Known as Fxmsp, the hacker became famous in 2019 when he advertised access and source code for leading cybersecurity companies, amid claims that he could make a customer “the invisible god of networks.” His identity and techniques remained largely unknown, however.
But today an American court unsealed criminal charges that named a single Kazakh national, Andrey Turchin, as the man behind the attacks, and detailed five felony charges against him. The charges date back to 2018, when American investigators say they uncovered Turchin’s real identity, but had remained sealed–which is typical in cases involving foreign hackers. But a judge in the Western District of Washington ruled to unseal the charges in large part because a cybersecurity company, Group-IB, had publicly revealed Turchin’s identity in a report last month.
A “prolific” attacker
Fxmsp first emerged in 2016 as a hacker with plenty of technical capabilities and a string of data breaches under his belt, but little business expertise, according to Group-IB. Within a year, he was advertising access to the corporate networks of banks and hotels around the world, a sign of rapid success and a growing criminal business.
In 2019, Fxmsp made headlines by advertising access to data from three major cybersecurity companies, reported to be McAfee, Trend Micro, and Symantec. He offered network access and source code at prices ranging from $300,000 to $1 million. US officials say victims lost tens of millions of dollars to the malware, unauthorized access, and network damage.
The tactics used are described as “very simple, yet effective” by Group-IB. Fxmsp took advantage of mundane gaps in security that exist in major companies around the world, even organizations that purport to be well protected. He was active across some of the best-known cybercrime forums in the Russian-speaking world and, after joining forces with another hacker named Lampeduza, became one of the most prolific and effective marketers in the market.
“Fxmsp is one of the most prolific sellers of access to corporate networks in the history of the Russian-speaking cybercriminal underground,” Group-IB’s Dmitry Volkov said last month. “Despite rather simplistic methods he used, Fxmsp managed to gain access to energy companies, government organizations, and even some Fortune 500 firms.”
Officials said the case had involved the FBI, the UK’s National Crime Agency, and private-sector security companies.
“Prices typically ranged from a couple thousand dollars to, in some cases, over a hundred thousand dollars, depending on the victim and the degree of system access and controls,” the Department of Justice said in a statement. “Many transactions occurred through use of a broker and escrow, which allowed interested buyers to sample the network access for a limited period to test the quality and reliability of the illicit access.”
But while he was successful, Fxmsp could also be inexperienced and brash. One of the long-standing rules of the Russian hacking underground is that you do not hack Russia itself–or, if you do, stay quiet about it. Fxmsp did the opposite, according to Group-IB’s report, when he tried to sell access to Russian government networks he had broken into. It got him quickly banned from cybercrime forums before he realized his mistake, which he never repeated. And mistakes made in his early days helped researchers establish his identity. Now Turchin faces a battery of charges, including conspiracy to commit computer hacking, two counts of computer fraud and abuse (hacking), conspiracy to commit wire fraud, and access device fraud.
American law enforcement says Turchin has likely known for some time that criminal charges awaited him in the United States. US, European, and Kazakh authorities are investigating this case together. Kazakhstan does not extradite nationals, and because Turchin is a Kazakh citizen, the case will likely be prosecuted in that country.
Fxmsp hasn’t been publicly active since last year, when the spotlight turned hot after those alleged $1 million breaches of cybersecurity firms. Recent reporting from the cybersecurity firm Advanced Intelligence, which followed Fxmsp closely for years, has raised other theories, including that the hacking crew is still active under different names and spaces.