How Telegram bots are leaking information about Russians

From the point of view of the law, the administrators and clients of large Telegram bots for "breaking through" are criminals.
23.11.2020
Hundreds of thousands of Russians use Telegram bots every day to "break through" people, that is, to look up personal data on them. All of them are potential criminals who face up to two years in prison. But these threats do not stop the clients of the all-seeing bots. Insecure young people who want to "look up" yet another girl from Tinder, police officers who urgently need to pull information to close a check on an inconvenient complaint, employees of microcredit organizations: all together they bring bot creators tens of millions of rubles. The Daily Storm explains how the online "breaking through" market works and what methods the owners of Telegram services use to make money and elude the attention of law enforcement officers.

The most popular Telegram bot in Russia for "breaking through" is called the "Eye of God". Its owners claim that about a million people use their service.

There are about 40 similar systems in the Russian Telegram segment. Each of them has its own "background" (usually not just one, but several): a database in which the bot finds all the necessary information at the user's request. The most valuable resource for the organizers of "breaking through" is the information; the bot is just a shell.

Start button

“Our bot "Deanonymizer" has grown on the basis of a system developed by us for identifying a person by phone number or nickname in the messenger of the same name,” says Igor Bederov, head of the Internet-search company.

According to him, shortly before launching the bot, he managed to test the system on a real case. Operatives investigating the murder of Evgenia Shishkina, an investigator for especially important cases, turned to Bederov for help. The media called this case "the first contract murder organized through the darknet."

The person who ordered the crime was Yaroslav Sumbaev, a drug dealer and hacker who fled from Russia. Shishkina was working on the case of the hacking of the databases of Russian Railways and the S7 airline, behind which Sumbaev's group stood. At some point, the professional confrontation turned into a personal one, and Sumbaev began to consider Shishkina his personal enemy.

In 2018, he asked an employee of his drug store on the Hydra site, a high school student named Ivan Kochetkov, to "remove someone" for a million rubles. Kochetkov agreed and brought his friend Abdulaziz Abdulazizov into the job. On October 9, 2018, they killed the investigator.

“… I went up to the woman (Shishkina), at that moment she, seeing how I took out a gun, swung at me. Dodging the blow, I slipped and rested my left hand on the ground, and fired a shot in the stomach with my right. After that, I got up and shot her in the neck, while she was lying on the ground,” Abdulazizov said during interrogation.

According to Bederov, after the murder he was approached by police officers who needed to extract as much information as possible from the victim's Telegram.

- Shishkina had repeatedly informed her colleagues that she was receiving anonymous threats in the Telegram messenger, - Bederov clarifies. - The username of one of the profiles from which the threats came was exactly the same as the home address of the victim. It was this profile that I was asked to de-anonymize.

Bederov's company began an automatic "run" of all phone numbers that somehow figured in the case of the murdered woman.

- As a result, the threatening phone surfaced: one of the numbers that had been "run" was tied to a Telegram user whose nickname repeated Shishkina's address. Apparently, it was one of the assistants of Sumbaev, who ordered the murder.

After that, the Deanonymizer program, having proved its effectiveness in the law enforcement system, became a Telegram bot. Unlike many others, this system is free, but its functionality is limited to the link "Telegram nickname - phone number".

Half a million a day - to break through

You have to pay money for more information. Now there are two systems for content monetization: a one-time payment (from 30 to 250 rubles per request - depending on the bot) and a subscription for a certain period (from 65 to 1000 rubles per day, with a system of discounts for those who are interested in a longer subscription).

The "Eye of God" service now looks like a kind of hegemon in the online "breaking through" market. If each of the one million users declared by the service bought the cheapest daily subscription for 65 rubles at least once, then the Telegram bot has already brought its creators 65 million rubles.

Unfortunately, the "Eye of God" administrators do not disclose more detailed statistics (the number of new subscriptions per day, the volume of requests, and so on).

Another large bot, the sector-specific AVinfoBot (it does not give out all possible information about the user, only information from one specific area), on the contrary publishes the number of reports it produces per day: 15 thousand. Each costs 150 rubles. The total is more than two million rubles. Because of subscription discounts the earnings may be lower, but the order of magnitude remains the same.

