MINNEAPOLIS — One year after thieves infiltrated Target’s cash registers, a website openly sells millions of credit and debit card numbers stolen in that data breach and many others.

Anyone can log on to the site, rescator.cm, and shop for cards by ZIP code. This illegal marketplace is the most glaring reminder that no one has been brought to justice in the theft of Target customer data.

Federal authorities declined to say anything about their investigation, which is being led by the U.S. Secret Service. Yet cybersecurity professionals have named one person they believe is linked to the stolen card website: a Ukrainian hacker named Andrey Hodirevski.

SECURITY ANALYSTS POINT FINGERS

Brian Krebs is the blogger who broke the Target breach story and first named Hodirevski a year ago. “He may not be rescator, but it’s pretty clear that he knows the people who are and probably is in touch with them,” Krebs said.

Two other security pros say Hodirevski almost certainly has a hand in running the site. Dmitry Volkov, head of investigations at Russian computer security company Group-IB, said in an interview that Hodirevski goes by the nickname “rescator” and has for several years been on his company’s radar as a carder, or dealer in stolen payment card information. He said Hodirevski was a main member of DarkLife, a defunct Russian-language hack team.

“He has a high reputation and credibility among other carders and hackers,” Volkov said. “He is not just another carder.”

Mark Lanterman, a former member of the Secret Service Electronic Crimes Task Force and now chief technology officer at Computer Forensic Services in Minnetonka, Minn., said the evidence points to Hodirevski.

“It’s circumstantial, but there’s a lot of it,” Lanterman said. “His website is up and active and going stronger than ever, which is disappointing.”

Hodirevski has not spoken out publicly, despite his name and photos having been publicized in cybersecurity reports and magazines such as Bloomberg Businessweek.

UNABLE TO FIND HACKER

One Ukrainian familiar with him said Hodirevski is living in a flat in Odessa with his grandmother following a previous hacking arrest, and he is being monitored by the Security Service of Ukraine.

An old school friend in Odessa said Hodirevski has disappeared and there’s no point looking for him. He’s probably in Russia, said the friend, Alex Zhimalov: “If he wants to be invisible – he will be.”

A recent report by Group-IB, the Russian cyberintelligence company, examined the Russian-language carding market. It said rescator not only runs his own shops but supplied information from more than 5 million cards stolen from Target to a popular online crime shop called Swiped1.su. Group-IB estimated that the 151,720 cards rescator sold there from December 2013 to February 2014 earned rescator about $1 million.

A BACKGROUND IN ELECTRONICS

The spelling of Hodirevski’s name varies depending on the transcription from Cyrillic. Profiles for Andrey Hodirevski on LinkedIn, and for Andrew Hodyrevsky on Retratech, a Russian-language website for certifying IT professionals, appear to be for the same person. The Retratech profile gives a birth date that would make him 22 and says he attended International Humanitarian University with a specialty in “maintenance of electronic networks” and the STEP Academy, a popular computer school in Ukraine. It lists a range of experience with various operating systems, programming skills such as JavaScript, software and databases.

He also notes “extensive experience in research, and troubleshooting of web application vulnerabilities, server software and other aspects of network security.”

An archived 2011 blog of an Odessa Internet marketing company, Netpeak, featured a group of employees. “Andrew Hodyrevsky aka hel” was described as a “strong programmer.” A photo posted there shows the same young man as in photos Krebs obtained.

Netpeak head Artyom Borodatiuk said Andrew Hodyrevsky worked at Netpeak from November 2010 to March 2011. He was a junior programmer in the R&D department, Borodatiuk wrote in an e-mail. He was fired for disciplinary problems, Borodatiuk said, such as showing up late for work “and some other little things we don’t accept.”

Meanwhile, Hodirevski’s carding reputation only grows. Sycophants on his bulletin boards think he’s the “end all,” Lanterman said.

“They seem to be singing his praises,” Lanterman said. “He must be thrilled with that.”

