Who is the Network Access Broker ‘Wazawaka?’ – Krebs on Security

Written by publishing team

In many ransomware attacks, the criminals looting the victim’s network are not the same as the crooks who gained the initial foothold in the victim organization. More commonly, the infected computer or the stolen VPN credentials the gang used to break in were purchased from a cybercriminal intermediary known as an Initial Access Broker. This post examines some of the clues left behind by “Wazawaka,” the hacker handle chosen by a major access broker in the Russian-speaking cybercrime scene.

Wazawaka has been a very active member of many cybercrime forums over the past decade, but his favorite is the Russian-language community Exploit. Wazawaka spent his early days at Exploit and other forums selling Distributed Denial of Service (DDoS) attacks that could knock websites offline for $80 a day. But in recent years, Wazawaka has focused on selling access to organizations and databases stolen from hacked companies.

A thread started by Wazawaka on Exploit in March 2020, in which he sold access to a Chinese company with more than $10 billion in annual revenue, reads: “Come steal, get the dough! Show them who the boss is.”

According to his posts on Exploit, Wazawaka has worked with at least two different ransomware affiliate programs, including LockBit. Wazawaka said LockBit paid him nearly $500,000 in commissions for the six months leading up to September 2020.

Wazawaka also said that he collaborated with DarkSide, the ransomware group responsible for the six-day outage at Colonial Pipeline last year that caused nationwide fuel shortages and soaring prices. The US Department of State has since offered a $5 million reward for information leading to the arrest and conviction of any of DarkSide’s affiliates.

Wazawaka seems to take a uniquely communal view that when organizations held for ransom refuse to cooperate or pay, any data stolen from the victim should be posted on Russian cybercrime forums for everyone to loot — not privately sold to the highest bidder. In thread after thread on the crime forum XSS, Wazawaka’s alias “Uhodiransomwar” can be seen posting download links to databases from companies that refused to negotiate after five days.

Uhodiransomwar wrote in August 2020: “The one and only principle of ransomware is: the information you steal should never be sold.” This information was stolen from.

Wazawaka has not always been very friendly with other hackers. Over the past 10 years, his contact information has been used to register several phishing domains aimed at stealing credentials from people trying to transact on various dark web marketplaces. In 2018, Wazawaka registered a large number of domains impersonating the real domain of the Hydra dark web market. In 2014, Wazawaka confided to another crime forum member via private message that he had made good money stealing accounts from drug dealers on these markets.

“I was stealing their QIWI accounts for up to $500,000,” Wazawaka recalls. “The dealer would never go to the cops and tell them he’s selling things online and someone stole his money.”

Who is Wazawaka?

Wazawaka has used numerous email addresses and aliases on various Russian crime forums, but data collected by cybersecurity firm Constella Intelligence shows that Wazawaka’s alter egos always use one of three somewhat unique passwords: 2k3x8x57, 2k3X8X57, and 00 default.

These three passwords have been used by one or all of Wazawaka’s email addresses on crime forums over the years, including wazawaka@yandex.ru, mixseo@mail.ru, mixseo@yandex.ru, and mixfb@yandex.ru.

One of those email addresses was last used nearly a decade ago to register a VKontakte (the Russian version of Facebook) account under the name Mikhail “Mix” Matveyev. The phone number associated with this VKontakte account – 7617467845 – is assigned by the Russian telephony provider MegaFon to a resident of Khakassia, located in the southwestern part of eastern Siberia.

DomainTools.com [an advertiser on this site] reports that mixfb@yandex.ru was used to register three domains between 2008 and 2010: ddosis.ru, best-stalker.com, and cs-arena.org. The last of these was originally registered in 2009 to Michael B. Matveyev in Abakan, Khakassia.

Mikhail Matveev is not the most unusual name in Russia, but there are other clues that help narrow things down a little. For example, early in his Exploit posts, Wazawaka can be seen telling members that he can be contacted via the ICQ instant messaging account 902228.

