Magecart-style hackers charged by Russia in theft of 160,000 credit cards

Russia has taken the rare step of publicly charging six people suspected of stealing the details of 160,000 credit cards as well as payment information from foreign online stores.

According to the statement published by Russia's Prosecutor General's Office earlier this week, the suspects used malware to bypass the websites' security measures and gain access to their databases. Then, using malicious code, they copied the necessary account details and stored them on their remote servers. The hackers later sold this information on darknet internet forums.

The suspects were identified as Denis Priymachenko, Alexander Aseev, Alexander Basov, Dmitry Kolpakov, Vladislav Patyuk, and Anton Tolmachev. If found guilty, they could face a fine or be sentenced to up to seven years in prison, according to Russian law.

According to the Russian archive of court decisions, the suspects were arrested about a year ago, said Ilya Volovik, the senior manager of the payment fraud intelligence team at Recorded Future, the parent company of The Record. It is not clear if they were part of a specific hacker gang, he added.

The indicted Russian hackers used a payment information stealing tactic known as Magecart, said Will Thomas, an instructor at the SANS Institute. This term came from the group responsible for the initial attacks, which specifically aimed at websites using the Magento e-commerce platform.

In a Magecart-style attack, hackers compromise vulnerable websites by injecting malicious code, often JavaScript, into their checkout pages or other parts of the site where payment information is entered. This code is designed to capture sensitive data such as credit card numbers, CVV codes, and personal information entered by users during the checkout process. That information is then often packaged and sold to “carding” operations that use it for fraud.

There are dozens of groups performing such operations, Thomas said. “Attributing them to a specific group is pretty difficult as there are often little artifacts to go on other than their web code and infrastructure,” he added.

In 2022 alone, nearly 60 million compromised payment card records were posted for sale on dark web platforms, according to Recorded Future's Insikt Group. These types of attacks are especially popular among Russian cybercriminals, researchers said. Western sanctions imposed on Russia following its invasion of Ukraine “may motivate Russian-based threat actors to compromise, sell, and monetize payment cards,” the report said.

The Russian government rarely impedes such operations, and cases where the Kremlin prosecutes its own criminals are rare.

In 2022, the Russian Federal Security Service (FSB) arrested the administrator of the UniCC forum, where threat actors gathered to buy or sell stolen payment card data. Since its launch in 2013, the site's staff has made at least $358 million in cryptocurrency from the sale of stolen cards, according to blockchain analysis company Elliptic.

Volovik suggested that the UniCC arrests and the recent charges against Russian hackers may be connected. “It is likely that the investigation into the operation of this shop revealed individuals that were supplying stolen payment cards that were later sold in the carding shop,” he said. 

“Russia is usually a safe haven for carders and hackers, so in the rare instances where they do arrest them, it's usually interconnected. UnicCC was one of those rare scenarios where Russia shut down a carding shop and made arrests,” Volovik said.

However, researchers don't have any evidence that the arrested criminals worked with UniCC, or if they exclusively supplied the cards to them. “Usually, carders that steal cards will work with one or more carding shops, where they sell their stolen data, and UniCC was a well-known shop,” Volovik added.