Pavel Vrublevsky

'Be Careful Who You Bite': An Interview With the Businessman at the Center of One of Russia’s Biggest Treason Scandals

Editor’s Note: In 2013, Pavel Vrublevsky’s life turned upside down. After ten years of running a successful payments firm called ChronoPay, the Russian internet entrepreneur was convicted of orchestrating a distributed denial-of-service attack against a competing payments system used by Russian airline Aeroflot.

Vrublevsky was sentenced to 2.5 years in prison, and was subsequently made the subject of a book by cybersecurity journalist Brian Krebs, who described how Vrublevsky ran one of the world’s largest spam networks and profited from online pharmacy and fake antivirus operations. Krebs also uncovered leaked ChronoPay emails that suggested Vrublevsky bribed Russian political leaders to investigate rivals.

In recent years, Vrublevsky emerged as a central figure in one of Russia’s most notable treason scandals. Sergei Mikhailov, a former chief of the cybercrime department at Russia’s Federal Security Service who testified against Vrublevsky during his trial, was convicted of treason in 2019 and sentenced to 22 years in prison for reportedly passing along classified information about Vrublevsky to the FBI. Ruslan Stoyanov, a former Russian cyber intelligence official and senior employee at Kaspersky Lab, was sentenced to 14 years in prison during the same trial, which was held behind closed doors and rumored to be linked to the hacking of the 2016 U.S. presidential election.

Vrublevsky talked extensively with Recorded Future expert threat intelligence analyst Dmitry Smilyanets about these events and others in a recent interview. The conversation was conducted in Russian, and was translated to English with the help of a professional translator. The interview below has been lightly edited for length and clarity.

Dmitry Smilyanets: What’s the story behind your business ChronoPay, and what’s the state of the company now?

Pavel Vrublevsky: ChronoPay was created ad hoc. We, as a team, had our own entertainment projects online—we do not discuss what kind of projects they were for various reasons, but they were legal. We created a payment gateway, but we ourselves could not be its clients and we had to do something to get the business going. 

The first client came to us by accident, through an acquaintance. Templatemonster.com fell into our lap—the world's largest project for the sale of ready-made web designs, which was under constant attack by carders. In order to card some money, you need to make a fake store, but where do you get the design? Card the design. Therefore, templatemonster failed chargebacks. They had a second problem that was relevant back then: They tried their best to make it look like they were not citizens of Ukraine. That created a problem with the banks, because the banks wanted to see the ultimate beneficiaries. These are the problems we solved for them. We resolved them and figured out how to make a business out of it... And ChronoPay began to grow. 

Then it suffered for a long time during the showdown with Mikhailov… All this continued until Mikhailov was convicted. The whole process organically fell under the general story around the [2016 U.S.] elections. Coincidentally, he was convicted after Mueller's report on election interference... Then we quickly began to recover and turned into a very good working mechanism again, until the onset of COVID-19. We turned out to be better prepared than other companies because for a year now we experimented with modern remote work options. Our positions have improved... 

Now I would say that we are on a very positive wave. Banks in Russia come to us en masse and everyone wants to work with us. Everyone understands perfectly well that if I hadn't gotten into these disputes to find out who is spying for whom, then everything would probably be much better now financially than it actually is. There is a certain feeling of betrayal, if I may put it that way, because we had discussed this topic with state representatives and they had promised me a medal back then. I never got that medal.

DS: You’re upset you didn’t get a medal? The most important thing is to not get a whack in the head.

PV: My friends always tell me: “Be careful about what you post Pasha. Be careful who you bite. Are you really not afraid of what they might do to you?” To be honest, I am not suicidal and I have experience of getting whacked in the head hard. 

The situation is a little different here. It’s unfair and it would be wrong to stay silent. I understand that there is a concept of a state machine and that it is cruel. And I have no doubt that the state machine is cruel in all countries, no less than in our wonderful country. If I had done something like that in the U.S., I don't think that Donald Trump would have given me a kiss me on the forehead. And I would be sitting there just as upset and angry for being too righteous.

DS: From the outside, it looks like you have a lot of enemies. Is that so?

PV: I do not have many enemies, but many partisans—at some point we started calling them partisans. I have no enemies, and those who had been my enemies in the full sense of the word ceased to be a long time ago. This is what happened: Mikhailov, as a prominent representative of his organization, was responsible for large segments of the counterintelligence business in a country that tacitly intersects with a whole school of thought abroad. And his fall, associated with treason, led to the fact that a lot of people immediately found themselves on the outside... Some of these people realized it and understood it and continued to live on. 