An online search for Wazawaka’s ICQ number brings up a 2009 account by Wazawaka on a now-defunct discussion forum about Kopyovo, a town of about 4,400 inhabitants in the Russian Republic of Khakassia:

michael mix

Also around 2009, someone using the alias Wazawaka and the ICQ address 902228 started posting on Russian social networks in an attempt to convince locals to duplicate the website “fureha.ru,” which has been described as another website serving the residents of Khakassia.

According to the Russian domain monitor 1stat.ru, fureha.ru was registered in January 2009 to the e-mail address mix@devilart.net and the phone number +79617467845, which is the same number associated with Mikhail “Mix” Matveyev’s VKontakte account.

DomainTools.com says mix@devilart.net was used to register two domains: one called badamania[.]ru, and a now-defunct porn site called tvporka[.]ru. The phone number associated with the 2010 registration of this porn site was 79235810401, also issued by MegaFon in Khakassia.

A search in Skype for this number shows it has been associated for more than a decade with the username “matveevatanya1,” registered to a now 29-year-old Tatiana Matveeva Darabina, whose VKontakte profile says she currently resides in Krasnoyarsk, the largest city nearest to Abakan and Abaza.

It seems likely that Tatiana is a relative of Mikhail Matveyev, and possibly his sister. Neither of them responded to requests for comment. In 2009, a Mikhail Matveyev from Abaza, Khakassia registered the username Wazawaka on weblancer.net, a freelance job exchange for Russian IT professionals. The Weblancer account says that Wazawaka is currently 33 years old.

In March 2019, Wazawaka explained his prolonged absence from Exploit by saying that he had just had a child. “I will answer everyone in a week or two,” the crime actor wrote. “Became a father – went on vacation for two weeks.”

One of the many email addresses that Wazawaka used was devdelphi@yandex.ru, which is linked to a newer but since-deleted VKontakte account of Mikhail Matveyev and used the password 2k3X8X57. As usual, I’ve put together a mind map showing the links referenced in this story:

An approximate mind map of the links mentioned in this story.

Analysts at cyber intelligence firm Flashpoint say Wazawaka’s posts on various Russian crime forums show he is adept in many disciplines, including bot operations, keylogger malware, spam networks, credential harvesting, Google Analytics manipulation, and selling databases for use in spam and DDoS operations.

Flashpoint says it is possible that Wazawaka/Mix/M1x shared his cybercriminal identities and accounts with several other forum members, most of whom appear to have been partners in his DDoS rental business a decade ago. For example, Flashpoint points to an Antichat forum thread from 2009 where members said that M1x worked on his DDoS service with a hacker nicknamed “Vedd,” who is also known to be a resident of Abakan.

Stay right, Mother Russia will help you

All of this is academic, of course, provided Mr. Wazawaka chooses to a) never leave Russia and b) avoid cybercrime activities that target Russian citizens. In a January 2021 thread on Exploit regarding the arrest and subsequent takedown of a NetWalker ransomware affiliate, Wazawaka appears to have already resigned himself to these restrictions.

“Don’t be troubled where you live, travel local, and don’t travel abroad,” Wazawaka said of his personal motto.

Which may explain why Wazawaka has largely neglected to conceal and protect his cybercriminal identities: incredibly, Wazawaka’s alter ego on the XSS forum – Uhodiransomwar – still uses the same forum password he used for the VKontakte account 10 years ago. Fortunately for him, XSS also requires a one-time code from a mobile authenticator app.

The second-factor login prompt for Wazawaka’s account on XSS (Uhodiransomwar).

Wazawaka said the shutdown of NetWalker was the result of the greed of its manager (also known as “Bugatti”), and then proceeded to preach about the need for cybercriminals to periodically rebrand their identities.

“I have some business with Bugatti,” Wazawaka said. “The guy got really rich and started recruiting Americans as affiliate partners. What happened now is the result. That’s fine, though. I wish Bugatti would do some rebranding and start from the beginning 🙂 As for the taken-over servers, they should have hosted their admin panels in Russia to avoid having their servers taken over by Interpol, the FBI or someone else.”

“Mother Russia will help you,” Wazawaka concluded. “Love your country, and you will always get away with it.”

If you liked this post, you may also enjoy Who Is the Network Access Broker “Babam”?