Hunting The Secret Service’s $10M Joker: Timur Kamilevich Shakhmametov

The U.S. Secret Service, in collaboration with the U.S. Department of State, is offering a significant reward of up to $10 million for information that leads to the arrest and/or conviction of Timur Kamilevich Shakhmametov.

On September 26, 2024, the U.S. Attorney’s Office for the Eastern District of Virginia publicly announced an unsealed indictment against Shakhmametov, a Russian national, who was charged with serious crimes related to the establishment and management of Joker’s Stash. This notorious website was notorious for its focus on the illicit sale of stolen payment card data. According to the U.S. Secret Service, Joker’s Stash operated on a massive scale, making available information from approximately 40 million stolen payment cards each year. Over its operational period, this marketplace emerged as one of the largest carding platforms in history, facilitating the trade of millions of payment card details. Analysts estimate that the profits generated from this criminal enterprise could range from an astounding $280 million to more than $1 billion.

Shakhmametov faces multiple charges, including one count of conspiracy to commit and aid and abet bank fraud, one count of conspiracy to commit access device fraud, and one count of conspiracy to commit money laundering. The severity of these charges highlights the extensive impact of his actions on the financial security of individuals and institutions alike.

Background Joker’s Stash opened in 2014 and is one of the oldest ongoing compromised credit card shops on the internet. It has become a notable presence in various illicit cyber schemes, gaining recognition for its significant breaches of credit card information. In the past year, Joker’s Stash has been linked to selling compromised credit card information from point-of-sale transactions at Dickey’s Barbecue Pit, Champagne French Bakery and Cafe, and Wawa Inc.

What sets Joker’s Stash apart from its competitors is the freshness of the cards it offers, which assesses the validity of the card data. They also claim to source their card information through “exclusive self-hacked databases.” Additionally, they are unique in their choice to host their shop on blockchain DNS, and in April 2020, they expanded their operations by adding Tor domains to the shop.

Compromised payment card information available in underground card shops can be classified into two categories:

1. Dumps: These are skimmed track details from a physical card, obtained using a skimmer or point-of-sale (POS) malware.

2. Cards: This refers to data gathered from intercepted network traffic that can be used for online purchases.

While the reasons for the closure have not been explicitly stated, it is suspected that the administrators decided to shut down the site due to concerns about potential intrusions from federal authorities. A coordinated police operation by the FBI and Interpol resulted in the seizure of multiple servers belonging to Joker’s Stash, which temporarily disrupted the site’s operations. Additionally, the agencies seized four of Joker’s Stash domains, further impacting its ability to function.

• jstash.bazar

• jstash.lib

• jstash.emc

• jstash.coin
  

  

  Active since 2014, the Joker's Stash carding platform has been implicated in numerous data breaches, trading and exposing millions of users' financial information on the dark web. The operators of this platform have illegally profited by hundreds of millions of dollars using the stolen information.

  
  

  There have been multiple security incidents involving cybercriminals trading stolen credit card data on Joker's Stash. The threat intelligence company Gemini Advisory reported that hackers stored payment card details of Wawa customers on the platform. Wawa confirmed that hackers attempted to sell the card information of customers impacted by a security breach that occurred on December 10, 2019. This breach affected the data of 30 million Americans and over one million individuals from more than 100 other countries.
  

  

  

  Timur Shakhmametov is accused of operating a notorious cybercriminal marketplace known as Joker’s Stash, which U.S. authorities allege generated hundreds of millions of dollars in profits from selling stolen payment card information. Neither Shakhmametov nor his accomplice is currently in U.S. custody, and the State Department is offering a reward of $10 million for information that leads to their arrest or conviction.

   

  Shakhmametov is alleged to have helped run "carding" websites like Joker’s Stash that sell stolen credit and debit card information. These sites have been linked to financial data stolen from tens of millions of Americans, according to U.S. law enforcement. Additionally, millions of dollars in ransomware payments and darknet drug sales have reportedly flowed through cryptocurrency accounts associated with the services provided by Ivanov, another individual involved in this operation.

   

  For years, the U.S. government has attempted to persuade Russia to take action against cybercriminals operating from its territory, often with little success.

   

  Joker’s Stash was a dominant force in the Russian-speaking criminal underground for many years. The crime forum advertised data stolen from significant breaches of U.S. corporations. The Justice Department claims that Shakhmametov used various online crime forums to promote Joker’s Stash and its vast collection of stolen data.

   

  After U.S. and European law enforcement agencies seized some computer servers associated with Joker’s Stash, the forum announced its shutdown in 2021. However, the hunt for the two Russian men by U.S. law enforcement continues.
  

What is already known

Full name: Timur Kamilevich Shakhmametov / Тимур Камильевич Шахмаметов

Aliases: “JokerStash”, “Vega”, “vip”, “v1pee”, “ViperSV”

Nationality & Citizenship: Russia

Height, Weight, hair color, eye color: 5’9”, 180 lbs, Brown

This is one of the websites operated by Shakhmametov.

