
05:25 PM

Russian Cybercriminal Behind CardPlanet Sentenced to 9 Years

Aleksei Burkov will go to federal prison for operating two websites built to facilitate payment card fraud, hacking, and other crimes.

Russian national Aleksei Yurievich Burkov has been sentenced to nine years in federal prison for his operation of two websites, CardPlanet and Direct Connection, dedicated to payment card fraud, computer hacking, and other crimes, the Department of Justice said late last week.

CardPlanet was a so-called "carding" website built to sell credit and debit card numbers stolen through computer hacking. Many of the card numbers sold belonged to US citizens, and more than 150,000 stolen payment card numbers were sold on CardPlanet, resulting in at least $20 million in fraudulent purchases made with US payment card accounts.

The price of stolen payment cards ranged from $2.50 to $60 on CardPlanet depending on the card type, country of origin, and availability of cardholder data like name and address. To encourage purchases, Burkov offered a fee-based "checker" service that enabled customers to verify stolen payment card numbers. If a card was invalid, Burkov promised to replace it. He advertised his shop as the only one that would refund the price of invalid payment card data. 

Some customers who bought stolen data from CardPlanet encoded the numbers on counterfeit payment cards embossed with the card company's logo, without the company's knowledge or consent, the indictment states. These counterfeit cards were used to buy goods and services across the United States, both in-person and online.

In addition to CardPlanet, the indictment alleges Burkov and his co-conspirators ran an online forum where elite cybercriminals could meet in a secure place to plan crimes, help one another commit crimes and avoid law enforcement, and buy and sell stolen goods and services: payment card numbers, personally identifiable information, botnets, and other malware. While the indictment does not specify the forum's name, some reports call it Direct Connection.

The forum was divided into several subsections so members could comment on different topics including news, online shopping, buying and selling payment card data, carding documents and equipment, bank account cashouts and bank transfers, and information security topics like databases, botnets, Trojans, scripts, and exploits. Burkov was active on the forum several times per week and used it to drive traffic back to CardPlanet and further his illicit operations there.

Burkov also used this forum to advertise his illegal services and find others selling illicit goods and services he wanted to buy, officials explain in the indictment. He and his co-conspirators controlled access to the forum so as to avoid infiltration. Applicants were required to have three members vouch for them to verify their reputation for, and history of, cybercrime. They had to put up a sum of money – usually around $5,000 – as insurance in case they failed to pay for services on the forum, and all members of the forum had to vote on their acceptance.

"These measures were designed to keep law enforcement from accessing Burkov’s cybercrime forum and to ensure that members of the forum honored any deals made while conducting business on the forum," officials explain in a statement.

Burkov was arrested at the Ben-Gurion Airport near Tel Aviv, Israel in December 2015; an Israeli district court approved his extradition in 2017. He was extradited to the US in November 2019. In January 2020 he pleaded guilty to one count of access device fraud and one count of conspiracy to commit access device fraud, identity theft, computer intrusions, wire fraud, and money laundering.

A Long Road to Sentencing

It's rare to see a Russian cybercriminal extradited and sentenced. This sentencing did not arrive without pushback from Moscow, which fought for four years to keep Burkov from being extradited to the United States. As KrebsOnSecurity notes, Israel turned down requests to send the cybercriminal back to Russia, where he allegedly faced other hacking charges. When that didn't work as planned, Russia imprisoned an Israeli woman in an attempt to trade prisoners.

The FBI and the Homeland Security Investigations (HSI) unit, the US authorities responsible for bringing cybercriminals to justice, often have difficulty bringing them to the US for prosecution, despite help from Interpol and other agencies. Even if the US has an extradition treaty in place with a country, the government can choose not to extradite individuals on a case-by-case basis.

More than 76 countries do not have an extradition treaty with the US, meaning even known criminals have a low chance of being brought to justice. This is the case with Russia and China, whose citizens are not extradited to the United States. Because of this, US authorities typically monitor the criminals' activity and try to learn when they plan to travel to another country.

Burkov isn't the first Russian cybercriminal to be extradited to the United States. Peter Yuryevich Levashov, operator of the Kelihos botnet, was arrested in Barcelona in April 2017 and extradited to the US, where he pleaded guilty in federal court to charges related to criminal activities. Russian national Yevgeniy Nikulin, accused of breaking into Dropbox and the 2012 cyberattack on LinkedIn, was extradited to the US after being detained in the Czech Republic.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

6/30/2020 | 11:03:32 PM
9 Years
It's good to see that criminal cyber activity is having enforced consequences. We've seen a change in sentencing now that cybercrime is becoming more understood.