Russian operator of stolen credential marketplace sentenced to 30 months

A Russian computer security researcher was sentenced by a federal judge in California to two-and-a-half years in prison Monday for his role in administering deer.io, a sprawling online marketplace for selling stolen account credentials, credit card information, and hacked accounts.

Kirill Firsov, the 30-year-old operator of the now-defunct site, was arrested last March upon his arrival at New York City’s JFK Airport from Moscow. At the time of his arrest, the site hosted about 3,000 active shops with sales exceeding $17 million, according to Justice Department officials. Although Firsov argued that most of the sales on the site were of Russian accounts, at least $1.2 million of exchanges were tied to U.S. stolen data, including  names, current addresses, telephone numbers and Social Security numbers.

Deer.io operated like a Shopify for cybercrime, according to charging documents. It offered cybercriminals “a turnkey online storefront design and hosting platform,” which they used to advertise and sell a variety of products, such as hacked servers. The site claimed to have over 24,000 active shops.

The crime that Firsov pled guilty to—unauthorized solicitation of access devices—carries with it a maximum penalty of 10 years in prison and up to a $250,000 fine. But in the sentencing trial, U.S. District Judge Cynthia Bashant said he had been incarcerated for more than a year during the COVID-19 pandemic, and would likely spend additional time behind bars as he goes through deportation proceedings back to Russia. However, Bashant “noted that without Firsov’s involvement, there would be no deer.io, and that facilitated the sale of stolen property on a large scale,” the Department of Justice said.

The site was in operation since at least October 2013 and was maintained on Russian servers, which made it difficult for the FBI to investigate it, prosecutors said.

Although it’s unclear how the FBI tied deer.io to Firsov, he maintained a Twitter account where he posted about vulnerabilities and exploits. In court documents, the FBI described how agents in San Diego were able to purchase approximately 1,100 gamer accounts for under $20 in bitcoin, and the personally identifiable information of about 3,650 individuals for a few hundred dollars in bitcoin from the marketplace. From those accounts, the FBI identified names, dates of birth, and Social Security numbers of multiple people who resided in San Diego.

“This platform provided cybercriminals with easy access to the personal accounts and information of people around the world, including Americans,” said Acting U.S. Attorney Randy Grossman. “Stopping that flow of stolen information to criminals is critical to addressing the cybercrime threats facing our country, and we will prosecute those who are responsible.”