
Some Of Russia’s Most Dangerous Cybercriminals Just Had Their Malware Dealer Unmasked | #cybercrime | #computerhacker


Looking at online photos of his visits to the famous San Siro soccer stadium in Milan, or posing beside a classic car in Mexico, or arms around his high-fashion wife with London’s Tower Bridge in the background, nothing stands out about Jack. Average height and weight, white, the taupe hair of a mole, he looks as unremarkable as anyone else on the internet posing for selfies at a tourist hotspot.

In the corridors of the cybercriminal underworld, however, “Jack” is as notorious as he is mysterious. That’s because he is the supplier of a malware dubbed Golden Chickens, which is wielded by some of the most notorious Russian cybercrime gangs in the world. These gangs are suspected of causing over $1 billion in damages by hacking into large corporations across the U.S. and Europe, according to cyber sleuths who have been tracking their activity.

And while Jack’s life might appear influencer-worthy, it’s fraught with risk. He has a $200,000 bounty out for information on his identity, issued by someone who claimed he had been robbed of $1 million by the coder. And now, digital investigators Joe Stewart and Keegan Keplinger from cybersecurity company eSentire claim to have uncovered his real name and his location – Bucharest, Romania. They declined to give Jack’s name to Forbes, but say they’ve handed it to American law enforcement and are hopeful identification of the 30-year-old will scare off his customers.

“We’d like to cut off the supply chain to the threat actors,” said Stewart. “They’re going to have to start all over, find a new supplier… and, who knows, that person may also be somebody that we can reach and cut off.”

The case shows how even those who have taken pains to hide their identity over years in cybercriminal circles can be undone by persistent researchers who have access to a wealth of data, thanks, ironically, to leaked databases from hacker forums.

The pair’s lucky break came when they found a forum post from a Canadian accomplice, previously identified by the researchers as “Chuck from Montreal,” that included an account name for Jabber, the XMPP instant-messaging service widely used for contact on cybercrime forums. This was a new thread for the researchers to pull, because it had not been shared in other posts by Chuck, who’d also previously indicated he had a mysterious partner. The same Jabber account, they found, had been used to sell cybercrime tools across multiple other sites. “It opened a flood of whole new accounts, and that’s where we started seeing more coding, more selling malware,” said Keplinger.

Crucially, inside leaked databases for the forums where that Jabber user was active, there were associated emails used during sign up. One address had been used to sign up to Gravatar, the Automattic-owned service for creating online avatars. Gravatar exposes profiles by a hash of the registered email address, so simply searching the email address on Gravatar revealed what appeared to be a real name. When the researchers Googled the real name alongside his pseudonyms, they found a post on a security blog from the mid-2010s that also claimed this was the coder’s true identity. “It would be an amazing coincidence if this wasn’t the guy,” added Stewart.
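The pivot the researchers describe, from a shared Jabber handle across leaked forum sign-up tables to registration emails and then to a Gravatar profile, is a standard OSINT correlation and is easy to automate. The block below is an added illustration by the editor, not code from eSentire or from the article. All of the “leaked” rows and the Gravatar profile data are constructed inline so it runs offline; the forum names, handles and emails are hypothetical. The one real detail it relies on is Gravatar’s public lookup scheme: the profile and avatar URLs are keyed by the MD5 hex digest of the trimmed, lower-cased email (Gravatar also accepts SHA-256 digests today). The example generalises the article’s single case by normalising the handle before matching, because the same Jabber ID is often pasted with stray whitespace or different casing across forums.

```python
import hashlib

# Constructed stand-in for leaked forum sign-up tables (hypothetical data,
# not from the case in the article). Each row: forum, username, the Jabber
# handle shown on the profile, and the registration email.
LEAKED_ROWS = [
    {"forum": "forum-a", "user": "chuck_mtl", "jabber": "partner@jabber.example",  "email": "chuck@mail.example"},
    {"forum": "forum-a", "user": "coder1",    "jabber": "partner@jabber.example",  "email": "Dev.Handle@mail.example"},
    {"forum": "forum-b", "user": "c0der",     "jabber": "PARTNER@jabber.example ", "email": "dev.handle@mail.example"},
    {"forum": "forum-c", "user": "other",     "jabber": "someone@jabber.example",  "email": "other@mail.example"},
]


def norm(value):
    """Normalise an identifier the way both Gravatar and a careful analyst do."""
    return value.strip().lower()


def pivot_on_jabber(rows, jabber):
    """Return every sign-up row whose Jabber handle matches after normalisation."""
    target = norm(jabber)
    return [r for r in rows if norm(r["jabber"]) == target]


def emails_for(rows, jabber):
    """Distinct registration emails tied to one Jabber handle."""
    return sorted({norm(r["email"]) for r in pivot_on_jabber(rows, jabber)})


def gravatar_hash(email):
    """Gravatar's lookup key: MD5 hex of the trimmed, lower-cased email."""
    return hashlib.md5(norm(email).encode("utf-8")).hexdigest()


def gravatar_urls(email):
    """Public URLs a live lookup would fetch for this email (no network here)."""
    h = gravatar_hash(email)
    return {
        "profile_json": f"https://www.gravatar.com/{h}.json",
        "avatar": f"https://www.gravatar.com/avatar/{h}",
    }


# Constructed stand-in for Gravatar's profile JSON (legacy "entry" list shape),
# keyed by hash, so the example runs offline. A live lookup would GET profile_json.
FAKE_GRAVATAR = {
    gravatar_hash("dev.handle@mail.example"): {
        "entry": [{"displayName": "Hypothetical Name", "preferredUsername": "hypothetical"}]
    },
}


def resolve_display_name(email, lookup=FAKE_GRAVATAR):
    """displayName for the email's Gravatar profile, or None if there is no profile."""
    profile = lookup.get(gravatar_hash(email))
    if not profile:
        return None
    entries = profile.get("entry") or []
    return entries[0].get("displayName") if entries else None


def unmask(rows, jabber, lookup=FAKE_GRAVATAR):
    """Full pivot: Jabber handle -> registration emails -> Gravatar display names."""
    return {e: resolve_display_name(e, lookup) for e in emails_for(rows, jabber)}


if __name__ == "__main__":
    for email, name in unmask(LEAKED_ROWS, "partner@jabber.example").items():
        print(email, gravatar_urls(email)["profile_json"], name)
```

A Gravatar hit only proves that somebody registered that email with Gravatar under that display name; it is not proof of who sat behind the forum account. That is why the article’s researchers corroborated the name against an independent source before treating it as an identification, and any analyst reproducing the pivot should do the same.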

From Yahoo messages to multimillion-dollar heists

With his identity and online monikers, the researchers traced Jack’s life all the way back to his teenage years in the late 2000s, where he was already building basic spyware to steal Yahoo instant messages. They also traced later activity, such as developing software that built Microsoft Word documents laced with malware.

Between 2017 and 2019 he gained two major Russian customers, who helped him pay for designer clothing and his globetrotting. First was Cobalt Group, which is alleged to have hacked into 100 financial institutions in more than 40 countries, with single heists bringing in as much as $11 million, according to an eSentire report provided to Forbes ahead of publication. Second was FIN6, best known for its hacks of British Airways and Ticketmaster payment systems.


The business today, dubbed the Golden Chickens malware-as-a-service, continues to support cybercriminals; eSentire said the malicious software had been used to target at least 11 companies since the start of 2022.

Despite his success, his freedom, and possibly his life, may be in danger. In 2018, a hacker using the name “babay” said they had been ripped off to the tune of $1 million, and offered $200,000 to anyone on cybercrime forum Exploit.in who could uncloak Jack’s identity. “The person scammed me, didn’t complete his job, talks total nonsense, I can’t contact him and he refuses to return the money back,” the user wrote. It’s unclear what they wanted to do once they’d acquired the coder’s name, or if their bounty remained active.

Though Stewart and Keplinger provided identifying information to Canadian law enforcement on the Chuck character, no charges have been announced yet, and the pair are unaware of whether authorities are actively investigating him based on their information. The pair are more hopeful law enforcement will act on their information about Jack, however, given his close ties to Russian cybercrime.

“Identifying cybercriminals is half the battle,” says Adam Meyers, senior vice president of intelligence at cybersecurity company CrowdStrike, which refers to Jack as Venom Spider. He, too, has tied the hacker to various kinds of malware, including modules for ransomware and reconnaissance tools and adds, “Law enforcement will need to pursue an arrest in order to disrupt this adversary and put an end to their criminal activities.”
