Anna Yurtaeva: "Cyber forensics is currently where the fiercest fight against crime is taking place"

Tomcat
Since the time of Eugène Vidocq, the "father" of classic criminal investigation, the algorithm has changed little: the detective collects evidence, builds a hypothesis, eliminates unnecessary suspects and finally arrives at the villain, who is eventually sent to prison. Cybercrime is not so simple. On top of all the mandatory stages of collecting and analyzing digital evidence, clues and artifacts comes attribution: the digital identity of the suspect must be "tied" to a specific living person. A cyber investigation can take a couple of hours, and sometimes it stretches over years, turning into a huge puzzle quest. The new heroine of the project "Cyber Professions of the Future", Anna Yurtaeva, talks about how it is possible to identify an attacker in the digital world, even one who operated almost flawlessly.

Profile:
Name: Anna Yurtaeva
Position: senior specialist of the Department of High-Tech Crime Research, Group-IB
Specialization: senior specialist in high-tech cybercrime research
Age: 26 years old
Education: MTUCI, MISIS
What is known: over five years she has conducted 100+ investigations of high-tech crimes, prefers lipstick in the color of her mood.
Hobbies: trekking, cooking, yoga.

Sherlock and Cluedo brought me to cyber forensics

As a child, I loved books about detectives, cartoons about spy girls, and movies about special agents with cool devices. I also couldn't keep my eyes off the Cluedo board game, where you had to solve a detective puzzle and find out who killed whom and how; I could play it all day long. As a student, I reread Sherlock Holmes for the hundredth time and once met the guys from Group-IB at a party. They talked so fascinatingly about the company and what they were doing that I was dying of curiosity. As a keepsake, I got a notebook, a piece of merch with Sherlock on it. "It's a sign," I thought, and decided that sooner or later I would work there.

I did my first investigation... on the train! When I was a student, I had to travel to the university every day from the Moscow region, and it was very difficult to get an empty seat in a crowded car. To entertain myself, I came up with the idea of finding all those unfamiliar guys who often traveled with me on VKontakte. I found the accounts of my fellow travelers, wrote to them and asked them to save a seat for me. Soon we had a whole team I could count on, and we kept seats for each other. This simple skill of searching social networks has since helped me out more than once in real investigations.

I studied technical specialties at MTUCI and MISIS, but they were far from cyber security. Even in my first year, I decided to go to work at Group-IB. And... they didn't take me. Although the company was small, even then the staff consisted of professionals: specialists in forensics, cyber intelligence, reverse engineering, pentesting, and so on. I was advised to gain knowledge and skills, understand what exactly I wanted to do, and come back. I was offended and thought that all the girls here get rejected: at university, I constantly encountered stereotypes about tech girls. Of course, this was not the case; for example, Vesta Matveeva, who now heads the Department of High-Tech Crime Research in Singapore, already worked in the team of forensic investigators. If you really want something, you need to be persistent: I came back for an interview a couple of years later and got the position I dreamed of.

Everyone leaves clues, even the pros


The history of Group-IB began with investigations and computer forensics; they were the "calling card" of the company. Let no one think that this is bragging, but we were and remain the best in this business. Our competitors send us the people who have contacted them. And that is an indicator. Although now we are better known in the world as engineers and developers. The first cases that the founders of the company, Ilya Sachkov and Dima Volkov, personally investigated were simple from a technical point of view: hacking of email accounts, LiveJournal and ICQ, blackmail, custom DDoS attacks. Now our team investigates fraud in online and mobile banking systems, BEC attacks (Business Email Compromise), attacks using malware distribution, creation of botnets, competitive espionage, data leaks, and so on. Without the tools and data shared with us by our colleagues from the Threat Intelligence (Cyber Intelligence) Department, the CERT-GIB 24/7/365 Incident Response Center (by the way, the largest in Eastern Europe!) and the Digital Risk Protection Department, we would not have been upgraded so comprehensively. For example, our cyber intelligence service tracks criminal groups such as carders, phishers and ransomware operators, and writes hunting rules that allow us to track the attackers' infrastructure. I follow their work very closely: any attack is prepared for quite a long time, from a couple of weeks to months. When villains "raise" servers for an attack or set up sites that will send fake emails with malicious content on board, we, and therefore our customers, will be the first to know about it.

I am not exaggerating when I say that we are involved in the investigation of most major information security incidents: we study such incidents or help the police with their analysis in order to protect our customers. That is, in the literal sense, we live by it and "use our hands" to investigate the infrastructure of intruders. Each product or service of the company actually has one goal: to stop a cybercriminal. If you are interested, you can view some of our public cases, for example, the case of the Popelysh brothers, the CRON and TipTop groups, and the "Cyber Fascists", here.