But there was a circle of stubborn people, both here and abroad, who refused to accept the reality. I saw two publications—two leading media outlets on the same day—one was The New York Times, the second was The Washington Post. In one of them I was called a young Russian entrepreneur, and in the second I was called a big cybercriminal and a villain. The same position is expressed by Mr. [Brian] Krebs, and it is not going to change. He stated it in his book, but he is not the only representative of this position, he is the voice. Krebs has a lot of support in the information security community. That is an example of some of the partisan activity... There is also a circle of people in Moscow—dissatisfied—who takes the same position…

Image-from-iOS-3-1-1-1024x683.jpg

At the same time, there are many supporters of what I brought out into the open. In Russia, there are a lot of people in the system... and I have many acquaintances in the United States who, despite the difficult political situation between the two countries, support me quite openly. It got to the point where I spoke with two four-star NATO generals at a virtual cybersecurity conference. I cannot say that I have enemies, but rather that I am a representative of a certain ideology in cybersecurity, the point of which is that you cannot be flippant when it comes to attribution. 

Essentially, attribution is fundamental in determining guilt. Some people think that attribution is a game from cybercrime all the way up to the grander political level. But part of the community thinks that attribution is not something to be taken lightly. If you take the archives of the Aeroflot case and look at them, you get a snapshot of what happens ten years later in terms of hacking the elections. When Mr. Trump stepped onto the stage asking: “Where is the server?” we keeled over laughing, because that was also the key question in the investigation of the Aeroflot case... I am a supporter of realism in attribution, and of course, my constant opponent is Krebs, because Krebs is the best attribution expert associated with international cybercrime. However, he takes the opposite approach…

DS: Brian Krebs accused you of all sorts of sins, including bribing officials in order to persecute your local enemies. Is it true?

PV: This isn’t just untrue, this is one of 74 cases of outright lies... We did not spend a dime on the Russian law enforcement machine in order to fight someone. This is obvious for the simple reason that we were pursued by the FSB. Krebs accused us of buying the police. During Mikhailov's arrest, he accused me of bribing the FSB's own security department. I laughed a lot at that, because I don't have enough money to pay for the laces of these respected people. If it were true, that we were paying someone money, then, by God, everyone would have been in prison a long time ago... It would have been a gift for the FSB at that moment, if we were bribing someone. Quite the opposite, we did not bribe anyone, anywhere, anyhow.

DS: Do you think that Mikhailov actually shared secret information with the West? Do you believe his work with the West was sanctioned by the Russian government? What was on the disc that he gave to the Western intelligence services?

PV: Even if I knew what was on that disc, I would not have had the right to say because it is a state secret... As for his legitimate work with the West, it is a lie. He could not have had any work with the West. We tried to understand whether this person was working legally, and everything we found out indicates that this was not true. There are no particularly secret agreements with the West according to which the Center's operative could transfer operational information directly abroad. And it doesn't matter whether it was to America or not to America. Any interaction with the Russian Federation is carried out through the Prosecutor General's Office. 

Moreover, there is a cybercrime convention within the framework... and Russia refused to sign it precisely because it involves this kind of cooperation. Two times Putin refused to sign it. One of the reasons for not signing was specifically the sharing of operational information. 

There was a fairy tale that Mikhailov was convicted for, let's say, working with foreigners. The fact is that there couldn’t have been any work with foreigners. Of course, the special services maintain informal contacts and informal games among themselves. But don’t disclose webmoney wallets abroad like you would at home. I gave an example which, as far as I know, has nothing to do with this case. He was convicted for working for foreigners. How it was managed and who was the initiator, I do not know. If I did know I wouldn’t say, but I really don’t know. At one point I considered the wildest versions—that Mikhailov was the very first illegal [intelligence officer] from the United States in Russia... I asked directly and received an answer from the state that this was not true, that I was mistaken. But in this case, I also have no reason to believe the state... 

Sergey was very different from other FSB officers... His behavior was different from his colleagues and there was always a feeling that you were watching an actor who was playing an FSB officer... There was this joke, it made the rounds even before his sentencing: How did you figure out that Mikhailov was a spy? Because he did not take bribes.

DS: Stoyanov described the cooperation between the state and hackers in an open letter. ""The essence of the deal: the state gets access to technologies and information of cyber criminals in exchange for permission to steal abroad with impunity."" Is this the case in 2020?

PV: I think this has never really been the case. Russia historically has a high level of corruption in law enforcement agencies. At the same time, according to the law, an employee of the authorities can often take full responsibility and act on behalf of the state. Naturally, employees, especially young ones or those who have simply completely lost all sense of limits, go to such lengths as to make promises on behalf of the state of protection to certain criminals or even suspects that no one has ever really authorized them to. But this easily allows, if desired, one to find alleged government support in someone's actions. Unfortunately, state control is often weak in this respect. With me personally, there were many comical situations for this reason. It's just a feature of how the system works. 

