen data is then exfiltrated via email to an attacker-controlled email account.

Several other attacks leveraging CVE-2022-30190 have been attributed to various APTs since Follina was first discovered four weeks ago, including Chinese-linked hackers and another Russian APT threat actor widely known as Sandworm. APT28 is just the latest jumping on the bandwagon.

While browser theft isn’t the most heinous of cyber crimes that organizations have to worry about, it’s worth remembering that credentials stored in browsers can provide threat actors with the kind of initial access they crave for long-tail hacks that are difficult to attribute or trace. It’s also a timely reminder for organizations to revisit their coverage for the Follina vulnerability. Microsoft finally got around to patching the flaw in its June 14th update and security teams are urged to ensure they take appropriate mitigation measures.

The Ugly

240 million users of cloud storage service MEGA received unwelcome news this week when researchers showed the company’s privacy claims fell somewhat short of the truth. MEGA advertises itself as offering “secure cloud storage and communication privacy by design”, boasting that “MEGA has a robust cryptographic process…no one will ever be able to access your data on MEGA. Even in the exceptionally improbable event MEGA’s entire infrastructure is seized!”


Unfortunately, it turns out that it is precisely the “robust cryptographic process” that is insecure. The research says that MEGA, or some entity with control over MEGA’s infrastructure, can decrypt user data and that a malicious service provider could insert files into a user’s cloud storage.

In an advisory, MEGA admitted that the research identified flaws that could be exploited “either by MEGA acting maliciously or by an external party acting similarly”. Presumably, that includes MEGA complying with any confidential law enforcement or government order it might be served with.

The problem lies in the way MEGA “rolled its own” cryptographic architecture, a double-whammy which means that while the company has patched the initial attack vector used by the researchers, it has not resolved the underlying weaknesses due to the complexity of its own architecture. The company did reward the research team from ETH Zurich with a “significant payment”, but whether MEGA users will be satisfied that their data remains unreadable by the company, law enforcement, or “bad actors” remains to be seen.

From the Front Lines | 3 New and Emerging Ransomware Threats Striking Businesses in 2022

In the first half of 2022, there has been no let-up in the number of attacks on businesses by ransomware operators. Conti, LockBit, BlackCat and the LAPSUS$ group may have been generating most of the prime-time cyber headlines, but a number of smaller players that have emerged or developed over recent months are quietly infiltrating companies, stealing their data and demanding high-dollar sums for file decryption and a promise not to leak sensitive company data.

In this post, we provide a high-level overview of three new ransomware threats that have recently emerged–Zeon, HelloXD, and Dark Angels–and provide technical indicators for each to aid threat hunting and intrusion detection teams.

1. Zeon Ransomware

Zeon ransomware was first observed in late January 2022. The group does not currently advertise its victims or data via a known public blog, although the dropped ransom note makes the usual threat of such public exposure for non-compliant victims, stating “We’ve downloaded a pack of your internal data and are ready to publish it on out [sic] news website if you do not respond”.

Zeon ransom note

The ransom note further prompts victims to visit a TOR-based payment portal to proceed with the payment. According to one source, victims must pay in XMR or BTC, with a 25% fee added in the case of the latter.

Observed Zeon payloads are Python-based executables packaged via pyInstaller and further obfuscated via pyArmor.

On execution, Zeon ransomware payloads attempt to stop any services or processes that could inhibit the encryption process. These include common backup processes and utilities as well as well-known security products. For example, Zeon will attempt to stop known processes from McAfee, Sophos and Kaspersky.

The ransomware uses both taskkill.exe and net.exe to terminate the prescribed processes. The following table provides a full list of affected processes.

mfevtp backup EPUpdate acronis
MBAM vmcomp W3S MsDts
Back IISAdmin Monitor EsgShKernel
Smcinst vmwp RESvc Endpoint
bedbg swi_ Veeam PDVF
CCSF TrueKey task xchange
IMAP4 Afee mfemms ESHASRV
mms vss SmcService FA_Scheduler
DCAgent NetMsmq ntrt sql
VeeamTransportSvc Report Sophos UIODetect
veeam VeeamNFSSvc EPSecurity wbengine
Backup ekrn Eraser Enterprise
POP3 KAVF klnagent WRSVC
AcrSch Exchange EhttpSrv tmlisten
mfefire McShield

Zeon achieves persistence via Scheduled Task. The ransomware generates and executes its scheduled task via cmd.exe.

The following command output can be observed upon execution:

cmd.exe /c schtasks.exe /Run /TN zE0xO6us
schtasks.exe /Create /TN zE0xO6tMpus /TR "CMD.EXE DEL /F /Q "{PATHIM}" >> NUL" /sc once /st 00:00 /RL HIGHEST

Zeon execution chain

Once encrypted, the .zeon extension will be added to all affected files and the ransom note is dropped as “re_ad_me.html” on the Desktop.

The ransomware also changes the victim’s desktop wallpaper.

Zeon Desktop Wallpaper

2. HelloXD Ransomware

HelloXD is a new ransomware family that first appeared towards the end of 2021. It is another in a long line of families derived from the various Babuk source code leaks. As such, both Windows and Linux variants of HelloXD have been observed.

Like Zeon, HelloXD does not currently host a public blog or victim shaming site. The ransom note instructs victims to engage the attackers via TOX chat as opposed to a direct chat link, .onion TOR website or standard email.

HelloXD ransom note

HelloXD is under rapid development, and many versions have been observed in the wild, with the author making continuous efforts to improve upon the malware’s obfuscation and file encryption routines. Initial samples of HelloXD were encrypted with a version of UPX, and some early versions also used a combination of HC-128 and Curve25519-Donna. Later examples of HelloXD ransomware have built additional layers onto the modified UPX packing, as well as updated the file encryption routine, swapping out HC128 for Rabbit Cipher.

We have observed that HelloXD payloads attempt to inhibit recovery via deletion of shadow copies:

vssadmin.exe delete shadows /all /quiet

Analyzed payloads have a rather noisy way of incorporating delays into the execution of the malware using the following:

PING.EXE -n 1 -w 3000

Upon encryption, files are given the .HELLO extension.

Recent examples of HelloXD also install copies of MicroBackdoor, which provides the threat actors with additional RAT-level access to breached systems.

HelloXD has, for a time, been openly discussed and sold in darknet crime forums. Alongside that, the actor behind HelloXD has been receiving some unwanted attention around the exposure of HelloXD as well and mocked for being exposed by security researchers.

Threat actors learn from x4k’s exposure

3. Dark Angels Ransomware

In May 2022, researchers found another Babuk-derivative that behaves very similarly to HelloXD called ‘Dark Angels’ (aka DarkAngels). Early reports on Dark Angels suggest that each ransomware sample is targeted specifically for a given organization, not unlike Mindware and SFile, which we reported on previously.

Dark Angels’ victims are instructed to communicate with the threat actor via a TOR-based chat portal and are given the (now) usual warning about not attempting to contact law enforcement, engage recovery teams or hire negotiators.

Dark Angels ransom note

The ransomware attempts to stop the following services upon execution:

memtas mepocs sophos
veeam backup GxVss
GxCIMgr DefWatch ccEvtMgr
ccSetMgr SavRoam RTVscan
QBFCService QBIDPService Intuit.QuickBooks.FCS
QBCFMonitorService YooBackup YooIT
zhudongfangyu sophos stc_raw_agent
VSNAPVSS VeeamTransportSvc VeeamDeploymentService
VeeamNFSSvc veeam PDVFSService
BackupExecVSSProvider BackupExecAgentAccelerator BackupExecAgentBrowser
BackupExecDiveciMediaService BackupExecJobEngine BackupExecManagementService
BackupExecRPCService AcrSch2Svc AcronisAgent

Dark Angels payloads have the ability to spread to available network shares and can accept associated parameters. The ‘paths’ and ‘shares’ command line parameters are both available. The method of share discovery can vary depending on the option provided.

Dark Angels ransomware team

In the absence of any command line options, the malware enumerates all local drives and encrypts all targeted files. Upon encryption, files are given the .crypt extension.
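The behaviours described for all three families above (Zeon's taskkill.exe/net.exe service stops and self-deleting scheduled task, HelloXD's shadow-copy deletion and ping delay, Dark Angels' service-stop list) can be hunted for in process-creation telemetry. The following is an added example, not code from the SentinelOne post: it runs a few correlation rules over constructed Sysmon Event ID 1 style records, assuming the services are stopped via taskkill.exe or net.exe as the post describes for Zeon; hostnames, paths and field names are constructed.

```python
"""
Added example, not from the SentinelOne post: a detection pass over Windows
process-creation telemetry (Sysmon Event ID 1 / Security 4688 style) for:
  - Zeon / Dark Angels: one parent stopping several backup/security processes
  - Zeon: a schtasks.exe task whose action is "CMD.EXE DEL /F /Q <payload>"
  - HelloXD: "vssadmin.exe delete shadows /all /quiet" and "PING.EXE -n 1 -w 3000"
Field names, hostnames, paths and all sample events are constructed.
"""
import re
from collections import defaultdict

# Name fragments drawn from the two service/process tables in the post (a subset).
# Case-insensitive substring matching mirrors the wildcard style of those lists.
TARGETED_NAMES = {
    "veeam", "backup", "acronis", "sophos", "mcshield", "mfefire", "ekrn",
    "klnagent", "vss", "wbengine", "sql", "exchange", "memtas", "mepocs",
    "gxvss", "savroam", "rtvscan", "yoobackup", "quickbooks",
}

def ev(host, parent, cmd):
    """Constructed process-creation record: host, parent image, command line."""
    return {"host": host, "parent": parent, "cmd": cmd}

def kill_target(cmd):
    """Name a 'taskkill /IM' or 'net stop' command aims at, else None."""
    m = re.search(r'\btaskkill(?:\.exe)?\b.*?/im\s+"?([^"\s]+)', cmd, re.I)
    if not m:
        m = re.search(r'\bnet1?(?:\.exe)?\s+stop\s+"?([^"\s]+)', cmd, re.I)
    return m.group(1) if m else None

def is_selfdelete_task(cmd):
    """schtasks /Create whose /TR action deletes a file (Zeon's clean-up task)."""
    pat = r'\bschtasks(?:\.exe)?\b.*?/create\b.*?/tr\s+.*?\bdel\s+/f'
    return re.search(pat, cmd, re.I) is not None

def is_shadow_deletion(cmd):
    """vssadmin delete shadows, used by HelloXD to inhibit recovery."""
    return re.search(r'\bvssadmin(?:\.exe)?\s+delete\s+shadows\b', cmd, re.I) is not None

def ping_sleep_ms(cmd):
    """Timeout of a 'ping -n 1 -w <ms>' delay idiom, or None for ordinary pings."""
    m = re.search(r'\bping(?:\.exe)?\b(?=.*\s-n\s+1\b).*?\s-w\s+(\d+)', cmd, re.I)
    return int(m.group(1)) if m else None

def detect(events, kill_threshold=3, sleep_min_ms=1000):
    """Return alerts; service kills are correlated per (host, parent process)."""
    alerts, kills = [], defaultdict(set)

    def add(host, parent, severity, rule):
        alerts.append({"host": host, "parent": parent, "severity": severity, "rule": rule})

    for e in events:
        host, parent, cmd = e["host"], e["parent"], e["cmd"]
        target = kill_target(cmd)
        if target and any(frag in target.lower() for frag in TARGETED_NAMES):
            kills[(host, parent)].add(target.lower())
        if is_selfdelete_task(cmd):
            add(host, parent, "HIGH", "scheduled task created to delete a file (self-delete)")
        if is_shadow_deletion(cmd):
            add(host, parent, "HIGH", "shadow copies deleted with vssadmin")
        ms = ping_sleep_ms(cmd)
        if ms is not None and ms >= sleep_min_ms:
            add(host, parent, "LOW", f"ping used as a {ms} ms delay")
    # One taskkill is routine administration; one parent stopping several
    # backup/security processes in a row is the ransomware signal.
    for (host, parent), names in kills.items():
        if len(names) >= kill_threshold:
            add(host, parent, "HIGH",
                f"{len(names)} backup/security processes stopped: {', '.join(sorted(names))}")
    return alerts

PAYLOAD = r"C:\Users\u\AppData\Local\Temp\payload.exe"  # constructed path
HELLO = r"C:\Users\u\Downloads\hello.exe"               # constructed path
SAMPLE_EVENTS = [  # constructed telemetry, not from any real incident
    ev("WS01", PAYLOAD, 'taskkill.exe /F /IM "McShield.exe"'),
    ev("WS01", PAYLOAD, "taskkill.exe /F /IM ekrn.exe"),
    ev("WS01", PAYLOAD, "net.exe stop VeeamTransportSvc"),
    ev("WS01", PAYLOAD, "net.exe stop wbengine"),
    ev("WS01", PAYLOAD, 'cmd.exe /c schtasks.exe /Create /TN zE0xO6tMpus /TR "CMD.EXE DEL /F /Q "'
       + PAYLOAD + '" >> NUL" /sc once /st 00:00 /RL HIGHEST'),
    ev("FS02", HELLO, "vssadmin.exe delete shadows /all /quiet"),
    ev("FS02", HELLO, "PING.EXE -n 1 -w 3000"),
    # Benign administration on another host: should produce no alert.
    ev("ADMIN01", r"C:\Windows\explorer.exe", "taskkill.exe /F /IM notepad.exe"),
    ev("ADMIN01", r"C:\Windows\System32\cmd.exe", "net.exe stop spooler"),
    ev("ADMIN01", r"C:\Windows\System32\cmd.exe", "ping -n 4 8.8.8.8"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["severity"]:<4} {a["host"]:<8} {a["rule"]}  <- {a["parent"]}')
```

Run against the constructed events, the two ransomware hosts produce four alerts (three HIGH, one LOW) and the administrative host produces none, because a single taskkill or an ordinary ping never crosses the correlation threshold on its own.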


Ransomware continues to evolve and pivot in the race to extract illicit profits by attacking the data on businesses’ computer systems. Threat actors know they must constantly work to stay ahead of both the legal system and the ongoing influx of inhibiting technical controls. Staying abreast of the latest developments in the crimeware scene can help your security and IT teams keep your business secure.

SentinelOne Singularity detects and prevents attacks by Zeon, HelloXD and Dark Angels as well as all other known ransomware families.

Meet the Administrators of the RSOCKS Proxy Botnet

Authorities in the United States, Germany, the Netherlands and the U.K. last week said they dismantled the “RSOCKS” botnet, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer. While the coordinated action did not name the Russian hackers allegedly behind RSOCKS, KrebsOnSecurity has identified its owner as a 35-year-old Russian man living abroad who also runs the world’s top spam forum.

The RUSdot mailer, the email spamming tool made and sold by the administrator of RSOCKS.

According to a statement by the U.S. Department of Justice, RSOCKS offered clients access to IP addresses assigned to devices that had been hacked:

“A cybercriminal who wanted to utilize the RSOCKS platform could use a web browser to navigate to a web-based ‘storefront’ (i.e., a public web site that allows users to purchase access to the botnet), which allowed the customer to pay to rent access to a pool of proxies for a specified daily, weekly, or monthly time period. The cost for access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.”

The DOJ’s statement doesn’t mention that RSOCKS has been in operation since 2014, when access to the web store for the botnet was first advertised on multiple Russian-language cybercrime forums.

The user “RSOCKS” on the Russian crime forum Verified changed his name to RSOCKS from a previous handle: “Stanx,” whose very first sales thread on Verified in 2016 quickly ran afoul of the forum’s rules and prompted a public chastisement by the forum’s administrator.

Verified was hacked twice in the past few years, and each time the private messages of all users on the forum were leaked. Those messages show that after being warned of his forum infraction, Stanx sent a private message to the Verified administrator detailing his cybercriminal bona fides.

“I am the owner of the RUSdot forum (former Spamdot),” Stanx wrote in Sept. 2016. “In spam topics, people know me as a reliable person.”

A Google-translated version of the Rusdot spam forum.

RUSdot is the successor forum to Spamdot, a far more secretive and restricted forum where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the community’s implosion in 2010. Even today, the RUSdot Mailer is advertised for sale at the top of the RUSdot community forum.

Stanx said he was a longtime member of several major forums, including the Russian hacker forum Antichat (since 2005), and the Russian crime forum Exploit (since April 2013). In an early post to Antichat in January 2005, Stanx disclosed that he is from Omsk, a large city in the Siberian region of Russia.

According to the cyber intelligence firm Intel 471, the user Stanx indeed registered on Exploit in 2013, using the email address, and the ICQ number 399611. A search in Google for that ICQ number turns up a cached version of a Vkontakte profile for a Denis “Neo” Kloster, from Omsk, Russia.

Cybersecurity firm Constella Intelligence shows that in 2017, someone using the email address registered at the Russian freelancer job site with the profile name of “Denis Kloster” and the Omsk phone number of 79136334444. Another record indexed by Constella suggests Denis’s real surname may in fact be “Emilyantsev” [Емельянцев].

That phone number is tied to the WHOIS registration records for multiple domain names over the years, including proxy[.]info, allproxy[.]info, and

A copy of the passport for Denis Kloster, as posted to his Vkontakte page in 2019. It shows that in Oct. 2019, he obtained a visa from the American Embassy in Bangkok, Thailand.

The “about me” section of says the 35-year-old was born in Omsk, that he got his first computer at age 12, and graduated from high school at 16. Kloster says he’s worked in many large companies in Omsk as a system administrator, web developer and photographer.

According to Kloster’s blog, his first real job was running an “online advertising” firm he founded called Internet Advertising Omsk (“riOmsk”), and that he even lived in New York City for a while.

“Something new was required and I decided to leave Omsk and try to live in the States,” Kloster wrote in 2013. “I opened an American visa for myself, it was not difficult to get. And so I moved to live in New York, the largest city in the world, in a country where all wishes come true. But even this was not enough for me, and since then I began to travel the world.”

The current version of the About Me page on Kloster’s site says he closed his advertising business in 2013 to travel the world and focus on his new company, one that provides security and anonymity services to customers around the world. Kloster’s vanity website and LinkedIn page both list him as CEO of a company called “SL MobPartners.”

In 2016, featured a post celebrating three years in operation. The anniversary post said Kloster’s anonymity business had grown to nearly two dozen employees, most of whom were included in a group photo posted to that article (and some of whom Kloster thanked by their first names and last initials).

The employees who kept things running for RSOCKS, circa 2016.

“Thanks to you, we are now developing in the field of information security and anonymity!,” the post enthuses. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”

Mr. Kloster did not respond to repeated requests for comment.

It’s not clear whether the coordinated takedown targeting the RSOCKS botnet will be permanent, as the botnet’s owners could simply rebuild — and possibly rebrand — their crime machine. Based on the RSOCKS owner’s posts, that is exactly what they intend to do.

“RSocks ceases to exist,” wrote the Rsocks account on the BlackHatWorld forum on June 17. “But don’t worry. All the active plans and fund balances will be transferred to another service. Stay tuned. We will inform you about its name and all the details later.”

Rsocks told the BlackHatWorld community they would be back soon under a new name.

Malware-based proxy services like RSOCKS have struggled to remain competitive in a cybercrime market with increasingly sophisticated proxy services that offer many additional features. The demise of RSOCKS follows closely on the heels of VIP72[.]com, a competing proxy botnet service that operated for a decade before its owners pulled the plug on the service last year.

Why Paper Receipts are Money at the Drive-Thru

Check out this handmade sign posted to the front door of a shuttered Jimmy John’s sandwich chain shop in Missouri last week. See if you can tell from the store owner’s message what happened.

If you guessed that someone in the Jimmy John’s store might have fallen victim to a Business Email Compromise (BEC) or “CEO fraud” scheme — wherein the scammers impersonate company executives to steal money — you’d be in good company.

In fact, that was my initial assumption when a reader in Missouri shared this photo after being turned away from his favorite local sub shop. But a conversation with the store’s owner, Steve Saladin, brought home the truth that some of the best solutions for fighting fraud are even lower-tech than BEC scams.

Visit any random fast-casual dining establishment and there’s a good chance you’ll see a sign somewhere from the management telling customers their next meal is free if they don’t receive a receipt with their food. While it may not be obvious, such policies are meant to deter employee theft.

The idea is to force employees to finalize all sales and create a transaction that gets logged by the company’s systems. The offer also incentivizes customers to help keep employees honest by reporting when they don’t get a receipt with their food, because employees can often conceal transactions by canceling them before they’re completed. In that scenario, the employee gives the customer their food and any change, and then pockets the rest.

You can probably guess by now that this particular Jimmy John’s franchise — in Sunset Hills, Mo. — was among those that chose not to incentivize its customers to insist upon receiving receipts. Thanks to that oversight, Saladin was forced to close the store last week and fire the husband-and-wife managers for allegedly embezzling nearly $100,000 in cash payments from customers.

Saladin said he began to suspect something was amiss after he agreed to take over the Monday and Tuesday shifts for the couple so they could have two consecutive days off together. He said he noticed that cash receipts at the end of the nights on Mondays and Tuesdays were “substantially larger” than when he wasn’t manning the till, and that this was consistent over several weeks.

Then he had friends proceed through his restaurant’s drive-thru, to see if they received receipts for cash payments.

“One of [the managers] would take an order at the drive-thru, and when they determined the customer was going to pay with cash the other would make the customer’s change for it, but then delete the order before the system could complete it and print a receipt,” Saladin said.
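The scheme Saladin describes leaves a trace in the register’s own event log, if the system keeps one: an order that has cash tendered against it and is then voided before it completes. What follows is an added example, not code from this article or from any POS vendor. The log format, field names, operator names and thresholds are assumptions, and the log lines are constructed. It groups events per order, classifies each order’s outcome, scores each operator by the share of their cash orders that were voided after tender, and totals completed cash per shift and operator, the comparison Saladin made by hand across his Monday and Tuesday shifts.

```python
"""Audit a point-of-sale (POS) event log for orders voided after cash was tendered.

Added example, not code from the original article. The log format, field names
and thresholds are assumptions; a real POS export will differ.
Each line: <shift_date> <operator> <order_id> <event> [<CASH|CARD> <amount>]
"""
from collections import defaultdict

# Constructed sample log (not real data). Orders 2001 and 2003 show the scheme:
# cash tendered (change made), then VOID before COMPLETE, so no receipt prints
# and the sale never reaches the books. Order 1002 is a normal void (no tender).
SAMPLE_LOG = """\
2022-06-13 owner 1001 OPEN
2022-06-13 owner 1001 TENDER CASH 12.50
2022-06-13 owner 1001 COMPLETE
2022-06-13 owner 1002 OPEN
2022-06-13 owner 1002 VOID
2022-06-13 owner 1003 OPEN
2022-06-13 owner 1003 TENDER CASH 7.00
2022-06-13 owner 1003 COMPLETE
2022-06-13 owner 1004 OPEN
2022-06-13 owner 1004 TENDER CASH 15.25
2022-06-13 owner 1004 COMPLETE
2022-06-15 mgr_a 2001 OPEN
2022-06-15 mgr_a 2001 TENDER CASH 14.00
2022-06-15 mgr_a 2001 VOID
2022-06-15 mgr_a 2002 OPEN
2022-06-15 mgr_a 2002 TENDER CARD 8.75
2022-06-15 mgr_a 2002 COMPLETE
2022-06-15 mgr_a 2003 OPEN
2022-06-15 mgr_a 2003 TENDER CASH 11.25
2022-06-15 mgr_a 2003 VOID
2022-06-15 mgr_a 2004 OPEN
2022-06-15 mgr_a 2004 TENDER CASH 10.00
2022-06-15 mgr_a 2004 COMPLETE
"""

def parse_log(text):
    """Group events by order id: {order_id: {"shift", "operator", "events"}}."""
    orders = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        shift, operator, order_id, event = parts[:4]
        rec = orders.setdefault(order_id, {"shift": shift, "operator": operator, "events": []})
        if event == "TENDER":
            rec["events"].append(("TENDER", parts[4], float(parts[5])))
        else:
            rec["events"].append((event,))
    return orders

def cash_tendered(rec):
    """Total cash tendered on one order."""
    return sum(e[2] for e in rec["events"] if e[0] == "TENDER" and e[1] == "CASH")

def classify(rec):
    """Outcome of one order: completed, void_clean, void_after_cash, void_after_card, open."""
    tenders = [e for e in rec["events"] if e[0] == "TENDER"]
    last = rec["events"][-1][0]
    if last == "COMPLETE":
        return "completed"
    if last == "VOID":
        if not tenders:
            return "void_clean"
        return "void_after_cash" if tenders[-1][1] == "CASH" else "void_after_card"
    return "open"

def operator_stats(orders):
    """Per operator: order counts by outcome, cash orders seen, cash completed and voided."""
    stats = defaultdict(lambda: {"completed": 0, "void_clean": 0, "void_after_cash": 0,
                                 "void_after_card": 0, "open": 0, "cash_orders": 0,
                                 "cash_completed": 0.0, "cash_voided": 0.0})
    for rec in orders.values():
        s, outcome, cash = stats[rec["operator"]], classify(rec), cash_tendered(rec)
        s[outcome] += 1
        if cash:
            s["cash_orders"] += 1
        if outcome == "void_after_cash":
            s["cash_voided"] += cash
        elif outcome == "completed":
            s["cash_completed"] += cash
    return dict(stats)

def flag_operators(stats, max_void_rate=0.05, min_cash_orders=3):
    """Operators whose share of cash orders voided after tender exceeds max_void_rate.
    Some legitimate voids happen everywhere (hence a rate, not a count), and the
    volume floor keeps a single mistake from flagging someone on their first shift."""
    flagged = {}
    for op, s in stats.items():
        if s["cash_orders"] >= min_cash_orders:
            rate = s["void_after_cash"] / s["cash_orders"]
            if rate > max_void_rate:
                flagged[op] = round(rate, 3)
    return flagged

def cash_by_shift(orders):
    """Completed cash per (shift, operator): the comparison the owner made by hand."""
    totals = defaultdict(float)
    for rec in orders.values():
        if classify(rec) == "completed":
            totals[(rec["shift"], rec["operator"])] += cash_tendered(rec)
    return dict(totals)
```

Run over the constructed log, `flag_operators(operator_stats(parse_log(SAMPLE_LOG)))` reports only the manager account, with two of its three cash orders voided after tender, while `cash_by_shift` shows the owner’s shift cash reaching the books in full. A void with no tender behind it (a customer who walks away) is counted separately and never raises the rate, which is the distinction a real audit has to preserve to avoid accusing honest staff.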

Saladin said his attorneys and local law enforcement are now involved, and he estimates the former employees stole close to $100,000 in cash receipts. That was on top of the $115,000 in salaries he paid in total each year to both employees. Saladin also has to figure out a way to pay his franchisor a fee for each of the stolen transactions.

Now Saladin sees the wisdom of adding the receipt sign, and says all of his stores will soon carry a sign offering $10 in cash to any customers who report not receiving a receipt with their food.

Many business owners are reluctant to involve the authorities when they discover that a current or former employee has stolen from them. Too often, organizations victimized by employee theft shy away from reporting it because they’re worried that any resulting media coverage of the crime will do more harm than good.

But there are quiet ways to ensure embezzlers get their due. A few years back, I attended a presentation by an investigator with the criminal division of the U.S. Internal Revenue Service (IRS) who suggested that any embezzling victims seeking a discreet law enforcement response should simply contact the IRS.

The agent said the IRS is obligated to investigate all notifications it receives from employers about unreported income, but that embezzling victims often neglect to even notify the agency. That’s a shame, he said, because under U.S. federal law, anyone who willfully attempts to evade or defeat taxes can be charged with a felony, with penalties including up to $100,000 in fines, up to five years in prison, and the costs of prosecution.