Full Report
In December 2023, KrebsOnSecurity revealed the real-life identity of Rescator, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from Target and Home Depot between 2013 and 2014. Moscow resident Mikhail Shefel, who confirmed using the Rescator identity in a recent interview, also admitted reaching out because he is broke and seeking publicity for several new money-making schemes.
Analysis Summary
# Threat Actor: Rescator (Mikhail Shefel/Lenin)
## Attribution & Identity
* **Primary Identity:** Mikhail Shefel (now legally changed to Lenin), a Moscow resident.
* **Known Aliases:** Rescator (used when selling stolen payment cards), MikeMike, Getsend (when offering malware coding services for hire).
* **Known Associations:** Claimed to have worked closely with infamous Ukrainian hacker **Dmitri Golubov** (formerly of Carderplanet). Also ran an IT company with **Aleksandr Ermakov** (sanctioned for the Medibank breach).
## Activity Summary
* **2012:** Allegedly responsible for the theft of Social Security and tax information from a majority of South Carolina residents.
* **2013–2014:** Sold over 100 million payment cards stolen from major retailers like **Target** and **Home Depot**.
* **2013–2015:** Operated several websites selling stolen payment card data.
* **Post-2014:** Claimed to have been pushed out of the payment card data business by Dmitri Golubov.
* **Recent Activity (Post-2022):** Reverted to offering malware coding services under the alias "Getsend" to make money, and recently sought publicity/business partners.
## Tactics, Techniques & Procedures
* Developing and selling card-stealing malware installed on compromised retail payment terminals.
* Operating underground forums/websites to sell bulk stolen data.
* (Implied/Claimed Association): Involvement in the development and dissemination of early ransomware strains, including **Cryptolocker**.
## Targeting
* **Sectors:** Retail (Payment Processing), Government (Tax/SSN records).
* **Geography:** Initially focused on U.S. retail victims (Target, Home Depot), and U.S. state residents (South Carolina).
* **Victims:** Target, Home Depot, a number of other nationwide retail chains, South Carolina residents.
## Tools & Infrastructure
* **Malware Families Used:** Card-stealing malware developed for use on payment terminals. Claimed association with early ransomware strains like Cryptolocker.
* **Infrastructure:** Ran various websites for selling data between 2013–2015. Later operated under the Telegram handle associated with the alias "Getsend."
## Implications
The subject, Rescator, is a long-term, high-volume data exfiltration actor whose activities span nearly a decade, impacting millions of consumers through major retail breaches. Despite his high-profile past, he is currently seeking new criminal enterprises, indicating an ongoing risk that he will apply his technical knowledge to new schemes. His claims regarding Dmitri Golubov's involvement hint at connections to some of the earliest major Russian-language cybercrime forums and potentially to advanced initial access techniques, though these claims remain unverified by the evidence provided.
## Mitigations
* Organizations should ensure rigorous segmentation and hardening of POS and payment processing environments, with controls specifically aimed at malware that scrapes card data from terminals (point-of-sale malware).
* Maintain advanced behavioral monitoring for large-scale data exfiltration events, particularly following initial network compromise.
* Be wary of unsolicited contact from known or suspected cybercriminals seeking new business partnerships or offering services, as this can be a reconnaissance or recruitment effort.
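As an added illustration of the monitoring the second mitigation calls for (example code written for this summary, not from the original report): a small detector that scans outbound records for Track 2 magnetic-stripe data and bare Luhn-valid PANs, the form in which POS memory-scraping malware exfiltrates card data, and raises an alert once the number of hits crosses a threshold. The sample records, the regexes and the threshold are constructed assumptions, and the card numbers are standard test numbers.

```python
import re

# Constructed sample records standing in for outbound payloads seen by a
# network or host monitor; none of this is taken from the original report.
SAMPLE_RECORDS = [
    "POST /upload id=7 data=;4111111111111111=25121011234000000?",  # Track 2
    "GET /health ok",
    "POST /upload id=8 data=5555555555554444|1226|Main St",          # bare PAN
    "POST /upload id=9 data=1234567812345670",  # Luhn-valid, flagged as well
    "log: order 4111111111111112 rejected",     # fails Luhn, ignored
]

# Track 2 layout: ';' PAN '=' YYMM service-code/discretionary data '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\??")
# A bare 13-19 digit run not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_data(record: str) -> list:
    """Return (kind, pan) tuples found in one record."""
    hits = [("track2", m.group(1)) for m in TRACK2_RE.finditer(record)
            if luhn_ok(m.group(1))]
    # Strip Track 2 spans first so their PAN/expiry are not re-counted as bare PANs.
    rest = TRACK2_RE.sub(" ", record)
    hits += [("pan", m.group(1)) for m in PAN_RE.finditer(rest)
             if luhn_ok(m.group(1))]
    return hits


def scan(records, threshold: int = 2) -> dict:
    """Aggregate hits across records; alert when the count reaches the threshold."""
    hits = [(i, kind, pan) for i, r in enumerate(records)
            for kind, pan in find_card_data(r)]
    return {"hits": hits, "alert": len(hits) >= threshold}


if __name__ == "__main__":
    print(scan(SAMPLE_RECORDS))
```

Any Luhn-valid digit run of card length is reported, so expect some false positives from order or account numbers; the threshold and the Track 2 framing are what turn isolated matches into an exfiltration alert.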