One of the key distributors of personal data of Russians in the interests of telephone fraudsters may be Ukrainian hacker Vladislav Khorokhorin, who was convicted of stealing $9 million from US citizens and concluded a deal with American intelligence agencies. In 2022, he may have created a special "punching" (data lookup) service for fraudulent "call centers" using the website of a company founded in New York by Arkady Bukh, a lawyer for "Russian hackers." Izvestia reports on how a veteran of post-Soviet cybercrime could turn into an ideologue of telephone scams operating against Russian citizens, ordering nuclear power plant break-ins, confessing to the murders of Russian military personnel and threatening their children with violence.

"THIEF" and "GUR"

"Could you come back 10 minutes later? Your geek wouldn't even have a house," an unknown person told the father of an 11-year-old child by phone, who found his son with a lighter in his hands in an apartment filled with gas. In June 2024, a resident of Severodvinsk, a city known primarily as the center for the construction of Russian nuclear submarines, contacted law enforcement agencies with such a story. A tragedy in the apartment building was averted thanks to good ventilation in the room. The Investigative Committee has opened a case on attempted murder of a minor in a socially dangerous manner.

There is a tradition in the media to call all intruders using social engineering methods disguised as employees of banks, police or special services "scammers". The material damage from them last year reached a gigantic amount of 200 billion rubles, and the number of Russians affected was 449 thousand. However, often the actions of "scammers" go beyond selfish motives and qualify as terrorist attacks, destruction of property or suicide.

In August 2023, 76-year-old Valery Ershov from the Leningrad region committed suicide after he sold an apartment on the instructions of unknown persons, transferring the funds received to the attackers, and set fire to the military enlistment office. In December 2024, Pyotr Vetchinkin, an 18-year-old MIPT student, committed suicide after he was first tricked out of borrowed funds and then persuaded to commit a terrorist attack. In February 2023, a 56-year-old woman from Zelenograd was persuaded to give 2.6 million rubles and get tattoos with the words "THIEF" and "GUR."

More than two thirds of the arson attacks on military enlistment offices and infrastructure facilities since the beginning of the special military operation have been committed by victims of telephone fraud, rather than financially or ideologically motivated saboteurs, it follows from the content of the sentences under the relevant articles of the Criminal Code. Their peak occurred in December 2024.

The reason for the aggressive behavior of the "scammers" is well known: over 90% of such calls come from Ukraine, explained Stanislav Kuznetsov, Vice President of Sberbank. "In total, we are recording 800-900 call centers across the territory of Ukraine," he said.

An important tool in the hands of fraudsters is the leakage of personal data. Their diversity allows attackers to have not just basic information about victims (full name, contact information, age), but to compile detailed digital profiles of citizens, collecting data on marital status, income level, hobbies, and purchasing patterns, the InfoWatch analytical agency explains.

"The more information about a person in fraudulent databases, the easier it is for attackers to formulate possible options for deceiving a person," experts say.

In 2024, Russia became a leader in the number of leaked data (457 million lines), according to a February report by cybersecurity company F6 (ex-Group-IB). "As before, criminals made most of the stolen databases publicly available for free to cause the greatest damage to companies and their customers," experts point out.

In 90% of cases, the suppliers of illegally obtained personal data of Russian citizens are Ukrainian hackers, Ashot Oganesyan, the author of the Telegram channel "Information Leaks", explained to Izvestia.

"Spending Russian loot on the Ukrainian Armed Forces"

By the end of 2024, F6 had identified several hacker groups that are prominent in the market for Russian citizens' personal data. An important place among them is occupied by the hacktivist group CyberSec's and its leader under the pseudonym BadB. Their favorite tactic is to publish data from Russian companies and call for further attacks through contractors, cybersecurity experts say.

On November 8, 2024, CyberSec's announced the hacking of more than 30,000 Russian corporate servers on the Bitrix platform. The attackers actively published the obtained databases in the channel "BadB on the Base". From September to December, 22 databases on Russian citizens were published there.

