Criminal charges reveal the identity of the “invisible god” hacker

A notorious hacker who made an estimated $1.5 million by stealing information from more than 300 companies and governments in 44 countries has been identified as a 37-year-old man from Kazakhstan. 

Known as Fxmsp, the hacker became famous in 2019 when that he advertised access and source code for leading cybersecurity companies, amid claims he could make an individual “the invisible god of networks.” His identity and techniques remained largely not known, however.

But today an American court unsealed criminal charges that named a single Kazakh national, Andrey Turchin, as the man behind the attacks, and detailed five felony charges against him. The charges date back again to 2018, when American investigators say they uncovered Turchin’s real identity, but had remained sealed—which is typical in cases involving foreign hackers. But a judge in the Western District of Washington ruled to unseal the charges in large part because a cybersecurity company, Group-IB, had publicly revealed Turchin’s identity in a report last month. 

A “prolific” attacker

Fxmsp first emerged in 2016 as a hacker with plenty of technical capabilities and a string of data breaches under his belt, but little business expertise, based on Group-IB. Within a year, that he was advertising access to the corporate networks of banks and hotels around the world, an indication of rapid success and a growing criminal business.

In 2019, Fxmsp made headlines by advertising use of data from three major cybersecurity organizations, reported to be McAfee, Trend Micro, and Symantec. He offered network access and source code at prices which range from $300,000 to $1 million. US officials say victims lost tens of millions of dollars to the malware, unauthorized access, and network damage.

The tactics used are described as “very simple, yet effective” by Group-IB. Fxmsp took advantage of mundane gaps in security that exist in major organizations around the world, even organizations that purport to be well protected. He was active across some of the best-known cybercrime forums in the Russian-speaking world and, after joining forces with another hacker named Lampeduza, became one of the most prolific and effective marketers in the market.

“Fxmsp is one of the most prolific sellers of access to corporate networks in the history of the Russian-speaking cybercriminal underground,” Group-IB’s Dmitry Volkov said last month. “Despite rather simplistic methods he used, Fxmsp managed to gain access to energy companies, government organizations, and even some Fortune 500 firms.”

Officials said the case had involved the FBI, the UK’s National Crime Agency, and private-sector security organizations. 

“Prices typically ranged from a couple thousand dollars to, in some cases, over a hundred thousand dollars, depending on the victim and the degree of system access and controls,” the Department of Justice said in a statement. “Many transactions occurred through use of a broker and escrow, which allowed interested buyers to sample the network access for a limited period to test the quality and reliability of the illicit access.”

But while that he was successful, Fxmsp is also inexperienced and brash. One of the long-standing rules of the Russian hacking underground is that you do not hack Russia itself—or, if you do, stay quiet about this. Fxmsp did the opposite, according to Group-IB’s report, when he tried to sell use of Russian government networks he previously broken in to. It got him quickly banned from cybercrime forums before that he realized his mistake, which he never repeated. And mistakes manufactured in his beginning helped researchers establish his identity. Now Turchin faces a battery of charges, including conspiracy to commit computer hacking, two counts of computer fraud and abuse (hacking), conspiracy to commit wire fraud, and access device fraud.

Extradition unlikely

American police force says Turchin has likely known for quite a while that criminal charges awaited him in the United States. US, European, and Kazakh authorities are investigating this case together. Kazakhstan does not extradite nationals, and because Turchin is a Kazakh citizen, the case will probably be prosecuted because country.

Fxmsp hasn’t been publicly active since last year, when the spotlight turned hot after those alleged $1 million breaches of cybersecurity firms. Recent reporting from the cybersecurity firm Advanced Intelligence, which followed Fxmsp closely for decades, has raised other theories, including that the hacking crew continues to be active under different names and spaces. 

The indictment was reported by Seamus Hughes, the deputy director of the Program on Extremism at George Washington University.