The Hacker History Of Alexsey Belan, A Latvian Accused Of Attacking Yahoo For Russian Spies

Alexey Belan Yahoo hacker

Department of Justice

Alexey Belan is accused of hacking Yahoo. He’s already on the FBI’s Most Wanted list.

Alexsey Belan is a wily character, if the stories are to be believed.

Alexey Belan Yahoo hacker

Department of Justice

Alexey Belan is accused of hacking Yahoo. He’s already on the FBI’s Most Wanted list.

Alexsey Belan is a wily character, if the stories are to be believed.

In 2013, after an arrest warrant was put out by the United States, the auburn-haired, blue-eyed 29-year-old Latvian managed to escape from his hideout in Europe, believed to have been in Greece, sources familiar with the matter told Forbes. That came after American law enforcement called for international assistance in apprehending someone they believed to have carried out attacks on two major e-commerce sites. No one knows exactly how or when he escaped and made it back into the protective arms of Russia.

As a result of his escapades, the FBI put out a $100,000 reward for anyone who could help arrest him. There was also an Interpol Red Notice, demanding his apprehension if he was spotted by law enforcement in any country, whether in one of his journeys to the homeland of Latvia, or his sojourns in the Maldives or Thailand.

He was never caught. And earlier this week, he was indicted for one of the biggest hacks ever, the 2014 breach of Yahoo in which the attackers stole information on 500 million accounts. And in that indictment, the U.S. government alleged he did so at the behest of the FSB, Russia’s national law enforcement agency.

Belan was an obvious recruit for Russia’s clandestine online operations, according to security experts who’ve monitored his various web personas, as named on his FBI Most Wanted page: M4G, Magg, Fedyunya and Quarker. From M4G in particular, it appears Belan moved quickly from teenage hijinks to becoming one of the more adept website hackers working across the Russian cybercrime underworld, researchers told Forbes.

Who is Belan?

Belan’s alleged monikers were active since at least 2006, when he was aged just 18. From 2007 onwards, the M4G alias associated with Belan was gaining a reputation across hacker forums and comms channels like InsidePro and Zloy, while blogging on his own site, M4G.RU, though archived posts reveal no obvious illicit activity.

But the M4G name is linked to multiple breaches. In his early days, M4G focused on websites related to ICQ communications, said Vitali Kremez, director of research at cybercrime intelligence provider Flashpoint. Those sites included uinshop.com, nomerkov.net and uinzz.com. Another of his targets, lordmancer.ru, was a massively multiplayer game, Kremez added. And a screenshot from a hacking forum on which M4G posted also indicated he’d acquired data from Tjat.com, a cloud computing supplier based in Israel. (The named targets hand’t responded to request for comment at the time of publication).

M4G Alexsey Belan hacker forum post

Flashpoint

The M4G alias associated with Belan posts on an underground hacking forum about target Tjat.com.

Another source, who wished to remain anonymous, said Belan’s alleged personas were also associated with breaches at a number of major sites across Russia and the old Soviet Block. They included Ukrainian entertainment website Bigmir.net, and one of Russia’s biggest search engines and web portals Rambler.ru, which admitted to a 2014 breach last year in which records on 98 million accounts were stolen. (Neither company had responded to requests for comment). All of those hacks boosted his reputation in the darker corners of the web, the sources said.

M4G was a collaborative player too, often requesting services to crack hashes of passwords he’d stolen. (Hashes are cryptographic representations of plaintext that can be “cracked” by computers running a large number of guesses at rapid speed, putting each through a hashing algorithm until a match has been found). He’s been seen selling credit card data, ICQ accounts he’d hacked, and data from a number of breached forums too, said Kremez.

Flashpoint tracks M4N hacker on Russian forum

Flashpoint

A post on a hacker forum from M4G, a moniker the DOJ associated with Alexsey Belan. M4G is seen here asking someone to crack passwords he’d acquired.

By 2011, the M4G name had built a reputation as an adept web app hacker, breaching a large number of website, with a specialty in breaching WordPress sites. “He’s definitely on the radar of the most sophisticated hackers we’ve seen,” said Kremez.

An escape to and from Greece

In 2012 and 2013, U.S. authorities filed indictments against three unnamed American e-commerce companies. Sources told Forbes Belan was linked to attacks on a number of companies in the online healthcare insurance market, though it was unclear if it was those hacks for which he was charged.

At that time, Belan was living in Greece, sources familiar with his activities told Forbes, and it’s believed that’s where he was apprehended in 2013. It’s unclear for what specific crime he was arrested, nor how he escaped.

By 2014, much of his attention turned to Yahoo, according to the Department of Justice indictment. Far more than co-defendant Karim Baratov, he helped two FSB agents – Dmitry Dokuchaev and Igor Sushchin – acquire access to a large number of Yahoo accounts belonging to targets of interest to Russian intelligence, the DOJ claimed. They included: the former Minister of Economic Development of a country bordering Russia, a diplomat from another bordering nation, an investigative reporter who worked for Russian publication Kommersant Daily, employees of a U.S. cloud storage company, a Nevada gaming official, a senior officer of a major U.S. airline, a managing director of a U.S. private equity firm, and 14 members of staff at a Swiss Bitcoin wallet provider, amongst many others.

Belan was lining his own pockets at the same time, prosecutors alleged, and had one particularly devilish scheme in November 2014 when he manipulated Yahoo search algorithms so that anyone looking for erectile dysfunction treatments would be presented with his own links to an online pharmacy company. That firm would then pay Belan a commission for driving traffic to the site.

From March 2015, he also used his technical finesse to craft access cookies that allowed him into an astonishing 30 million Yahoo accounts, the U.S. said. He then rummaged through victims’ contacts to spam them, according to the charges, while also searching for credit card data.

Most Wanted hackers

The only comparable hacker, said Kremez, was another alleged cybercrime kingpin: Evgeniy Bogachev. He’s believed to have the protection of the Russian government too. Despite being accused of running a massive malware operation that caused as much as $100 million in damage to U.S. organizations, he continues to live out his days as a free man in a town near the Black Sea, according to law enforcement officials and security companies with knowledge of his activities.

Both Bogachev and Belan were on the list of President Obama’s sanctions following the hacks of the Democratic National Committee (DNC) and multiple other organizations involved in the 2016 election, allegedly sponsored by the Kremlin. As reported by Forbes in 2015, Bogachev was also associated with Russian cyberespionage activity focused on the U.S., Georgia and Ukraine.

FBI Most Wanted hacker Evgeniy Bogachev associated with espionage

Department of Justice

Evgeniy Bogachev is one of the FBI’s Most Wanted and found his way onto American sanctions of Russian individuals and entities following the U.S. election hacks of 2016.

No one is telling where Belan might be enjoying the good life. According to the DoJ indictment released last week, he’s receiving intelligence from the FSB that’s helping him avoid the watchful eyes of Western agencies.

Emails to addresses associated with Belan’s alleged online aliases – quarker@bk.ru and moy_yawik@bk.ru – received no reply.

Got a tip? Email at TFox-Brewster@forbes.com or tbthomasbrewster@gmail.com for PGP mail. Get me on Signal on +447837496820 or tfoxbrewster@jabber.hot-chilli.net on Jabber for encrypted chat.

Leave a Reply

Your email address will not be published. Required fields are marked *