We have found links to the Group-IB blog in the browser bookmarks of cybercriminals: they know about us, and while we study them, they study what we write. After our analytical reports and blog posts, groups changed their techniques, tactics, and tools so that we could no longer track them. But this can be rated as a nice try. No more than that.

We are not the cyber police. Don't confuse us with them. This is mostly the opinion of those who do not understand the essence of our work. Private companies do not engage in operational investigative activities, nor do they detain cybercriminals. They work exclusively in the interests of business, and the ultimate beneficiary of our work is always business. We collect evidence for the court and act as technical experts: we help to correctly (strictly according to the law!) seize equipment from cybercriminals, such as laptops, phones, hard drives and servers. I don't go to searches and arrests; I work in the rear, with seized equipment. The more clues and artifacts I find, the faster we can track down the culprit.

Cybercrime detection can be approached from different angles; we always follow the path of exploring the technical background. When investigating embezzlement through remote banking services (RBS), the police first of all get on the trail of the cash-out mules: they can be tracked down by cameras, quickly caught and interrogated, the head of the cash-out operation identified, and the routes of the money transfers established. And he most likely withdrew the money through crypto and mixers, so all traces are gone. We go a slightly different way, from the technical side. We find the programmers and the so-called "loaders" (zalivshchiki), those who sit in the control center with the malware and conduct the transactions. And with the crypto, by the way, we can also deal.

No one is immune to mistakes, even experienced hackers. The main thing is to understand where cybercriminals have left traces, to find their slip-ups, weaknesses and typos; this is the first and very important stage of my work. Remember the episode from the movie "Home Alone" where the "wet bandits" turned on the water in the robbed houses? When the cops caught them, they immediately realized who had been operating in the other houses. The situation is similar with cybercriminals. One or two extra letters in the code can give the correct investigation vector. For a long time no one could understand why the shares of a well-known international company were collapsing without any reason. It turned out that this was a carefully thought-out information attack that damaged the company's reputation. My team and I managed to identify the attackers (by the way, they were Russian-speaking) who came up with such a scheme. Its essence is to launch a lot of sites in English in order to discredit the company. Shareholders received false information about the company, panicked and dumped the securities. We found the villains based on the numerous "breadcrumbs" they left behind when creating the fake resources. For each client, attacks on their company seem new and unconventional. But in fact, hacker schemes, even cunningly twisted ones, can be unraveled if you know where to start.

I divide cybercriminals into ambitious people and clumsy people. Ambitious people leave digital evidence everywhere: their nicknames (they love themselves so much!), or they keep a personal diary and then test a fraudulent scheme on the same server. Of course, they clean up everything they can, but our Threat Intelligence system still "sees" and "remembers" changes in the attackers' infrastructure over a 10-15 year retrospective. I restore the timeline of changes and find some interesting things. As for the clumsy ones, they constantly make the same mistakes, and these may just be typical mistakes in ordinary texts. These flaws are repeated across a whole branch of sites, and I already know that the same person did it. Next, you need to determine who exactly it was.

Some cybercrime investigations take years to complete and resemble a TV series. For example, during the pandemic, the fraudulent scheme "Mammoth" ("mammoth" is what scammers call the victim in their slang), with fake courier delivery of goods ordered on classified-ad boards, became wildly popular. My colleagues from Group-IB Digital Risk Protection estimated that in 2020 the earnings of all criminal groups using this scheme exceeded $6.2 million, and the number of fake resources exceeded 3,000. In the end, "Mammoth" became cramped in Russia and "went" to the CIS countries, Europe and Asia, and began to explore new niches. With the help of Telegram bots, scammers generated fake resources not only for courier services and classified-ad boards, but also for popular sites for renting housing and cars, and for bookmakers. We have several successful cases against these fraudulent groups: some specialized in courier services and classified-ad boards, while others specialized in automotive services.

The first commandment of a cyber investigator


Ask more questions. This is the first commandment of cyber forensics. It is never too late to ask all the questions that arise, whether to yourself, the client or a colleague on the team; this helps the business significantly. I remember when I first got the job, I was too shy to ask questions, wrote out some wild things in a huge notebook, and made life difficult for myself. After all, I was doing extra work! In a team, you can count not only on help and support, but also on good advice. What to read, whom to contact, and what details to focus on: getting answers to questions allows you to grow quickly as a professional.

