One year after thieves infiltrated Target's cash registers, a website openly sells millions of credit and debit card numbers stolen in that data breach and many others.
Foreign gangs top list of Target data breach suspects
Investigators stymied so far by cybermystery follow an elusive trail of digital crumbs.
Anyone can log on to the site, rescator.cc, and shop for cards by ZIP code. This illegal marketplace is the most glaring reminder that no one has been brought to justice in the massive theft of Target customer data.
Federal authorities declined to say anything about their investigation, which is being led by the U.S. Secret Service. Yet cybersecurity professionals have named one person they believe is linked to the stolen card website: a Ukrainian hacker named Andrey Hodirevski.
Brian Krebs is the blogger who broke the Target breach story and first named Hodirevski a year ago. "He may not be rescator, but it's pretty clear that he knows the people who are and probably is in touch with them," Krebs said.
Two other security pros say Hodirevski almost certainly has a hand in running the site. Dmitry Volkov, head of investigations at Russian computer security company Group-IB, said in an interview that Hodirevski goes by the nickname "rescator" and has for several years been on his company's radar as a carder, or dealer in stolen payment card info. He said Hodirevski was a main member of DarkLife, a defunct Russian-language hack team.
"He has a high reputation and credibility among other carders and hackers," Volkov told the Star Tribune. "He is not just another carder."
Mark Lanterman, a former member of the Secret Service Electronic Crimes Task Force and now chief technology officer at Computer Forensic Services in Minnetonka, said the evidence points to Hodirevski.
"It's circumstantial, but there's a lot of it," Lanterman said. "His website is up and active and going stronger than ever, which is disappointing."
Someone at rescator's instant messenger address responded to Star Tribune inquiries, saying that nobody on his team has heard of Hodirevski and that he's just "some slim poor guy" that Krebs named. Authorities are looking in a "very different direction," the person said, declining to specify.
But all the publicity around the rescator site has made it the No. 1 destination for card thieves, the person boasted.
Hodirevski has not spoken out publicly, despite his name and photos having been publicized in cyber security reports and magazines such as Bloomberg Businessweek.
One Ukrainian familiar with him said Hodirevski is living in a flat in Odessa with his grandmother following a previous hacking arrest, and he is being monitored by the Security Service of Ukraine.
An old school friend in Odessa said Hodirevski has disappeared and there's no point looking. He's probably in Russia, said the friend, Alex Zhimalov: "If he wants to be invisible — he will be."
Illicit marketplace
In a conference room at his Minnetonka offices, Lanterman logs in to rescator.cc. Over the past year, he's found information on the site from tens of thousands of cards stolen from Target stores linked to Minnesota ZIP codes. This fall, he found information from at least 12,000 cards stolen from Home Depot, all linked to Minnesota ZIP codes and selling for $9 to $52 each.
The shop operates in the open now, he said.
Lanterman believes that rescator sells the software that hackers have used to break into retailers' point-of-sale computers. Then buyers customize it for victims such as Target, and others install it and do the rest of the dirty work, and give rescator the stolen card information to sell.
Watching traffic on rescator.cc tests Lanterman's patience.
"I get American law enforcement can't just drive to Russia and pick him up and bring him back to the station. But he has an infrastructure, and I don't know that enough has been done to disrupt it."
Tracking a hacker
From his house in Annandale, Va., his shotgun nearby, blogger Krebs tracks organized cybercrime groups, particularly those in Eastern Europe.
Krebs became a minor celebrity after breaking the news of Target's breach last year and then following a trail of digital bread crumbs, such as usernames from rescator, to Hodirevski.
Krebs blogged on Krebsonsecurity.com that rescator is a leading member of Lampeduza, a ring of card thieves organized in a hierarchy modeled on ancient Rome, using aliases such as Flavius and Octavius.
(The name rescator, however, likely refers to the pirate character by that name in the 1967 French adventure film "Untamable Angelique.")
Krebs linked rescator to the online alias Helkern or "hel." The domain Helkern was first registered to Andrey Hodirevski from Illichivsk, a seaport just down the Black Sea coast from Odessa.
In an interview, Krebs said that Hodirevski "may not be rescator, but it's pretty clear that he knows the people who are and probably is in touch with them."
Krebs said the cybergangs that hit Target and Home Depot are "a diverse group of folks probably across several time zones in Russia and Eastern Europe."
Whoever is running the rescator website is not just selling cards but appears to play an active role in stealing them because the information continues to show up in their online stores first, Krebs said. Plus, the word "rescator" appears in a text string used with the malicious software used in the Target attack.
