A notorious hacker who made an estimated $1.5 million by stealing information from more than 300 companies and governments in 44 countries has been identified as a 37-year-old man from Kazakhstan.
Known as Fxmsp, the hacker became famous in 2019 when he advertised access and source code for leading cybersecurity companies, amid claims that he could make his customers “the invisible god of networks.” His identity and techniques remained largely unknown, however.
But today an American court unsealed criminal charges that named a single Kazakh national Andrey Turchin as the man behind the attacks, and detailed five felony charges against him. The charges date back to 2018, when American investigators say they uncovered Turchin’s real identity, but had remained sealed—a move which is typical in cases involving foreign hackers. But a judge in the Western District of Washington ruled to unseal the charges in large part because cybersecurity company, Group-IB, had publicly revealed Turchin’s identity in a report last month.
A “prolific” attacker
Fxmsp first emerged in 2016 as a hacker with plenty of technical capabilities and a string of data breaches under his belt, but little business expertise, according to Group-IB. Within a year, he was advertising access to the corporate networks of banks and hotels around the world, a sign of rapid success and a growing criminal business.
In 2019, Fxmsp made headlines by advertising access to data from three major cybersecurity companies, reported to be McAfee, Trend Micro, and Symantec—offering network access and source code at prices ranging from $300,000 to $1 million. US officials say victims lost tens of millions of dollars due to the malware, unauthorized access, and network damage.
The tactics used are described as “very simple, yet effective” by Group-IB. Fxmsp took advantage of mundane gaps in security that exist in major companies around the world, even organizations that purport to be well-protected. He was active across some of the most well-known cybercrime forums in the Russian-speaking world and, after joining forces with another hacker named Lampeduza, became one of the most prolific and effective marketers in the market.
“Fxmsp is one of the most prolific sellers of access to corporate networks in the history of Russian-speaking cybercriminal underground,” Group-IB’s Dmitry Volkov said last month. “Despite rather simplistic methods he used, Fxmsp managed to gain access to energy companies, government organizations and even some Fortune 500 firms.”
Officials said that the case had involved the FBI, the UK’s National Crime Agency and private sector security companies.
“Prices typically ranged from a couple thousand dollars to, in some cases, over a hundred thousand dollars, depending on the victim and the degree of system access and controls,” the Department of Justice said in a statement. “Many transactions occurred through use of a broker and escrow, which allowed interested buyers to sample the network access for a limited period to test the quality and reliability of the illicit access.”
But while he was successful, Fxmsp could also be inexperienced and brash. One of the long-standing rules of the Russian hacking underground is that you do not hack Russia itself—or, if you do, stay quiet about it. Fxmsp did the opposite, according to Group-IB’s report, when he tried to sell access to Russian government networks he had broken into. It got him quickly banned from cybercrime forums before he realized his mistake and never repeated it. And mistakes made in his early days helped researchers establish his identity. Now Turchin faces a battery of charges, including conspiracy to commit computer hacking, two counts of computer fraud and abuse (hacking), conspiracy to commit wire fraud, and access device fraud.
American law enforcement say Turchin has likely known for some time that criminal charges awaited him in the United States. US, European, and Kazakh authorities are investigating this case together. Kazakhstan does not extradite nationals and, because Turchin is a Kazakh citizen, the case will likely be prosecuted in that country.
Fxmsp hasn’t been publicly active since last year when the spotlight turned hot after those alleged $1 million breaches of cybersecurity firms. Recent reporting from the cybersecurity firm Advanced Intelligence, which followed Fxmsp closely for years, has raised other theories, including that the hacking crew is still active under different names and spaces.
The indictment was first reported by Seamus Hughes, the deputy director of the Program on Extremism at George Washington University.