Russian Carder Tied to $4 Million in Fraud Sentenced
Mikhail Malykhin's Schemes Drove Healthcare Benefits Firm Out of Business
A Russian national who was illegally residing in the United States has been sentenced to serve 70 months in federal prison in connection with a payment card fraud scheme. He admitted to hacking attacks as well as to using stolen administrator credentials for a healthcare benefits administrator to issue unauthorized cards that were then used for fraud.
Authorities say Mikhail Konstantinov Malykhin, 36 - aka "LAX" and "Ebay" - ran a criminal scheme that caused losses of more than $4 million and drove FlexMagic Consulting, a Colorado-based, third-party healthcare benefits administration firm, out of business.
Malykhin pleaded guilty in 2016 to two felonies: hacking into accounts and conspiring to use fraudulent debit cards. On Friday, he was sentenced by U.S. District Judge Dolly M. Gee, who described Malykhin's offenses as "reprehensible," noting that he had "caused much pain" and "ruined the lives of many of his victims."
The judge ordered Malykhin to pay $4.1 million in restitution. "Malykhin has agreed to forfeit approximately $1.3 million in cash and more than $22,000 in gift cards previously seized by FBI agents from Malykhin's safe deposit boxes, as well as several gold bars, nearly $30,000 that Malykhin sent to a plastic surgery center and a 1966 Ford Mustang," the U.S. Department of Justice says.
Malykhin's defense attorney, George Mdyesyan, didn't immediately respond to a request for comment on the sentence, including why there was a two-year delay between his client's guilty plea and the sentence being imposed.
Documents associated with Malykhin's case also remain under seal. Thom Mrozek, a spokesman for the U.S. Attorney's Office in Los Angeles, said he couldn't comment on the delay in sentencing, in part because of the sealed documents.
Malykhin's 70-month sentence will likely reflect time he has already served. "He has been in custody for just shy of two years, which likely will be credited against his prison sentence," Mrozek told Information Security Media Group.
Five 'Runners' Sentenced
During the investigation, led by the FBI, agents identified suspects who had been making purchases at "local Best Buy, Apple, Home Depot, and furniture and hydroponic stores," according to the complaint against Malykhin.
On April 18, 2016, a judge authorized arrest and search warrants, leading to the arrest of four suspects, and later a fifth, who were charged with using the fraudulently issued cards, which Malykhin later admitted to supplying.
Last year, five defendants who acted as "runners" or money mules - using the fraudulently issued cards at retail stores - were sentenced to serve prison time after pleading guilty.
Siarhei Patapau, a native of Belarus, was sentenced to 30 months in prison. Four Russian nationals - Dmitry Fedoseev, Timur Safin, Kristina Gerasimova and Fedoseev's ex-wife, Irina Fedoseeva - were respectively sentenced to serve 33 months, 36 months, 12 months and 14 months in prison.
At the time of their arrest in 2016, "Fedoseev and Fedoseeva possessed more than 519 unauthorized credit, debit and gift cards and $29,300 in cash," the Justice Department says. "Patapau was found with approximately 525 credit and debit cards in other people's names."
All five defendants, by virtue of having been convicted of a felony and not being U.S. citizens, are due to be deported after they serve their prison sentences.
Suspect Turned 'Cooperator'
According to the complaint against Malykhin, one of the suspects arrested in the course of the investigation - "the cooperator" - agreed to work with law enforcement in a bid to receive leniency.
It's not clear if this cooperator was one of the five "runners" employed by Malykhin and subsequently sentenced.
The cooperator said he had worked with Malykhin for 14 years and had been trained by him to conduct fraud on eBay. In 2007 he followed Malykhin to the U.S. after Malykhin moved there from Russia, and the two then gave up eBay fraud in favor of credit card fraud, aka "carding," according to the complaint.
The cooperator told the FBI that Malykhin was behind an intrusion of Polestar Benefits, a healthcare third-party administrator that offers Flexible Spending Accounts and COBRA health insurance, as well as "other computer intrusions and credit card fraud using a laptop computer that is stored at the subject premises."
But the complaint, which requested authorization for a 6 a.m. "no knock" raid - it said that Malykhin and his girlfriend were night owls, with surveillance teams never having seen them awake that early - noted that the suspect said Malykhin "stores a backup of his computer on a SanDisk flash drive that is kept in the middle console" of his vehicle, which investigators were keen to obtain.
The complaint added that the FBI had obtained surveillance footage showing Malykhin entering a Best Buy store with the cooperator while the cooperator used a fraudulently issued MasterCard debit card to buy goods.
Hacked: Alegeus Technologies
According to the complaint, a Russian organized crime syndicate based in Los Angeles and Russia had hacked into Alegeus Technologies, a corporate insurance provider based in Waltham, Massachusetts, on or around Dec. 18, 2015, by using administrator credentials stolen from an account manager employed by Polestar Benefits.
"Malykhin is technically savvy with computers but relies on a computer hacker ... who owns a botnet, to provide him with stolen login credentials."
—FBI's criminal complaint against Malykhin
Polestar, the third-party administrator based in Lake Oswego, Oregon, used software from Alegeus Technologies.
"During this intrusion, the cyber intruder(s) reactivated the accounts of 43 previous employees of one of Polestar's clients, affiliated those accounts to a Dependent Care Plan, and then ordered 10 Flexible Spending Accounts cards, which functioned essentially as high-limit credit cards, to be mailed to a variety of locations, including to persons in Southern California," according to the complaint against Malykhin.
The FBI says that whoever reactivated the accounts gave them spending limits ranging from $500,000 to $5 million.
Ultimately, the FBI says 10 cards were issued via the reactivated accounts, mailed to recipients and used to make point-of-sale purchases at multiple stores in California, Maryland and New Jersey, as well as in Moscow.
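The sequence the complaint describes - dormant employee accounts reactivated in bulk, spending limits far above anything a flexible spending account would carry, and cards mailed out of state within minutes - is the kind of pattern a benefits platform's audit log can surface before the cards are ever used. The following is an added example written for this article, not code from Alegeus, Polestar or the FBI; the audit-event field names, the thresholds and the sample events are all constructed for illustration. It flags administrator actions that reactivate long-dormant accounts, set implausible limits, ship cards outside the plan's state, follow a reactivation within 24 hours, or form a burst of card orders by one administrator, and it happens at off-hours.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions chosen for this example, not values taken from
# the complaint or from any real benefits-administration platform.
DORMANT_DAYS = 365            # terminated longer ago than this = dormant account
MAX_PLAN_LIMIT_USD = 10_000   # a card limit above this is implausible for an FSA
REACTIVATION_WINDOW = timedelta(hours=24)
BURST_WINDOW = timedelta(hours=24)
BURST_THRESHOLD = 3           # card orders by one admin inside BURST_WINDOW
OFF_HOURS = range(0, 6)       # 00:00-05:59, when legitimate admins are rarely active

# Constructed audit events in chronological order. The field names are
# assumptions for this example, not a real platform's schema.
SAMPLE_EVENTS = [
    {"ts": "2015-12-18T02:14:00", "admin": "acctmgr01", "action": "reactivate_account",
     "account": "emp-1042", "terminated_on": "2013-05-31"},
    {"ts": "2015-12-18T02:15:00", "admin": "acctmgr01", "action": "set_limit",
     "account": "emp-1042", "limit_usd": 5_000_000},
    {"ts": "2015-12-18T02:16:00", "admin": "acctmgr01", "action": "order_card",
     "account": "emp-1042", "ship_state": "CA", "plan_state": "OR"},
    {"ts": "2015-12-18T02:20:00", "admin": "acctmgr01", "action": "order_card",
     "account": "emp-1043", "ship_state": "CA", "plan_state": "OR"},
    {"ts": "2015-12-18T02:25:00", "admin": "acctmgr01", "action": "order_card",
     "account": "emp-1044", "ship_state": "CA", "plan_state": "OR"},
    # Benign daytime activity by a different administrator.
    {"ts": "2015-12-19T10:00:00", "admin": "acctmgr02", "action": "order_card",
     "account": "emp-2007", "ship_state": "OR", "plan_state": "OR"},
    {"ts": "2015-12-19T10:01:00", "admin": "acctmgr02", "action": "set_limit",
     "account": "emp-2007", "limit_usd": 2_500},
]


def _ts(value):
    return datetime.fromisoformat(value)


def flag_events(events, dormant_days=DORMANT_DAYS, max_limit=MAX_PLAN_LIMIT_USD):
    """Return one record per event that trips at least one heuristic.

    Each record carries the event's timestamp, admin, account and the list
    of reasons it was flagged. Events must already be in chronological order.
    """
    reactivated_at = {}                  # account -> time of latest reactivation
    orders_by_admin = defaultdict(deque) # admin -> recent order_card timestamps
    flagged = []
    for ev in events:
        ts = _ts(ev["ts"])
        reasons = []
        if ts.hour in OFF_HOURS:
            reasons.append("off_hours_admin_activity")
        action = ev["action"]
        if action == "reactivate_account":
            if (ts - _ts(ev["terminated_on"])).days > dormant_days:
                reasons.append("dormant_account_reactivated")
            reactivated_at[ev["account"]] = ts
        elif action == "set_limit":
            if ev["limit_usd"] > max_limit:
                reasons.append("limit_exceeds_plan_ceiling")
        elif action == "order_card":
            if ev["ship_state"] != ev["plan_state"]:
                reasons.append("card_shipped_outside_plan_state")
            window = orders_by_admin[ev["admin"]]
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:   # drop orders outside the window
                window.popleft()
            if len(window) >= BURST_THRESHOLD:
                reasons.append("issuance_burst")
        # Any follow-up change shortly after a reactivation is suspicious on its own.
        since = reactivated_at.get(ev["account"])
        if action != "reactivate_account" and since is not None \
                and ts - since <= REACTIVATION_WINDOW:
            reasons.append("change_within_24h_of_reactivation")
        if reasons:
            flagged.append({"ts": ev["ts"], "admin": ev["admin"],
                            "account": ev["account"], "reasons": reasons})
    return flagged


def score_accounts(flagged):
    """Count distinct reasons per account so a triage queue can be ranked."""
    distinct = defaultdict(set)
    for rec in flagged:
        distinct[rec["account"]].update(rec["reasons"])
    return {account: len(reasons) for account, reasons in distinct.items()}


if __name__ == "__main__":
    hits = flag_events(SAMPLE_EVENTS)
    for rec in hits:
        print(rec["ts"], rec["admin"], rec["account"], ", ".join(rec["reasons"]))
    print(score_accounts(hits))
```

Any one of these signals can have an innocent explanation (a rehire, a late-working administrator), which is why the example scores accounts by how many distinct signals stack up rather than alerting on a single rule; the stolen-credential case in the complaint would trip most of them at once, whereas the legitimate daytime events by the second administrator trip none.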
Authorities say the suspects used the fraudulently issued credit cards to purchase goods for sale at a later date, as well as to sometimes return the goods in exchange for store credit. Purchased goods included televisions, computer tablets, media players, smart watches, cellular telephones, drones, laptops, robotic vacuums, cameras, toothbrushes, video game consoles and more.
On Jan. 19, 2016, Polestar reported to the FBI unauthorized transactions that ultimately totaled $510,000.
The suspect turned cooperator also told the FBI that Malykhin was the hacker behind $3.5 million in fraud suffered by FlexMagic. The FBI said Malykhin, after accessing Alegeus, later used the platform to issue Flexible Spending Account payment cards tied to FlexMagic Consulting.
"On April 26, 2016, the CEO of FlexMagic was interviewed by FBI Special Agent Samantha Baltzersen and confirmed being victimized of $3.5 million in fraudulent transactions over the weekend of March 26, 2016," according to the complaint. "FlexMagic could not pay the fraudulent transactions and has been forced to close its business, thus leaving the responsibility for the losses on Alegeus."
Safety Deposit Box Stored Millions in Cash
Malykhin's criminal activities appeared to have been lucrative. "Malykhin told the cooperator that he has approximately $5 million in a safety deposit box located at a vault on Olympic Boulevard [in Los Angeles]" that Malykhin accesses "through an iris scan."
The complaint said some of Malykhin's ill-gotten gains also came from employing 20 or 30 people who filed false US tax returns, receiving 20 to 30 percent of the proceeds in return (see IRS Disables Hacked PIN Tool).
Some other gains, meanwhile, allegedly came from ATM cash-out schemes, none of which are associated with the companies named in the complaint. On one evening in January 2016, for example, the cooperator told the FBI, he'd received 20 ATM cards and used them to withdraw $90,000 in cash. After delivering the cash to Malykhin's apartment, the cooperator reported seeing $500,000 in cash there and receiving $10,000 for the work.
Money Laundered via Trucking Firm
Malykhin also owned a trucking company with a partner - Sergey Smolin - "which they used primarily to launder money obtained through their fraud schemes," according to the complaint. "Smolin recruits Russian college students through the website vk.ru, a Russian equivalent of the social media website Facebook.com. The students are in the U.S. on J-1 visas and are paid to file false tax returns, obtain fake driver's licenses, open residential and P.O. Box addresses, conduct ATM cash-out schemes," as well as other types of fraud.
Rather than hacking directly into target sites, the complaint said that Malykhin relied on the services of an unnamed computer hacker, "who owns a botnet, to provide him with stolen login credentials." It said the hacker would send spam emails with attached malware that acts as a keylogger and transmits victims' usernames and passwords. "Malykhin met the hacker in an online Russian forum a long time ago and communicates with the hacker through Jabber, a free instant messaging service."
Malykhin would sometimes access the botnet records - including data exfiltrated from infected PCs - to run searches, for example for such terms as "insurance account usernames and passwords," according to the complaint.
But according to the cooperator, Malykhin lost his access to the botnet "sometime in early 2016" for unspecified reasons.
Fraud to Fund Plastic Surgery
The complaint against Malykhin reveals not just the particulars of his cybercrime schemes, but also more domestic details. For example, the $30,000 sent to the plastic surgery center - in Beverly Hills, California - that was charged to FlexMagic was to pay for procedures for two women, according to the complaint.
One of the women was named by the cooperator as being "Viktoriia" - allegedly she was living in the same Los Angeles apartment complex as Malykhin's ex-wife - who "drives a Maserati but does not have a job," according to the complaint. The other procedure was for "another unknown female who supposedly is Malykhin's 'fake wife' for U.S. citizenship purposes," it said.