The Shadow group (also known as Twelve, Comet and DARKSTAR) is probably associated with CyberSec's, according to F6. From February 2023 to July 2024, cybersecurity experts recorded 50 Russian companies attacked by Shadow. The ransom amounts announced by hackers ranged from 4.5 million to 320 million rubles, with an average price tag of about 90 million rubles (in BTC or XMR).

F6 calls Shadow a "purely anti-Russian project": for more than a year of the group's existence, not a single attack has been detected outside the Russian Federation. In turn, CyberSec's leader, under the pseudonym BadB, has not only been publishing data leaks from Russia since the beginning of 2022, but has also been actively engaged in political propaganda, the researchers say.

As Izvestia found out, BadB also supports its own service for "punching" Russians for Ukrainian "call centers" and special services. Moreover, the cybercriminal admits to working closely with them and calls for crimes against ordinary Russian citizens, including children. For example, he awarded rewards in cryptocurrency for attacks or reprisals against family members of long-range aviation pilots: "Don't be surprised if your ******** gets your head twisted or kicked on the way home from school."

Recently, BadB reported on the addition of databases with Russian minors to its call center service. He accompanied the publication with an appeal to the scammers: "Work, brothers!"

"Our tool is primarily aimed at finding detailed information about an individual based on complex, and often not explicit criteria," writes BadB. For example, there is a function, "much loved by call centers," which "allows you to select all men living, say, in Syktyvkar, from 50 to 60 years old, whose name is Vasily." The hacker is inciting "call centers" to target residents of closed territorial formations and single-industry towns around defense enterprises and military facilities.

"We can find family members and connections between people. You can find personal data, correspondence, password hashes with us, we do not delete data from databases that come to us. We do not delete Russian data under any circumstances. We have developed an API and flexible pricing plans for call centers. However, to work with the tool, you need to have sufficient knowledge and understanding of the logic of working with the database. We are open to cooperation and will adapt the tool to your needs."

BadB has repeatedly published announcements about the purchase of access to internal information in Russian corporations and government agencies. He claims that his service purposefully collects personal data of Russians in connection with financial information. "We will not limit ourselves to Russian bases, but we are ready to go further, provided that we identify Russian citizens."

He admits that he personally receives part of the funds from fraudulent schemes against Russian citizens or ransoms after hacking: "I will spend Russian loot on the Ukrainian Armed Forces!"

Separately, BadB highlights its assistance to the 93rd separate mechanized brigade "Kholodny Yar", which is considered an "elite" unit of the Armed Forces of Ukraine. In his blog, BadB passes on special thanks from the brigade's fighters to the employees of the call centers, who "took an active part in the fees and deposited significant amounts." In 2023, BadB claimed that during his visit to the line of contact, he "got high" by "personally" participating in the murder of Russian military personnel.

"We continue to financially destroy, destabilize and demoralize the occupiers, while providing not only for ourselves, but also for those people who stand behind us. Everything is as we like, in the style of Cybersec. Who needs certificates, support, please contact us," BadB writes and reminds us about its service for "call centers" with "the most up-to-date databases."

BadB also offers software assistance for drug dealers working in Russia.

Many former colleagues in the Russian-speaking hacker community, including people from Ukraine, strongly condemn BadB for his views and actions. He, in turn, speaks contemptuously about pro-Russian hackers. In his opinion, they have no choice because of persecution by American intelligence agencies around the world. On the other hand, there are no guarantees against reprisals by law enforcement agencies of the Russian Federation.

In response to a public pro-Russian position, he threatens prosecution outside the Russian Federation, targeted attacks involving criminals, drones, and criminal cases involving corrupt law enforcement officers.

BadB's real name is well known to Russian cybersecurity experts. However, most of them are reluctant to comment on his activity: many are personally familiar with him.

