Alleged Operator of SSNDOB Identity Theft Service Identified

Infographic detailing the activities of the man allegedly behind SSNDOB (click for full)

Last year, Brian Krebs detailed the operations of an identity theft service called SSNDOB, which had offered all sorts of information needed to steal identities. Now, Symantec claims to have uncovered the identity of the man running the service.

The alleged operator of SSNDOB is a 24-year-old named Armand Arturovich Ayakimyan from Abkhazia, a disputed territory located between Russia and Georgia.

Armand, who is said to have moved to the Russian city of Sochi in 2010, has had some real jobs. He worked at a photo studio, as a sales manager at a cosmetics firm, and last year, he appeared to be working at a Russian church.

At one point, he had plans to create some legitimate websites, like an online dating service and a real estate website, but his plans didn’t materialize.

Until 2007, he took part in fraud schemes that abused the financial information of Australian citizens. In 2007, he signed up on a cybercrime forum and started learning about stealing information online. Towards the end of 2007, he was already selling stolen information on hacker forums.

The next year, he started using remote access Trojans to take over the computers of UK and US citizens. In 2009, he teamed up with at least three other people using the online monikers “Tojava,” “JoTalbot” and “DarkMessiah.” The four, and possibly others, formed the cybercrime group dubbed by Symantec “Cyclosa.”

Their first major target was a large FTP site that gave them access to the websites of several travel agencies. After breaching the server, they offered to sell a database of tens of thousands of expired Russian passports, FTP space, and “rights” to the compromised server.

Shortly after that, Armand and Tojava decided to start an online identity theft store and they registered the domain for SSNDOB (the name of the service stems from “Social Security number / date of birth”). Interestingly, the first domain was registered with Armand’s real name and phone number.

In the meantime, they continued to enhance the attack capabilities of the Cyclosa gang. They attacked a number of companies from which they stole personal data. Symantec says the list of targets includes a US credit union, a Georgian government agency, and a US bank. From most of the hacked organizations, they stole data, which they used to fuel their ID theft service.

After Brian Krebs exposed the activities of SSNDOB, Armand deleted his profile on the VK social network, but his gang’s activities continued. Check out Symantec’s infographic detailing Armand’s cybercrime journey.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s