Just like in a classic detective story where Sherlock disguised himself as a cab driver, there is always a place for an operational game in our work. For example, we need to infiltrate a group of scammers in closed Telegram chats and, under the guise of a novice "worker" (an ordinary participant in a fraudulent scheme), get as much useful information as possible: who was deceived and how, how much money was received, and where the money was withdrawn. Or take another fairly common crime: extortion. The victim's personal mailbox was hacked, the attackers connected to the cloud account tied to it and restored a backup copy of the phone from there, gaining access to photos, correspondence, and documents. The person then receives threats in Telegram that his correspondence with his mistress or competitors is in the hands of criminals, and that they are ready to publish this correspondence if they do not receive a ransom. We help victims build a communication strategy to minimize the possible damage and to identify as much data as possible about the attacker. We can ask which wallets to transfer the money to, convince the villain that the victim is ready to fulfill his conditions, and send him trap links. I will not disclose any secrets, but I will say that as a result we get his IP address, technical data, screen resolution, and various fingerprints that will allow us to establish his identity, even if he carefully hides behind anonymization tools.

I have several Group-IB achievements and I am very proud of them. Achievements are our signature feature: special commemorative badges for successful operations, research, and reports. If people ask me about the cases I work on, of course I can't tell them anything, but when a case is finished, I can show them my achievements with pride and trepidation, and they speak for me.

Just like in detective movies, I have a graph diagram. No one pins up threads on the wall anymore; everything has long since gone digital. We use both well-known popular tools like Maltego and our own developments; of the public ones, I can name our graph for studying the network infrastructure of intruders. But I always try to do my work with soul and decorate the schemes in an old-school way so that they are pleasant to look at. I find the suspect's social networks, add the links and decorate them with a picture. This inspires us to keep working on the case. The girls will understand me.

We don't have boilerplate investigations or a standard approach. When we analyze information, our eye may catch on an IP address or a line of code, and we realize that we have met it somewhere before, or we can Google it or find it in other data sources, and we start to unwind this chain. One attacker created a script that sent the site's users SMS messages in incredible quantities, an "SMS bomber". Users were very angry about this; they wrote and called support and left negative reviews. The company was losing loyalty and customer trust, and therefore sales. When I received the attacker's script, I noticed that some data in the code had been "stuck together" by mistake. It wasn't obvious to the customer, but it was a clue for me, and I found out who did it.

Meditation and sports increase attention to detail

There is no ready-made "recipe" for how to become a cool investigator. Theory alone is clearly not enough; the world is changing rapidly. A lot is gained with experience, but a broad outlook helps you look for clues. When you are well-read and interested in many things, you are creative and better understand the logic of intruders. I can say for sure that it doesn't hurt to take courses in computer forensics or pentesting (ethical hacking), to know tools for OSINT and graph analysis, and to learn programming languages. English can generally be put in first place, because the best literature in the field of cyber investigation, OSINT and forensics is published mainly in English.

First of all, the moral principle of fighting cybercrime is important in cyber security, and this requires an internal core. Now some guys come to interviews and say that they want to improve their technical skills, build a career, and earn money. This is not enough. I work for Group-IB largely because the company's mission is to fight cybercrime. This is a noble cause that meets both my personal aspirations and the goals of my teammates.

I want to get a CompTIA certificate to be a world-class pro. This makes it easier to work with customers, and it is an advantage for a company when it has many employees with certificates from international organizations. I watch specialized conferences and try to gain more legal knowledge in order to understand in which cases an attacker can be brought to justice.

A cyber Sherlock's day begins with preparation: you need to come to work looking beautiful and not let it slip even in stressful situations. I constantly monitor who hacked what and how; to automate the routine, you need to keep up to date with information security news. I have a list where I write out questions (ask more questions, remember?), and then discuss them with the team, asking for advice. By the way, we also go to lunch together to talk about informal things. Switching off is also important, because attention can't work 24/7.

By the way, only those who are actively involved in sports and know how to rest well stay attentive. I prefer trekking and yoga; meditative practices bring attention to detail back. If you work around the clock, do not get enough sleep and do not rest, you can make annoying, unforgivable mistakes. In critical cases, of course, I stay at work longer than usual. But practice shows that what gets done at night most often turns out to be some kind of nonsense.

I wear lipstick to match my mood. Bold blue if clues have been found and everything is going according to plan. This sign also inspires the team, because any investigation is a team game. In general, I love the lack of a strict dress code. I think with a white shirt, a tight skirt, and a severe bun on my head, it would have been harder for me to find the villains. When I look like a superhero, I act like a superhero: fast and accurate.

Photo: Kristina Dolgolapteva

P.S. Need more information? Subscribe to Group-IB's action-packed Telegram channel about information security, hackers, carders, APT, cyber attacks, scammers, and Internet pirates. Step-by-step investigations, practical cases using Group-IB technologies, and recommendations on how to avoid becoming a victim. Connect now!