Then we began OSINTing

Our first course of action involved shifting our focus away from the images of Shakhmametov that had been released by the U.S. Secret Service. In our search for more recent and relevant images, we came across a captivating photograph of him taken during an anniversary celebration in Novosibirsk. This vibrant city, known for being the third largest in Russia, is situated to the north of Kazakhstan, rich in culture and history, and serves as an important hub in Siberia.

Pivoting from known information

We initiated an extensive search for Shakhmametov utilizing advanced Open-Source Intelligence techniques. Our efforts led us to uncover Shakhmametov's known alias, “JokerStash,” which surfaced in the notorious “CardMafia” database that was compromised in 2021. Carding Mafia is an underground forum notorious for the theft and trade of stolen credit card information, and it suffered significant data breaches in both March and December of that year. These breaches resulted in the exposure of sensitive user information, including email addresses, usernames, IP addresses, and passwords that were stored as salted MD5 hashes.

This data provided us with two key insights. Firstly, it allowed us to correlate Shakhmametov with a well-known website involved in illicit activities. Secondly, we discovered a new email address associated with him: jstashhhh@yandex.ru. Furthermore, we identified his last recorded activity on the platform using this account, which occurred on February 1, 2021. In another breach, we successfully linked the alias “JokerStash” and the newly found email address to several IP addresses: 185.61.137.100 in Lilystad, Netherlands; 185.162.10.129 and 185.162.10.198 both traced back to Sofia, Bulgaria. Our investigation also uncovered crucial personal information, identifying Shakhmametov's driver’s license, national ID number, Tax ID, and a passport issued by the Department of Internal Affairs of the Leninsky District of Novosibirsk. This confirmed that he is, in fact, a Russian national residing in Novosibirsk.

In addition, we located several other email addresses: shahmametov@list.ru, gsgs.2021@list.ru, shaxmametov.timur@bk.ru, and 79139511590@monetnaya-lavka.ru. We were able to trace these emails to different platforms, including Skype, Microsoft, and Vivino. Our search also led us to two phone numbers: 9139511590 and 79133709629, both associated with accounts on messaging and social media platforms such as WhatsApp, CallApp, and VK.

The VK account stood out in particular, as it was used as a sock puppet under the alias Spiridon Krasnokonev. Notably, the last recorded activity on this account was on March 10, 2024, which provides further context to Shakhmametov’s online presence and activities.

Upon examining the extensive list of phone numbers and email addresses we managed to uncover, it's quite intriguing to note that they were not utilized to create a significant number of accounts. Typically, one would anticipate a rich trove of data when investigating such a large volume of personally identifiable information (PII). This observation becomes even more fascinating as it suggests that Shakhmametov possesses a strong understanding of his operational security (OPSEC) measures, showcasing his efforts to maintain a degree of anonymity and protect his personal information from potential exposure.

Where is Shakhmametov located?

Shakhmametov acquired his passport and driver's license in Novosibirsk, a prominent city in Russia's Siberian region. At the time he received his driver's license, his official registered address was located at Ulitsa 9 Gvardeyskoy Divizii, apartment X, unit XXX, within the lively neighborhood of Novosibirsk. This information provides insight into his identity and residence.

It is reasonable to assume that the majority of individuals secure their driver's licenses at a relatively young age. This detail suggests that the address in question likely dates back to the early stages of the individual’s life. Furthermore, the building itself does not possess the characteristics one might expect of a hideout for a multimillion-dollar criminal - its appearance is decidedly unremarkable.

Through our investigation, we successfully identified the banking services utilized by the individual. We discovered three accounts registered under the name of ‘Alfa-Bank’. Notably, in October 2024, prominent Ukrainian hacker groups KibOrg and NLB, working in conjunction with Ukraine's Security Service (SBU), executed a significant breach of Russia’s largest private financial institution, Alfa-Bank. They claimed to have accessed the personal information of more than 30 million customers, including sensitive data such as names, dates of birth, account numbers, and phone numbers (https://novayagazeta.eu/articles/2024/01/08/hackers-publish-personal-data-of-20-million-alfa-bank-customers-en-news).

When constructing a timeline based on data breaches, it’s essential to exercise caution. For instance, a breach involving Facebook in 2024 does not necessarily indicate that an account was created in that year; it could have been established at any point prior. However, with regard to bank accounts, it seems highly improbable that an individual would have an account without actively using it. This context leads us to believe that the information retrieved from the Alfa-Bank breach is likely quite recent and accurately reflects the individual's current status.

Upon correlating the data, we identified the following addresses: Новосибирск, Кедровая улица, 41 and Новосибирск, улица Галущака, both situated in the city center of Novosibirsk. 