The enchanting animator

You can still find on the Internet an animated video about Russian "carders" created at the beginning of the noughties under the track "Bobi-boba" with incoherent text imitating a foreign speech. The song gained popularity then thanks to the patriotic TV series "Special Forces". In the video, a grotesque character in a vest and earflaps with a red star establishes contacts from cold Russia with his colleague in sunny Italy. A Russian hacker sends stolen bank card data to an Italian, who stamps fake credit cards and sells them. While the accomplices are enjoying easy money, somewhere across the ocean, US citizens faint when they discover zero balances on their accounts. At the end of the video, then-American President George W. Bush finds nothing better than to commit suicide right in the Oval Office.

The video was posted by one of the creators of CarderPlanet, the largest forum for cybercriminals of the noughties. The platform brought together several thousand people, whose main earnings were the theft of bank card data and their subsequent cashing out. The backbone of the community consisted of immigrants from the countries of the former Soviet Union and Eastern Europe. Dmitry Golubov, a future deputy of the Verkhovna Rada from the Petro Poroshenko Bloc, was the key investor of the site, and David Arakhamia, the future leader of the ruling Servant of the People faction, was responsible for the design of the site.

In March 2025, when Telegram deleted CyberSec's channel for violating the platform's rules, community leader BadB created a new one with a distinctive cartoon character on his profile picture. Now, instead of a star on the earflaps, the unshaven hacker has a cockade with the Bitcoin cryptocurrency symbol. The author of the channel does not hide the fact that he is Vladislav Khorokhorin, a cybercrime veteran known under the pseudonym BadB, the creator of the cartoon for CarderPlanet. This is easy to verify.

An archived copy of CyberSec's deleted channel is available on the TGStat service. The channel was created in February 2020 and is listed as an official account on the website CyberSec.org. This is the domain of the company of the same name, which describes itself as a team of former hackers who have teamed up to make money on data protection services: "from preventing leaks to responding instantly to threats to your cybersecurity."

"Our company includes the famous lawyer Arkady Bukh, who, if necessary, will come to the rescue and provide advice on any legal issue," the description says.

The same section contains publications about CyberSec on the websites of the Russian version of Forbes, CNN and Fortune. It follows from them that the company was founded in 2015 by Arkady Bukh, a New York lawyer. In the 2010s, he gained a reputation as the main defender of Russian hackers in US courts. Bukh became known as a master of making deals with American intelligence agencies. The harsh U.S. justice system threatened the detainees with years in prison, but Bukh offered his clients minimal punishment in exchange for cooperation with various agencies.

Bukh announced the creation of CyberSec together with Igor Klopov and Dmitry Naskovets, convicted of cybercrimes. Khorokhorin may have become a third partner while still in an American prison. The website CyberSec.org is still listed in Bukh's social networks as his current place of work.

In the "contacts" section on CyberSec.org, Khorokhorin's personal accounts are listed among others. He begins his autobiography with his own characterization from a 2018 interview: "Enchanting inadequacy (the word has been replaced for censorship reasons; editor's note). Was, is and will be."

The 42-year-old citizen of Russia, Ukraine and Israel was born in Donetsk. After the collapse of the Soviet Union, he lived first with his father in Vorkuta, then with his mother in Israel. In 2010, Khorokhorin was detained in Nice at the request of the United States as part of an investigation into CarderPlanet. At first, he resisted extradition, but eventually pleaded guilty and, as Khorokhorin himself later recalled, "turned in many, but not all." After his release in 2017, the US authorities deported him to Israel.

In 2018, Khorokhorin returned to Russia to find independent income in a legal field, but eventually decided to move to Ukraine. He describes his departure as follows: "I threw away the SIM card exactly after I left after a five-hour interrogation at the border, threw it along with juicy spit and obscenities in the direction of the border guards."

Until 2022, Khorokhorin willingly provided comments to the Russian media about his research on FSB websites and Public Services. Now in the description of his Telegram profile is the motto of the Main Intelligence Directorate of the Ministry of Defense of Ukraine: Sapiens dominabitur astris (The Wise One rules the stars). Since 2016, GUR has been using this phrase in defiance of the Russian military intelligence motto "Only the stars are above us."

