Thursday, May 19, 2022
HomeCyber SecurityWho's the Community Entry Dealer ‘Wazawaka?’ – Krebs on Safety

Who’s the Community Entry Dealer ‘Wazawaka?’ – Krebs on Safety

In an amazing many ransomware assaults, the criminals who pillage the sufferer’s community are usually not the identical crooks who gained the preliminary entry to the sufferer group. Extra generally, the contaminated PC or stolen VPN credentials the gang used to interrupt in have been bought from a cybercriminal intermediary often called an preliminary entry dealer. This put up examines among the clues left behind by “Wazawaka,” the hacker deal with chosen by a significant entry dealer within the Russian-speaking cybercrime scene.

Wazawaka has been a extremely lively member of a number of cybercrime boards over the previous decade, however his favourite is the Russian-language neighborhood Exploit. Wazawaka spent his early days on Exploit and different boards promoting distributed denial-of-service (DDoS) assaults that would knock web sites offline for about USD $80 a day. However in more moderen years, Wazawaka has centered on peddling entry to organizations and to databases stolen from hacked firms.

“Come, rob, and get dough!,” reads a thread began by Wazawaka on Exploit in March 2020, through which he offered entry to a Chinese language firm with greater than $10 billion in annual revenues. “Present them who’s boss.”

In keeping with their posts on Exploit, Wazawaka has labored with a minimum of two completely different ransomware affiliate packages, together with LockBit. Wazawaka mentioned LockBit had paid him roughly $500,000 in commissions for the six months main as much as September 2020.

Wazawaka additionally mentioned he’d teamed up with DarkSide, the ransomware affiliate group accountable for the six-day outage at Colonial Pipeline final 12 months that brought about nationwide gasoline shortages and value spikes. The U.S. Division of State has since supplied a $5 million reward for info resulting in the arrest and conviction of any DarkSide associates.

Wazawaka appears to have adopted the uniquely communitarian view that when organizations being held for ransom decline to cooperate or pay up, any information stolen from the sufferer must be revealed on the Russian cybercrime boards for all to plunder — not privately offered to the best bidder. In thread after thread on the crime discussion board XSS, Wazawaka’s alias “Uhodiransomwar” might be seen posting obtain hyperlinks to databases from firms which have refused to barter after 5 days.

“The one and the primary precept of ransomware is: the data that you just steal ought to by no means be offered,” Uhodiransomwar wrote in August 2020. “The neighborhood must obtain it completely freed from cost if the ransom isn’t paid by the facet that this info is stolen from.”

Wazawaka hasn’t at all times been so pleasant to different cybercrooks. Over the previous ten years, his contact info has been used to register quite a few phishing domains supposed to siphon credentials from individuals making an attempt to transact on numerous darkish internet marketplaces. In 2018, Wazawaka registered a slew of domains spoofing the actual area for the Hydra darkish internet market. In 2014, Wazawaka confided to a different crime discussion board member by way of personal message that he made good cash stealing accounts from drug sellers on these marketplaces.

“I used to steal their QIWI accounts with as much as $500k in them,” Wazawaka recalled. “A supplier would by no means go to the cops and inform them he was promoting stuff on-line and somebody stole his cash.”


Wazawaka used a number of electronic mail addresses and nicknames on a number of Russian crime boards, however information collected by cybersecurity agency Constella Intelligence present that Wazawaka’s alter egos at all times used one in every of three pretty distinctive passwords: 2k3x8x57, 2k3X8X57, and 00virtual.

These three passwords have been utilized by one or all of Wazawaka’s electronic mail addresses on the crime boards through the years, together with,,,

That final electronic mail tackle was used nearly a decade in the past to register a Vkontakte (Russian model of Fb) account underneath the identify Mikhail “Combine” Matveev. The telephone quantity tied to that Vkontakte account — 7617467845 — was assigned by the Russian telephony supplier MegaFon to a resident in Khakassia, located within the southwestern a part of Japanese Siberia. [an advertiser on this site] reviews was used to register three domains between 2008 and 2010:,, and That final area was initially registered in 2009 to a Mikhail P. Matveyev, in Abakan, Khakassia.

Mikhail Matveev is just not probably the most uncommon identify in Russia, however different clues assist slim issues down fairly a bit. For instance, early in his postings to Exploit, Wazawaka might be seen telling members that he might be contacted by way of the ICQ instantaneous message account 902228.

