Cybercrime

''PROBIV'': An illegal service used for many purposes

OWN-CERT
-
12/7/2023
OWN Security

Figure 1. Logo of the forum “Probiv”.

Probiv – What is it and where it comes from ?

The Russian word “Probiv”, literally meaning to break through something, is used to advertise a type of illicit service on the Russian-language cybercriminal forums (RLCF). “Probiv” services are in fact a type of investigation that aims to gather as much information as possible about a person or a company thanks to the open-source searches and illegally obtained databases. The aim of a "Probiv" is for example to get the real identity of a target, map his presence on the Internet, obtain his credit record, address, phone numbers and other valuable personal information.  

“Probiv” became a popular scheme on the RLCF during the second half of the 2010s. Only in Russia, according to the statistics of the Russian Judicial Department, 178 people were sentenced for the sale of personal data of their fellow citizens between 2016 and 2018 [1].

Different types of “Probiv” services can be found on cybercriminal forums. The most accessible ones are free Telegram bots that can query openly available or leaked databases. Premium service providers, who have created a lucrative business focused on this activity, are for their part obtaining information about targets in real time from insiders working for them. OWN-CERT observed that these insiders are generally recruited among the employees of mobile operators, banks, and state agencies such as law enforcement of the former USSR States. OWN-CERT also witnessed “Probiv” providers who publicized their capability to obtain personal data of citizens of European, American, or Asian countries.

Figure2. Screenshot from the Russian-language cybercriminal forum “Probiv”. A famous gathering place for malicious actors specialized in this craft.

Malicious actors offering to sell “Probiv” services are generally present on RLCF who allow their members to work on targets located in the former USSR (ed. Not all RLCF allow their members to attack companies or citizens of the former USSR). The most famous among them is the forum “Probiv” who is specialized in this craft and brings together a large number of malicious actors involved in this business. Telegram bots are another way of commercializing “Probiv” services, they will be discussed in the following pages.

Figure 3. “Eye of God” one of the most popular OSINT/Probiv bots available on Telegram.

While free and paid “Probiv” services are easy to find, the goals of customers and the information that is sought can be different.

Finding any information for any purposes

Customers of Probiv services – a substantial variety of motivations – from deanonymizing a rival hacker to catching a cheating spouse

Motivations for purchasing "Probiv" services and the type of information a client is looking for are closely linked. According to OWN-CERT’s observation clients of Probiv services are often malicious actors involved in schemes such as fake documents creation or banking fraud.  

Deanonymizing a rival threat actor or business owner can also be handy to blackmail them or to destroy their reputation. Doxing is indeed widely used as a weapon by Russian-speaking threat actors. The famous threat actor Mikhail Pavolovich Matveev, a.k.a. “Wazawaka”, who was recently sanctioned by the United States because he is a “key actor in the Russian ransomware ecosystem” [2], was himself doxed in 2009 when he just began his hacking activities [3].

Figure 4. The user “ShAnKaR” has shared the real identity of Mikhail Pavolovich Matveev back in 2009.

A recent example of doxing implying the use of “Probiv” service occurred on the 1st of March 2023, when the administrators of the Russian-language drug marketplace Kraken deanonymized three developers of Solaris, a rival drug marketplace. Kraken then released a document containing personal information of Solaris’ employees. It included their passport numbers, ID photos, addresses, current location, phone numbers, email addresses and aliases. All this data could have not been gathered without access to databases belonging to the Russian administration.  

Figure 5. Screenshot of the document released by Kraken on the 1st of March 2023. It exposed three individuals who allegedly took part in the development of Solaris.

Politically motivated activists, journalists and opposition leaders have as well used “Probiv” services to conduct their investigations. It was for example the case of the Russian politician Alexey Navalny, whose team allegedly purchased “Probiv”services to identify the Federal Security Service agents reportedly involved in his poisoning [4].

Eventually, customers of “Probiv” services can be common people such as a spouse wishing to identify if his or her partner is present on dating app.  

Figure 6. A member of the forum is looking for ways to detect the presence of a target on Tinder with its phone number.

Information that can be found by Probiv operators – from credit history to the authorization to leave the country

The number of details and the type of available data that can be obtained through “Probiv” depends on the target’s country. According to the observations of OWN-CERT, Russia, Ukraine, Belarus and Kazakhstan are the most frequently mentioned countries where “Probiv” service providers can find information. Other countries, as the EU member States are nevertheless also targeted although not as extensively as Russia.  

In the former USSR countries “Probiv” services can obtain almost all personal information from any bank or mobile phone provider. Almost any administrative databases, including the ones belonging to the police are as well accessible for these malicious actors.  

Figure 7. Example of data that can be obtained from banks.
(Automatically translated from Russian)

Figure 8. Example of data that can be obtained from mobile operators.
(Automatically translated from Russian)

Since the beginning of the “Special military operation” in February 2022, some Russian citizens are afraid of being mobilized and sent to the war in Ukraine. “Probiv” sellers are exploiting this situation and are selling for 15,000 roubles (172 euros – May 2023) information about travel bans.  

