Data theft forum admins busted after flashing their cash in a life of luxury

Two men without a clear source of income landed cyberfraud charges after being so flash with their ill-gotten cash that it gained the attention of the authorities.

In 2022, Russian national Pavel Kublitskii and Kazakhstan national Alexandr Khodyrev arrived in Florida and requested asylum, which was granted by the Department of Homeland Security (DHS).  Both provided DHS with the same residence address in Hollywood, Florida.

However, their lavish lifestyle was unusual. For example, Kublitskii opened a Bank of America account with a cash deposit of $50,000 and rented a luxury house, while Khodyrev purchased a 2023 Corvette with approximately $110,000 cash. All while appearing to not have a job.

The investigation indicated that the two men were involved in the activities of the dark web platform WWH Club and related forums Skynetzone, Opencard, and Center-Club.

WWH Club and the other forums are Dark Web marketplaces where cybercriminals buy, sell, and trade login credentials, personal identifying information (PII), malware, fake identification documents, and financial credentials. The forums even provide training for aspiring cybercriminals.

The FBI was able to determine the IP addresses of the WWH Club site’s administrators after obtaining a search warrant for the US-based Cloud company Digital Ocean. Based on the information derived from the logs, the FBI agent concluded:

“In addition to the forum owner and creator, it appears there are several other top administrators who operate the site and receive a portion of the generated revenue. One of those top administrators operates under the usemame “Makein.” The FBI agent provides details which show there is probable cause to believe that Kublitskii and Khodyrev both serve as administrators of WWH and share the Makein username.”

Makein is also the handle of the owner and primary administrator of Skynetzone.

Part of the offered training at WWH was a scheme that recruited and taught users to purchase items with stolen credit card data. An FBI covert online employee registered for an account on WWH and paid approximately $1,000 in bitcoin to attend the WWH training.

While on the forums, the agent saw an post where a user was selling stolen PII of people and businesses in the US. Buyers could choose how many people’s PII they wished to buy and specify the particular US state of residence, gender, age, and the credit score of their desired victims. In exchange for $110, paid in Bitcoin, the WWH seller sent the undercover agent a folder containing 20 files, each of which contained the name, date of birth, Social Security Number (SSN), state of residency, address, credit score, credit report, and account information from LendingTree.com for a US citizen.

The lead FBI agent explained:

“I know, based on my training and experience, that the presence of account information from LendingTree.com suggests that this stolen PII derived from a February 2022 breach of LendingTree that compromised the data of over 200,000 customers.”

The FBI researched domain registrations, exchanged messages, Bitpay transactions, blockchain analysis, and other digital evidence and came to the conclusion that the suspects shared the Makein account and were responsible for the cybercrimes committed by that persona.

Agents obtained records from Google which revealed that messages from and to their accounts often contained stolen PII and credit card information and which tied the account to the suspects.

With probable cause provided, the FBI agent requested the court to authorize the requested criminal complaint charging the suspects with conspiracy for trafficking in unauthorized access devices and possession of 15 or more unauthorized access devices.

Kublitski has been placed under arrest. It is not clear if Khodyrev was arrested as well. The WWH forums are running as usual and the current administrators acknowledge that the suspects were involved, but only as moderators.

Check your digital footprint

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

https://blog.malwarebytes.com/feed/