In 2011, when I was in the Lefortovo prison and it was even somewhat of an honor the FSB checked if I was an employee of another agency—which I never was—I wonder if in some other agency anyone got a medal for this? Nowadays, in 2019, I had to file a statement with the administration of the special services, when I accidentally found myself almost an informant for the anti-organized crime branch, about which of course I had no clue. Stoyanov, as a former police officer, could not fail to know and understand this feature of our state administration and, in my opinion, made an incorrect statement, possibly trying to find support abroad with such populism.

DS: What motivates hackers who help the state? Are they forced, hired, or do it for patriotic reasons?

PV: As I said, I honestly don't see any government policy to support hackers. Sometimes I even see the opposite. Take the case of Konstantin Kozlovsky and Lurk. Apparently, the man was indeed an informant, but they do not believe him. At least formally. Morally, he really should have been supported.

DS: Is there a fight among intelligence agencies for talent in the same way they fight over statistics?

PV: I think yes and no. This is a very controversial issue. The fact is that on the one hand it certainly exists—but only when talent can really help not only the service, but also specific people in the service. There have been no world wars for a long time. This is certainly good. But this also gives rise to the principle that “paper will endure everything.” In other words, without real military necessity there is a lot of talent on paper, but in practice it is debatable. 

But here you have to understand—ultimately, the talent working for the special services, this is also a thing, it is the talent of destruction or protection from destruction. Is that really a talent?

DS: Do you think there should be more cooperation between Western intelligence services and Russia on computer crimes? Who will benefit from this collaboration? Who will lose?

PV: Of course I believe. The pandemic is a witness to this. I believe that it is absolutely necessary. However, I have maintained a rather unusual approach in this regard for a long time now. I personally think this cooperation should happen through the police, not special services. The point is the same as what I said above—special services are essentially military units, but without a war.

All over the world, they have one thing in common: They are always right. Politically, they have no margin for error. At the same time, cybercrime is an eternal issue of complex attribution, in which a mistake can occur in the most elementary way, and I have seen more than once when even the most eminent experts make mistakes. The story of election hacking is an excellent example of this. And we get the situation from the Guns N’ Roses song “Civil War”—what we’ve got here is failure to communicate. The police all over the world have the right to make mistakes. The police have had this right to “stupidity” since the Sherlock Holmes books. Cybercrime needs to be stopped. But cybercrime really needs a normal fair trial in which a judge, prosecutor, and defense attorney find out the truth. Not the kind of court that we get in any country, when politics and special services are behind it in the shadows. Only the truth in every case makes it possible to improve the system. I believe that the issue will be resolved by the cooperation specifically of the police.

DS: You’re pushing for a “Vrublevsky amendment” that would require cross-border internet transactions to go through Russian processors—can you tell me more about that?

PV: This is a good initiative. Important for Russia and I think, oddly enough important for other economies. Now, when Russians pay to sites abroad, they pay through foreign service providers. Visa and Mastercard regulations and developed country personal data laws deploy these transactions through local payment companies. This is correct both economically and in general. In Russia, the law on the national payment system, which is subject to the rules of payment systems, contradicts the law on personal data in this respect. It seemed to me reasonable to bring this to world standards.

DS: What else are you working on now?

PV: Oh, I have at least three breakthrough products for the market that are not related to ChronoPay, some of which were invented ten years ago. The first is a system of instant bonuses for companies—the name of the product is “Tyrant.” So funny. The family version is “Despot.” Very soon we will be able to show it and I think it will be in great demand on the market. 

We have huge blockchain-related projects. It is a completely crazy topic, but very interesting. Both products—the first is the simplest, and the second, on the contrary, is quite complex—can have a strong impact on the economy and are a development of the idea of ​​the economy of demand. At the same time, we help our colleagues to launch a product for payments for affiliate programs in Russia, which traditionally work outside the legal field on a legal basis. All my projects and ideas are mainly related to the economy of demand. I think the economy of demand is the future of the global economy. It is a sales conversion economy. Affiliate programs are practical cases of the very same economic model. I like these kinds of things.

DS: What is the biggest mistake you've made?

PV: I hope I haven't made any big ones. Probably the consistency with which I stood my ground and did not concede not taking into account how much the people around me could lose.

DS: Tell me a secret.
PV: In 2010, Aeroflot was attacked to show the senselessness and falsity of Mikhailov's actions.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Dmitry Smilyanets

Mission-driven and Russian-speaking intelligence analyst with type A personality. Dmitry has twenty years of experience and expertise in cybercrime activity that includes being a former member of an elite Russian-based hacking organization.