In December 2023, KrebsOnSecurity unveiled the real identity of the elusive Russian cybercriminal known as Rescator. Mikhail Shefel, a Moscow resident, is alleged to have trafficked over 100 million stolen payment card details from major retailers such as Target and Home Depot between 2013 and 2014. In a recent interview, Shefel confirmed his involvement with the Rescator persona and attributed his outreach to financial struggles and a desire for publicity for new ventures.
Shefel, who has since changed his legal last name to Lenin, was previously featured in a significant investigation, “Ten Years Later, New Clues in the Target Breach.” This inquiry revealed that at the age of 38, Shefel was serving as the vice president of payments at ChronoPay, a Russian payment processor tied to various fraudulent activities, including promoting counterfeit pharmaceuticals and misleading antivirus software.
Despite the revelations, Shefel reportedly did not respond to requests for comment prior to the publication of the December profile, nor did he address allegations in January 2024 regarding his association with Aleksandr Ermakov, a sanctioned individual connected to the data breach of nearly 10 million Medibank customers in Australia.
However, following KrebsOnSecurity’s report on Shefel’s involvement in a 2012 breach that compromised Social Security and tax information of most South Carolina residents, he began reaching out, aiming to clarify his involvement in various hacking activities. Through multiple text exchanges and video conversations, Shefel admitted to operating several websites between 2013 and 2015 that sold the illicitly obtained data from well-known retailers.
Shefel claims that Dmitri Golubov, a notorious Ukrainian hacker and co-founder of one of the earliest Russian cybercrime forums, was the true orchestrator behind the Target and other retail data breaches. While Golubov could not be reached for comment, Shefel stated that he lacks the evidence needed to substantiate this claim, as he no longer possesses the relevant laptop.
According to Shefel, he and his team developed the malware that Golubov’s group used to infiltrate payment terminals at the targeted retailers. He was then a technical director in Lampeduza, a prominent Russian cybercrime community, an arrangement that underscores how collaborative such operations were. He noted that his nickname at the time was MikeMike and that he had developed significant technologies for Golubov.
KrebsOnSecurity previously identified a Ukrainian hacker named Helkern as Rescator’s initial alias. However, Shefel asserts that Helkern was subordinate to Golubov and facilitated the introduction between himself and Golubov back in 2013. He claims to have profited significantly from card sales before being excluded from the operation following political upheaval in Crimea.
In the wake of the Target breach, Shefel briefly pursued other business ventures, including investments in a now-defunct search engine. As these legitimate businesses faltered, he returned to offering malware development services under the alias Getsend, an attribution partly corroborated by Telegram handles tied to his recent communications.
Now in dire financial straits, Shefel has stressed the urgency of regaining his financial footing while he contends with mounting legal challenges. In February 2024, he and Ermakov were arrested for their roles in a ransomware affiliate program called Sugar, which operated in 2021. Shefel is expected to stand trial in a Moscow court later in 2024. He claims that the program generated no profits and attributes his current legal woes to a personal vendetta by a former associate.
Mapping these events onto the MITRE ATT&CK framework gives defenders a shared vocabulary for the methods used by cybercriminals like Shefel and Golubov: custom malware deployed against payment terminals to gain initial access, persistence sustained through long-running fraud infrastructure, and privilege escalation inside the retailers’ payment systems. For business owners facing the same threats, understanding these tactics is essential to protecting their operations from similar breaches.