An Web seek for Wazawaka’s ICQ quantity brings up a 2009 account for a Wazawaka on a now defunct dialogue discussion board about Kopyovo-a, a city of roughly 4,400 souls within the Russian republic of Khakassia:


Additionally round 2009, somebody utilizing the nickname Wazawaka and the 902228 ICQ tackle began posting to Russian social media networks making an attempt to persuade locals to frequent the web site “,” which was billed as one other web site catering to residents of Khakassia.

In keeping with the Russian area watcher, was registered in January 2009 to the e-mail tackle combine@devilart.internet and the telephone quantity +79617467845, which is similar quantity tied to the Mikhail “Combine” Matveev Vkontakte account. says the combo@devilart.internet tackle was used to register two domains: one referred to as badamania[.]ru, and a defunct porn web site referred to as tvporka[.]ru. The telephone quantity tied to that porn web site registration again in 2010 was 79235810401, additionally issued by MegaFon in Khakassia.

A search in Skype for that quantity reveals that it was related greater than a decade in the past with the username “matveevatanya1.” It was registered to a now 29-year-old Tatayana Matveeva Deryabina, whose Vkontakte profile says she presently resides in Krasnoyarsk, the most important metropolis that’s closest to Abakan and Abaza.

It appears possible that Tatayana is a relative of Mikhail Matveev, maybe even his sister. Neither responded to requests for remark. In 2009, a Mikhail Matveev from Abaza, Khakassia registered the username Wazawaka on weblancer.internet, a contract job change for Russian IT professionals. The Weblancer account says Wazawaka is presently 33 years outdated.

In March 2019, Wazawaka defined a prolonged absence on Exploit by saying he’d fathered a toddler. “I’ll reply everybody in per week or two,” the crime actor wrote. “Turned a dad — went on trip for a few weeks.”

One of many many electronic mail addresses Wazawaka used was, which is tied to a more moderen however since-deleted Vkontakte account for a Mikhail Matveev and used the password 2k3X8X57. As per regular, I put collectively a thoughts map exhibiting the connections referenced on this story:

A tough thoughts map of the connections talked about on this story.

Analysts with cyber intelligence agency Flashpoint say Wazawaka’s postings on numerous Russian crime boards present he’s proficient in lots of specializations, together with botnet operations, keylogger malware, spam botnets, credential harvesting, Google Analytics manipulation, promoting databases for spam operations, and launching DDoS assaults.

Flashpoint says it’s possible Wazawaka/Combine/M1x has shared cybercriminal identities and accounts with a number of different discussion board members, most of whom seem to have been companions in his DDoS-for-hire enterprise a decade in the past. For instance, Flashpoint factors to an Antichat discussion board thread from 2009 the place members mentioned M1x labored on his DDoS service with a hacker by the nickname “Vedd,” who was seemingly additionally a resident of Abakan.


All of that is tutorial, after all, offered Mr. Wazawaka chooses to a) by no means go away Russia and b) keep away from cybercrime actions that focus on Russian residents. In a January 2021 thread on Exploit relating to the arrest of an affiliate for the NetWalker ransomware program and its subsequent demise, Wazawaka appears already resigned these limitations.

“Don’t shit the place you reside, journey native, and don’t go overseas,” Wazawaka mentioned of his personal private mantra.

Which could clarify why Wazawaka is so lackadaisical about hiding and defending his cybercriminal identities: Extremely, Wazawaka’s alter ego on the discussion board XSS — Uhodiransomware — nonetheless makes use of the identical password on the discussion board that he used for his Vkontakte account 10 years in the past. Fortunate for him, XSS additionally calls for a one-time code from his cellular authentication app.

The second step of logging into Wazawaka’s account on XSS (Uhodiransomwar).

Wazawaka mentioned NetWalker’s closure was the results of its administrator (a.ok.a. “Bugatti”) getting grasping, after which he proceeds to evangelise about the necessity to periodically re-brand one’s cybercriminal id.

“I’ve had some enterprise with Bugatti,” Wazawaka mentioned. “The man bought too wealthy and commenced recruiting People as affiliate companions. What occurred now’s the consequence. That’s okay, although. I want Bugatti to do some rebranding and begin from the start 🙂 As for the servers that have been seized, they need to’ve hosted their admin panels in Russia to keep away from getting their servers seized by INTERPOL, the FBI, or no matter.”

“Mom Russia will provide help to,” Wazawaka concluded. “Love your nation, and you’ll at all times get away with every little thing.”

Should you preferred this put up, you may additionally take pleasure in Who Is the Community Entry Dealer “Babam”?


Most Popular

Recent Comments