Friday, October 24, 2014

Perpetrator Profile (aceboogie145)

This post is a peek into the private operations of an active carder.

He was found in the database of RDP-Shop.RU, where he had been purchasing access to hacked servers. He would then log in to those servers and use them as a proxy to conceal his true location while committing the fraud detailed here. He works with a group of fraudsters who manage 'mules' and 'drops', the people used to withdraw money transfers and to reship goods purchased with stolen credit cards.


Purchased access to hacked RDP servers to use for:
  • Payment card fraud (purchases with stolen credit cards)
  • Income tax fraud
  • Wire fraud
  • Identity theft

South Florida, USA
Port Saint Lucie, FL
Hollywood, FL
Miami, FL
(emails from dating websites he had signed up for show him in South Florida in May 2014) 

highest balance on RDP-Shop.RU

select * from `users` order by `balance` desc;

Top row (the dump has 15 columns; the row as captured shows 14 values, so either email or ips is blank):
username:          aceboogie145
password:          59b6309e95043752b675f4a86c89158d
icq:               null
email / ips:       xxx (one redacted, the other blank)
regdate:           2014-03-16 10:10:35
lastlogin:         2014-09-21 09:21:54
failedlogin:       0
balance:           53.00
checkercredits:    0
lastip:            xxx
amount_purchased:  0
amount_refunds:    0
admin:             0
banned:            0
aceboogie6 sage2323
aceboogie145 sage2323

64 hacked RDPs purchased


Colorado Department of Revenue - Tax Return Fraud

LexisNexis Corporate Account

Mules. $1900 per week. 
"the others you can do the $2500 a week, 5k a month."

Attachments from emails:

IRS Tax Refund Fraud - $9,190

2x Apple iMac 21.5 inch Desktop
(one for the drop mule to keep, one reship to carder)

Package drop address from above shipment. Miami, FL

Other email:

Email contact list:

Sunday, October 19, 2014

Hacked: RDP-Shop.RU

"the black online shop"

This shop was selling login credentials to hacked Windows servers (Terminal Services/RDP).

Criminals usually purchase access to these hacked servers and use them for activities such as spamming or making online purchases with stolen credit cards. Only after gaining administrative access to this particular black market and closely researching some of its prolific users did it become clear that these 'traditional' internet fraud activities are being supplemented by more lucrative schemes.

The crooked customers of this website have been observed committing identity theft, wire/bank transfer fraud, and federal and state income tax fraud: filing a fraudulent income tax return online and directing the refund to an account the thieves control. Some prefer to receive the stolen refund as a VISA debit card mailed to a 'drop' inside the U.S.

To the fraudsters, the value of using hacked servers this way is the proxy layer it puts between them and their activity, which makes attribution back to the original source harder. The criminal's true location could be Lagos or Los Angeles, but the activity originates from a computer in another country that they are remotely controlling. The servers are cheap and practically disposable. Access to them is volatile, however, because the real owner of the server can (and usually does) discover the illegal activity: every RDP session leaves a logon record with its source address on the server itself.
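From the server owner's side, the discovery the paragraph above mentions usually starts with the logon log. The following is an added example, not code from the original post or from the shop: it scans constructed records modelled on Windows Security event 4624 (successful logon, where LogonType 10 is RemoteInteractive, i.e. RDP) and flags RDP sessions from outside an assumed administrator address range, plus accounts whose RDP sessions arrive from more distinct outside addresses than one legitimate administrator would plausibly use. The field names follow the 4624 schema; the sample values, the trusted range and the threshold are assumptions for illustration.

```python
"""Added example: detecting a hacked Windows server being driven over RDP
from unexpected locations. Not part of the original post."""
import ipaddress
from collections import defaultdict

# Constructed sample records in the shape of event 4624 fields:
# (TimeCreated, EventID, LogonType, TargetUserName, IpAddress).
# LogonType 10 = RemoteInteractive (RDP); 2 = Interactive; 3 = Network.
SAMPLE_EVENTS = [
    ("2014-09-20T01:12:03", 4624, 10, "Administrator", "198.51.100.23"),
    ("2014-09-20T03:40:11", 4624, 10, "Administrator", "203.0.113.77"),
    ("2014-09-20T09:05:49", 4624, 10, "Administrator", "10.0.0.15"),
    ("2014-09-20T14:22:30", 4624, 10, "Administrator", "192.0.2.140"),
    ("2014-09-20T15:01:02", 4624, 2, "svc_backup", "-"),         # console logon, no source IP
    ("2014-09-20T16:45:17", 4624, 3, "svc_backup", "10.0.0.9"),  # network logon, not RDP
    ("2014-09-20T22:13:55", 4624, 10, "Administrator", "198.51.100.23"),
]

# Assumption: the owner's administrators only RDP in from this range.
ADMIN_RDP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

RDP_LOGON_TYPE = 10


def is_trusted_source(ip_text):
    """True when the source address falls inside an approved admin range.
    Event 4624 records '-' when there is no network source."""
    if ip_text in ("-", ""):
        return False
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ADMIN_RDP_NETWORKS)


def find_suspicious_rdp_logons(events, max_distinct_sources=2):
    """Return (untrusted, hopping):
    untrusted - every RDP (type 10) logon whose source is not an admin range
    hopping   - accounts whose RDP sessions came from more distinct untrusted
                addresses than max_distinct_sources (heuristic: a proxy
                customer connects from wherever they happen to be)."""
    untrusted = []
    sources = defaultdict(set)
    for ts, event_id, logon_type, account, src in events:
        if event_id != 4624 or logon_type != RDP_LOGON_TYPE:
            continue
        if is_trusted_source(src):
            continue
        untrusted.append((ts, account, src))
        sources[account].add(src)
    hopping = {acct: sorted(ips) for acct, ips in sources.items()
               if len(ips) > max_distinct_sources}
    return untrusted, hopping


if __name__ == "__main__":
    logons, hopping = find_suspicious_rdp_logons(SAMPLE_EVENTS)
    for ts, account, src in logons:
        print(f"{ts} RDP logon for {account} from untrusted {src}")
    for account, ips in hopping.items():
        print(f"{account}: RDP from {len(ips)} distinct untrusted IPs: {', '.join(ips)}")
```

On a real server the same logic runs over the Security log exported from Event Viewer or PowerShell; the two findings together (outside source plus several distinct outside sources for one account) are what distinguishes a server being rented out from an administrator working from home once.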

There are a handful of shops selling hacked or stolen digital goods like this one, and they are becoming a more popular venture for enterprising criminals. The trend is likely related to the recent major data breaches, which have handed the criminal underground a wealth of personal information and pave the way for a cascade of fraud and theft.

[ More developments on this research will be posted soon ] 

main login screen index page

Users of Lampeduza looking for RDP shops.

'Wino' an admin of


Ok, so after some work we now have administrative access.

Let's look around.

Bitcoin config:
// config Blockchain account
$system = "bitcoin";
$btc = 600;
$guid = 'b6b013ef-62ca-4561-811d-1aa6b2736d43';  // Blockchain account
$main_password = 'Drilonial123.'; // Blockchain pass
$second_password = 'Winoal123..'; // Blockchain pass
$rate = 600;



The back end of the shop was a MySQL database. Passwords were stored as salted 32-hex-character hashes (salt = fs978).
The database contained the login credentials and IP addresses of the hacked RDP servers being sold, along with the shop's user records.

The picture below is a list of the shop's users sorted by balance, highest first. (Users deposit bitcoin to their shop account; the resulting balance is what purchases are made from.)

select * from `users` order by `balance` desc;

RDP-Shop.RU High Roller:


Read more about this perpetrator here.


Admin accounts (admin = 1). Columns: username, password, icq, email, ips, regdate, lastlogin, failedlogin, balance, checkercredits, lastip, amount_purchased, amount_refunds, admin, banned
('drilon', '925a55978b473420d3d07e40bf102941', '123456', '', '', '2011-10-01 23:03:49', '2014-09-11 06:15:40', '0', '0.00', '0', '', '5', '0', '1', '0')
('Wino', '83275c8093a8e9ca03434bc590d2c151', '123456', '', '', '2013-03-06 14:48:07', '2014-09-24 19:27:15', '0', '0.00', '0', '', '0', '0', '1', '0')

Admin Area: 
(update 3/29/15 - forgot to post these admin screenshots)


Main Database dump:
if you have a legit need for this, email me.

Support database dump:
if you have a legit need for this, email me.

Plain text user:password list:
sorry, not sharing this data.  
ProTip: Add some code to the login form processor so that it writes the form input to a file before the hashing and voilà, no need to crack hashed passwords ;-)
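For the cases where the plaintext was not logged, the hashes still have to be cracked offline. The following is an added example, not code from the original post: it checks a wordlist against the shop's salted hashes using the salt given above (fs978). The post does not say which hash algorithm or salt position the shop used, so the script tries MD5 with the salt prefixed and suffixed (and unsalted MD5 for contrast) as assumptions; a hash produced by any other construction simply yields no match. The aceboogie145 hash from the user table and the plaintext later logged for that account are supplied as inputs, and whether one of the assumed constructions reproduces that hash is reported by the run, not asserted here.

```python
"""Added example: offline check of salted password hashes from the shop's
user table. Not part of the original post."""
import hashlib

SALT = "fs978"  # the salt reported in the post

# Candidate hash constructions. The post gives the salt and the 32-hex
# hash length but not the algorithm or salt position, so these are assumed.
SCHEMES = {
    "md5(salt+pw)": lambda pw: hashlib.md5((SALT + pw).encode()).hexdigest(),
    "md5(pw+salt)": lambda pw: hashlib.md5((pw + SALT).encode()).hexdigest(),
    "md5(pw)":      lambda pw: hashlib.md5(pw.encode()).hexdigest(),  # unsalted, for contrast
}


def crack(target_hash, wordlist):
    """Return (plaintext, scheme_name) for the first wordlist entry and
    construction that reproduce target_hash, or None if nothing matches."""
    target = target_hash.lower()
    for pw in wordlist:
        for name, fn in SCHEMES.items():
            if fn(pw) == target:
                return pw, name
    return None


def crack_many(records, wordlist):
    """records: iterable of (username, hash). Returns {username: (pw, scheme)}
    for every account whose hash was reproduced."""
    found = {}
    for user, h in records:
        hit = crack(h, wordlist)
        if hit:
            found[user] = hit
    return found


if __name__ == "__main__":
    # Hash from the user table row for aceboogie145; the plaintext logged
    # for that account later in the post is included in the wordlist.
    records = [("aceboogie145", "59b6309e95043752b675f4a86c89158d")]
    wordlist = ["123456", "password", "sage2323"]
    result = crack_many(records, wordlist)
    print(result if result else "no match with the assumed constructions")
```

A single short salt shared by every user, as here, only defeats precomputed tables for the plain algorithm; once the salt is known from the source, each guess still costs one MD5 per construction, so a modest wordlist covers the weak passwords seen in the dump.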

250+ email addresses from user table:

Drilon (admin)