Shakhmametov runs a multimillion-dollar mobile game app scheme

Recent investigations led by cybersecurity expert Brian Krebs reveal troubling information about Shakhmametov, the head of a mobile game app development company known as Arpaplus. In the year 2023 alone, Arpaplus generated a staggering revenue of $1,143,570.87 and continues to remain operational, indicating its significant presence in the mobile app market. As evidence of its popularity, Arpaplus boasts an impressive 8 million downloads across various platforms.

A closer examination of user reviews highlights a worrying trend: many downloads come from individuals in Nordic countries. This is particularly concerning given Shakhmametov's notorious background involving credit card theft and the distribution of infostealers. We strongly advise extreme caution when dealing with the apps developed by Arpaplus, as there is a substantial risk that sensitive information, including credit card details, could be compromised.

For those interested, the mobile applications developed by Arpaplus can be found at https://play.google.com/store/apps/developer?id=ARPAPLUS&hl=da, but it is imperative to approach these downloads with skepticism and care.

Moreover, it is noteworthy that the Arpaplus website is hosted on a server identifiable by the IP address 185.193.90.36. This server is also home to www.fashion.girls.co.com, a site that has achieved tens of millions of downloads. Our investigations suggest a pattern, as several reviews indicate that users from Denmark and other Nordic regions frequently engage with the gaming apps associated with Arpaplus. This raises further suspicion that Fashion Girls, another app in the catalog, may also be operated by Shakhmametov.

“Arpaplus” is located in the center of Novosibirsk.

Introducing the most recent picture of Timur Kamilevich Shakhmametov 

Through a comprehensive analysis of Social Media Intelligence, we successfully uncovered the family members of Shakhmametov, which led us to their VK accounts and a wealth of previously unseen photographs.

Identifying new images of Shakhmametov was not a straightforward task. We required access to his social networks and his close circle of friends. Although the target may employ strict operational security measures, our experience indicates that friends and family members often have a more relaxed approach to what they share online.

We identified one of Shakhmametov’s former addresses, which was linked to his phone number. As shown in the Predicta Graph below, his phone number was associated with an order from an online shoe store. This order was connected to an email address belonging to Shakhmametov’s wife. Through in-depth social media intelligence (SOCMINT), we successfully discovered Shakhmametov’s wife’s VK, OK and Instagram accounts. These accounts featured recent images of Shakhmametov, offering valuable insights into his whereabouts. We created a graph on Predicta Graph to follow up:

In the picture below, we can clearly see our Person of Interest (POI), with his wife sitting on the right. However, we do not disclose her face as we do not involve family members in our investigations.

In the image above, Shakhmametov enjoys the restaurant "Leto/Лето" located in the heart of the woods in Novosibirsk. The venue, known for its opulent décor and refined atmosphere, exudes a sense of luxury and extravagance, as showcased in photos from its Instagram page. The scene is set in April 2024. We analyzed social media accounts and found a picture of one of his family members celebrating at a restaurant. Below is the object comparison.

We have located the restaurant and found updated satellite imagery of its location.

Shakhmametov leads a life of opulence and excess, indulging in the finest luxuries that wealth can offer. His extravagant lifestyle is marked by lavish parties, designer clothes, and high-end cars, all of which are a stark contrast to the suffering he has caused. As a notorious kingpin in the world of cybercrime, he has amassed an immense fortune, a chilling testament to the dark underbelly of his operations. Millions of innocent individuals have fallen victim to his schemes, grappling with financial ruin and emotional distress as a direct result of his malicious activities. The impact of his actions is profound, leaving a trail of hardship that underscores the heavy price of his greed. In this picture, we can see Shakhmametov sitting next to his alleged wife on the right in a red shirt, that we found through social media analysis.

We created a collage using pictures from the past few years found through OSINT on his family members' social media accounts.

A big shout out to our partners, Silent Push, for enhancing the efficiency of DNS pivoting! Additionally, we appreciate District 4 Labs for providing us with access to their incredible platform -"Darkside"! This is not a paid advertisement.

References: - https://www.state.gov/reward-for-information-timur-kamilevich-shakhmametov/ - https://www.secretservice.gov/sites/default/files/reports/2024-09/SHAKHMAMETOV-Timur-Reward-Combined.pdf - https://krebsonsecurity.com/2024/09/u-s-indicts-2-top-russian-hackers-sanctions-cryptex/ - https://home.treasury.gov/news/press-releases/jy2616 - https://www.justice.gov/opa/pr/two-russian-nationals-charged-connection-operating-billion-dollar-money-laundering-1 - https://edition.cnn.com/2024/09/26/politics/us-russians-accused-money-laundering-schemes/index.html - https://cyberscoop.com/jokers-stash-card-forum-shut-down-dark-web/ - https://www.predictagraph.com/graph/snapshot/6f6fb8ea-4aa5-4cec-bd73-1cead6863d00 - https://flashpoint.io/wp-content/uploads/Indictment-USA-v.-Sergey-Sergeevich-Ivanov-and-Timur-Kamilevich-Shakhmametov.pdf © Copyright 2024 | OSINord.