Ten Years Later, New Clues in the Target Breach – Krebs on Security


On Dec. 18, 2013, KrebsOnSecurity revealed that the retail giant Target had suffered a significant computer intrusion that compromised over 40 million customer payment cards during the previous month. The malware used in the breach was known as “Rescator,” which was also the handle of the cybercriminal responsible for selling the cards stolen from Target.

Fast forward ten years, and KrebsOnSecurity has found new evidence about Rescator’s real-life identity, including ties to a 2014 breach at P.F. Chang’s. Despite previous indications that Rescator was a hacker from Ukraine, this individual declined to confirm their identity and even offered a $10,000 bribe to prevent the story from being published. Rescator was originally known as “Helkern” on a cybercrime forum called Darklife.

Efforts to identify Rescator were reignited in 2018 after the U.S. Department of Justice named a different Ukrainian man as Helkern. Further evidence pointing to Rescator’s involvement in the Target breach was discovered, such as the presence of the text string “Rescator” in the malware and the sale of stolen cards from the subsequent Home Depot breach.

Subsequent discussions about Rescator’s true identity uncovered evidence from a 2013 story about the author of the OSX Flashback Trojan. These developments pointed to “Rescator,” also known as “MikeMike,” one of Pavel Vrublevsky’s collaborators.

Pavel Vrublevsky, the CEO of the Russian e-payments company ChronoPay, has a long history in cybercrime, including running a pharmacy affiliate spam program. It has been confirmed that Rescator, known as MikeMike, was a close associate of Vrublevsky for a significant period.

The investigation further discovered that the user account “MikeMike” used the email address “zaxvatmira@gmail.com.” This email address was linked to an account created in 2010 on the site searchengines[.]ru under the handle “r-fac1.” That user’s introductory post on searchengines[.]ru advertised musictransferonline[.]com, a website that leaked ChronoPay emails revealed to be affiliated with ChronoPay and Vrublevsky.