Figure 9. Example of “Probiv” service advertisement.

Almost any public database is available for “Probiv” for a few thousand roubles. Currently “Probiv” services have for example access to databases of the Ministry of Interior of Russia, the pension fund, the federal tax system and many others.

 

Figure 10. Example the available administration’s databases.
(Automatically translated from Russian)

Some malicious actors are also selling personal information of EU citizens. Interpol and Europol seem to be infiltrated by insiders working for “Probiv” service providers. It is also possible to identify if a person possesses citizenship of an EU State, a banking account or real estate.

Figure 11. A Probiv” service provider advertised his ability to obtain data of EU citizens.
(Automatically translated from Russian)

Now that we have seen some of the most common types of services that can be obtained through a “Probiv” provider let’s try to understand how these illegal services operate.

The mechanisms behind the Probiv business – stolen databases, insiders and telegram bots

Access to an extensive amount of personal information is possible thanks to a constant gathering of leaked and stolen databases. Furthermore, “Probiv” service providers are permanently recruiting insiders from the administration, law enforcement agencies and private businesses.

Probiv providers’ constant quest for new databases and insiders

Aggregation of leaked personal information and purchase of newly stolen and leaked data is a permanent necessity for “Probiv” service providers. Below a section of the forum Dublikat is dedicated to the sale of databases.  

Figure 12. A section of the Dublikat forum devoted to the sale of databases with personal data.
(Automatically translated from Russian)

These databases can belong to shops or banks and telecom companies, or even online trading brokers.  

Figure 13. A threat actor is selling several databases among which one contains information about Forex users.  

 

The recruitment of insiders is another criterion of success for “Probiv” service providers, as it allows them to obtain almost any type of information about a citizen of a country of the former USSR.  

Figure 14. A threat actor searching for social networks employees.

Several cybercriminals do not hesitate to try to recruit officials from Europe. Interpol and Europol employees are among the personnel that are looked for. Moreover, online payment services, social networks, and instant messenger companies areas well targeted by threat actors wishing to recruit insiders.  

Figure 15. A threat actor looking for Interpol and Europol insiders
(Automatically translated from Russian)

Telegram “OSINT”and “Probiv” bots – the democratization of deanonymization services

Once the data is gathered, “Probiv” service providers have several ways to monetize it. Lately Telegram has become a powerful tool for all types of cybercriminals, as it not only offers a way to communicate easily but is also an automation tool. Instead of handling every client directly some malicious actors have decided to simply create a bot and sell automatically queries for a dozen roubles.  

These Telegram bots could be a useful OSINT tool for investigators looking for data about a target located in eastern Europe. Indeed, while owners of "Probiv" Telegram bots do not contact insiders to gather data about a particular target, their services are also much cheaper and offer access to leaked and stolen databases containing Personal Identifiable Information. Generally, this kind of bot can search for an email, a name, a phone number, an IP address, an alias or even a numberplate. The advantage of these bots is their ability to gather substantial amounts of data in one place. Nevertheless, passwords are usually not included in the results, and for some paid bots a Telegram account created with a Russian phone number is necessary.  

 

Figure 16. One of many "Probiv" services that can be found on Telegram.

OWN-CERT has recently published on its Twitter account a list of 10 Telegram bots that are used to find personal data. Do not hesitate to have a look if you want to learn more!

Figure 17. Probiv/OSINT Telegram bots.

One of these Probiv/OSINT Telegram bots is the infamous Eye of God, created by the Russian citizen Mr. Evgenii Viacheslav Antipov [5], but that is a story for another time.

Profile picture of Mr. Antipov’s Telegram account.
Figure 18. Profile picture of Mr. Antipov’s Telegram account.

[1] ‘“Пробить по-быстрому”: кто и как сливает личные данные россиян’, BBC News Русскаяслужба, 25 April 2019, https://www.bbc.com/russian/features-48037582.

[2] ‘Alleged Babuk Ransomware Gang Leader “Wazawaka” Indicted,Sanctioned by US’, accessed 17 May 2023, https://therecord.media/alleged-babuk-ransomware-leader-sanctioned-and-indicted-by-us.

[3] ‘ДДОСФорума. Надо Наказать Виновного.’, ANTICHAT - Security online community,accessed 8 October 2022, https://forum.antichat.com/threads/128304/.

[4] ‘“Пробивщики”, передавшие Навальному данные для расследований,получили сроки’, BBC News Русская служба, accessed 17 May 2023, https://www.bbc.com/russian/news-60351641.

[5] ‘«Еслинужно будет рассказать, как кто-то из вас нарушает закон, я это сделаю»Интервью создателя «Глаза Бога» Евгения Антипова — об отравлении Навального,сотрудничестве с силовиками и грядущей войне с Telegram’, Meduza, accessed 1June 2023, https://meduza.io/feature/2021/07/12/esli-nuzhno-budet-rasskazat-kak-kto-to-iz-vas-narushaet-zakon-ya-eto-sdelayu.

Partager l'article :

Your OWN cyber expert.