Arkady Bukh, contacted by Izvestia, said he had no idea his name was mentioned on a website that publishes personal data of Russians for fraudsters. According to Bukh, his partnership with Khorokhorin ended several years ago. "He is no longer a partner in my company, I am not a partner in his business," says Bukh. "Khorokhorin turned out to be too creative for us, I would put it that way. I sold him the domain cybersec.org. Since then, we've been calling each other sometimes, maybe once a year. I used it to advertise my services to our potential customers on relevant forums."

Bukh also told Izvestia that he plans to purge his social networks and website of any mention of cybersec.org in order not to be associated with Khorokhorin's company. Bukh did not comment on the fate of his former client, citing lawyer ethics.

When asked about his ties to the American intelligence services, Bukh replied that he acts primarily in the interests of his clients and always offers them a choice of three options. "The first one is to go to a jury trial and prove your innocence. We really like this option, because it's a lot of work for lawyers, but it will also cost the most, up to $1 million. The second is to admit guilt, but not to turn anyone in. After all, many gangsters believe that then there is a chance to get a 'discount.' For example, not 50 years, but 15. The third option is to offer an interesting project to one of the agencies and get a minimum term, often already spent in prison before the trial."

According to Bukh, a person can propose the creation of a service for laundering cryptocurrencies in order to use it to identify drug traffickers and sellers of child pornography. "I go to the agencies with this and suggest: let's say the FBI is not interested, the CIA is not interested either, and the DEA is interested. Such transactions are classified. Public documents will indicate that the person simply admitted his guilt and received a discount."

Even the United States may prosecute

In March, Russian President Vladimir Putin held a special meeting with the government, the main topic of which was comprehensive measures to combat telephone and Internet fraud. "The damage to citizens, and therefore to the state, from telephone and Internet scams has simply acquired unacceptable proportions, very large. Therefore, we need to act quickly," Vladimir Putin urged.

At the end of March, the State Duma passed an extensive bill that introduces almost 30 new measures to combat phone fraud. These include a ban on government agencies, banks, and telecom operators using foreign messengers, mandatory labeling of calls with the organization's name, a ban on transferring a phone number to third parties, and the ability to restrict the disbursement of cash in case of suspicious transactions.

According to Bukh, telephone fraudsters from Ukraine, if the phenomenon is so widespread, may become subjects of investigations by American intelligence agencies.

"As well as any others. Where there are thousands of victims, there will always be US citizens or American companies," says Bukh, and these, according to him, are already grounds for American jurisdiction. "There are also a lot of people with US citizenship in Russia. One or two victims are enough to complain to the authorities, and then the whole scheme can be investigated."

In his opinion, the issue of prosecuting fraudsters may be raised at the level of political negotiations between Russia and the United States. Usually, such agreements are concluded informally, and then expressed in non-public notes: internal documents of federal agencies that set a certain vector or priorities in investigations, such as terrorists from the Middle East, cybercrime from Eastern Europe, and so on. The Russian Interior Ministry also has its own experience and opportunities for prosecution in other jurisdictions, Bukh believes.

Many cybersecurity experts, in a conversation with Izvestia, assured that Khorokhorin's influence on telephone fraud and hacker attacks was exaggerated by him due to his own vanity and desire to gain popularity within Ukraine.

"If Khorokhorin's confessions of cooperation with call centers are confirmed, this may become the basis for initiating criminal cases under articles on fraud and illegal data trafficking," said Igor Bederov, head of the Internet Search company.

There is no mention of Khorokhorin in the open list of persons wanted by Russia on the website of the Ministry of Internal Affairs, as well as references to his arrest in absentia in court databases. However, in his channel, back in 2023, he claimed that he was aware of searches in the apartments of people associated with him.

Translated by the Yandex Translate service
