Hacker Sold Backdoor Access Information to Corporate Networks and Earned More Than $1.5 Million

A hacker under the username fxmsp has been an active online threat for the past two and a half years, selling backdoor access to hundreds of corporate networks across the globe. Uncovered to be Andrey A. Turchin of Almaty, Kazakhstan, the hacker had managed to earn well over $1.5 million since 2017. In fact, he had become so in-demand in online circles that he had managed to hire a sales manager, a different hacker by the name Lampeduza.

fxsmp’s Activity

Turchin had been frequenting hacking forums since at least 2016. However, he would not attempt to offer his hacking services until late 2017. During his first 11 months, Turchin has managed to earn close to $268,000. He did that by selling access to various organizations across the globe, including a global chain of luxury hotels and a Nigerian commercial bank. It was at this point that he hired the hacker known as Lampeduza, a fellow forum member, to handle all of his hacking requests. Lampedusa himself was an active hacker, largely selling stolen Facebook data and bank card dumps.

From August to November of 2018, fxsmp and Lampeduza had managed to earn over $1,100,800, making it their most profitable period to date. A mere month before that, Turchin took a short break, but soon enough he reappeared promising access to over 60 different companies. In addition, he had also claimed that he managed to compromise three different antivirus software systems: McAfee, Trend Micro, and Symantec. He and Lampeduza would go on a new break until reappearing again in May of 2019. From May to September that year, the pair had made ‘only’ $124,100 and offered information about 22 different companies. Turchin reportedly retired from this venture in December of 2019, according to Lampeduza.

fxsmp’s System

fxsmp had used a somewhat low-key technique in hacking his victims. He would exploit the 3389 RDP port, which programmers commonly use for remote access to Windows servers. The hacker did not develop his own tools for hacking the companies. Instead, he would use different IP scanning tools and look for any available RDP port. Next, he would deploy a password-guessing attack with a special tool that searches for passwords based on previously compromised company credentials. That way he would have access to both the regular and the backup files of the company.

Authorities Yet to Catch fxsmp

Turchin was tracked by a cybersecurity firm called Group-IB for three years. Operating from both Moscow and Singapore, the group managed to learn about Turchin’s identity through his old Jabber account, which he used during his early forum days in order to learn how to monetize backdoor access. Experts managed to track down an old email account linked to an old domain registration under Turchin’s full name. In addition, they matched this info with similar data that Turchin had posted to one of his social media accounts. However, the hacker still remains at large, with the government of Kazakhstan assisting the US DoJ in his eventual capture.