A recent report by Group-IB, the Russian cyberintelligence company, examined the Russian-language carding market. It said rescator not only runs his own shops but supplied information from more than 5 million cards stolen from Target to a popular online crime shop called Swiped1.su. Group-IB estimated that the 151,720 cards rescator sold there from December 2013 to February 2014 earned rescator about $1 million.
Haven for carders
Odessa is a popular tourist spot — Russians used to flock there for some beach sun before the recent political crisis. A city of about 1 million people, it's home to several universities offering IT programs and a cluster of tech companies, including the start-up app maker Readdle.
It's also known as a haven for carders, thieves who deal in pilfered credit and debit cards. It was at an Odessa restaurant in 2001 that a large group of hackers launched CarderPlanet.com, an early marketplace where thousands of cybercriminals hung out and, mostly in Russian, traded information, stolen goods and hacking tutorials.
Authorities eventually shut it down and arrested Roman Vega, CarderPlanet's Ukrainian co-founder, when Vega ventured out to Cyprus. He's serving an 18-year prison sentence in the United States.
The spelling of Hodirevski's name varies depending on the transcription from Cyrillic. Profiles for Andrey Hodirevski on LinkedIn, and for Andrew Hodyrevsky on Retratech, a Russian-language website for certifying IT professionals, appear to be for the same person. The Retratech profile gives a birth date that would make him 22 and says he attended International Humanitarian University with a specialty in "maintenance of electronic networks" and the STEP Academy, a popular computer school in Ukraine. It lists a range of experience with various operating systems, programming skills such as JavaScript, software and databases.
He also notes "extensive experience in research, and troubleshooting of web application vulnerabilities, server software and other aspects of network security."
Neither school responded to the Star Tribune's request to confirm Hodirevski's attendance.
An archived 2011 blog of an Odessa Internet marketing company, Netpeak, featured a group of employees. "Andrew Hodyrevsky aka hel" was described as a "strong programmer." A photo posted there shows the same young man in photos Krebs obtained.
Netpeak head Artyom Borodatiuk said that Andrew Hodyrevsky worked at Netpeak from November 2010 to March 2011. He was a junior programmer in the R&D department, Borodatiuk wrote in an e-mail. He was fired for disciplinary problems, Borodatiuk said, such as showing up late for work "and some other little things we don't accept." Borodatiuk said he has no idea where Hodireveski went.
"He was almost child — I thought that it will be corrected with time," Borodatiuk said.
Obsessed with security
Odessa entrepreneur Alex Zhimalov told the Star Tribune he and Hodirevski became friends at the computer academy several years ago. Zhimalov, whose company designs web, desktop and mobile interfaces, said that he shared many interests with Hodirevski but that his friend was something of a mystery: a "dark horse," secretive and obsessed with security, using encryption on all his devices and multiple fake accounts.
No one knew where he lived, Zhimalov said. You didn't contact him, he contacted you.
Zhimalov, who e-mailed the Star Tribune pictures of Hodirevski taken in Odessa in 2012, was unaware of the controversy around his friend. He said he knew Hodirevski was hiding, but didn't know why and was shocked when told that some people link him to the Target attack.
During their last year at the computer school, about two to three years ago, he said Hodirevski hacked "some government structure" and was arrested but didn't go to jail. Then he lost touch.
The structure Zhimalov referenced is likely the Forum of Odessa, a popular Internet site that offers a mix of Craigslist-type postings and news. It was hacked in 2011, and a 19-year-old Ukrainian was arrested for stealing personal information of more than 190,000 users, according to information issued by the Security Service of Ukraine (USB) that year.
Hodirevski was the 19-year-old hacker, and he was sentenced to three years' probation, said Dmitriy Kozin, the Forum's co-owner.
Kozin said Hodirevski gained entry by guessing the password of a system administrator and stole e-mails. He was caught, Kozin said, because his effort to hide the actual address of his computer did not work.
Kozin said his understanding is that Hodirevski remains in an Odessa flat where he lives with his grandmother. The USB is "monitoring" him, he said.
Kozin said he thinks Hodirevski is "too lame to organize and rule" an attack on the scale of Target's. It's possible, he speculated, that authorities are using him to bait larger fish.
Meanwhile, Hodirevski's carding reputation only grows. Sycophants on his bulletin boards think he's the "end all," Lanterman said.
"They seem to be singing his praises," Lanterman said. "He must be thrilled with that."
Jennifer Bjorhus • 612-673-4683
The governor said it may be 2027 or 2028 by the time the market catches up to demand.