Judging by the social networks of both services, the number of active users of the "Eye of God" may be approximately three times greater than that of AVinfoBot. But at the same time, the cost of a daily subscription to the "Eye of God" is 11 times lower. It turns out that the service's turnover in monetary terms has a ceiling of 200 thousand rubles per day.

Cybersecurity experts who agreed to speak with the Daily Storm think the metrics shown by bot admins are too high. But not by much.

- "Eye of God" in any case has several hundred thousand users. The number of users of the largest bots that have been functioning for years easily exceeds half a million, - said the source of the Daily Storm.

According to the bot administrators themselves, their clients include people from all walks of life and all kinds of professions. There are a lot of police officers who find it easier to pay a small "compensation" to the bot than to fight their way through the bureaucratic machine to the official databases.

- Precinct officers check all applicants through this bot every day. They take information from the report, change the font to Times New Roman and bring it to the authorities. They do not look at departmental databases - there is no time to enter passwords and indicate the basis for the search, - a law enforcement officer told the Daily Storm.

The owners of the bots admit that other police officers also visit their services: judging by the requests, they can be identified as employees of the drug department. They search for users on the dark web using drug slang. Drug addicts sometimes use the same method to find a dealer.

Other regular users of the bots: those who like to "look up" girls from Tinder, and bank security officers.

Data Source

In the summer of 2016, the hacker Peace_of_mind put up for sale a dump of the VKontakte database with information about 100 million social network accounts. The hacker posted the database on a darknet forum and priced it at one bitcoin. This is about 38 thousand rubles at the exchange rate for June 2016. In the same year, there was a multimillion-dollar data leak on Rambler users.

Today, on darknet forums, you can buy for 72 thousand rubles a dump of the Avito service database containing information about passwords and mailing addresses of 29 million users, while the Joom marketplace database, containing information about 550 thousand clients of Russian banks (full name, phone number, email, bank name, card number), is sold for 228 thousand rubles.

Some of this data is fake or just outdated information. For example, in the dump on which Peace_of_mind was trying to make money, VKontakte employees identified an old database of usernames and passwords that the scammers had been collecting between 2011 and 2012.

However, many leaks circulating on the dark web contain relevant information. Moreover, not all of them are paid.

In June 2020, a database with the data of Telegram users, about 12 million of whom are Russians, was distributed free of charge on shadow forums and in Telegram channels. In April this year, a database of nearly 34 million LiveJournal users, containing e-mail addresses, passwords and links to the users' profiles, was made publicly available.

By accumulating information from the leaks, the owners of Telegram bots form their own databases, which users turn to with requests.

Most often, databases consist of combinations of several bundles, which may contain the necessary information: "password + email", "phone + email", "VKontakte page + phone + email". For example, if a person registered under one e-mail on the sites VKontakte, LiveJournal, MySpace and Last.fm, then it will be enough for a large bot to send an e-mail address or ID of the VKontakte page in a request to receive structured information from all available dumps.

Bots working with information about cars collect databases leaked from the traffic police and insurance companies.

The value of a bot is primarily determined by the size and depth of its data array.

“Are you getting a job? Selling a car? Or just want to scare the person that you have absolutely all the information about him?! We present to your attention the Archangel bot” - such a message, posted in early September 2020, could be found on one of the darknet forums.

The administrators of this bot do not collect databases - it is connected to one of the information and analytical systems. A user hiding under the nickname Colombo and making money on "breaking through" people, in a conversation with the Daily Storm correspondent suggested that "Archangel" is probably using one of two similar systems: Protocol or Solaris.

The Daily Storm correspondent, having ordered a report on himself, confirmed that the output contained up-to-date information on air travel in 2016, passport data and last year's income statement.

Colombo claims that the Protocol system appeared in 2018 and was developed by "security and private investigators." Initially, the main clients were the security services of banks, law firms and credit organizations, but then the owners of Telegram bots also joined in. Now the system has about 30 terabytes of data.

The cost of one extract from the Protocol system starts from 250 rubles. The same price tag is set by bots that work with passport data.

Some of the services also use the legal capabilities of social networks and instant messengers, automating the processes. For example, if you enter a random address into the "Eye of God", the "People nearby" button will appear in the bot. It displays a list of Telegram accounts that have "lit up" next to the specified address. Probably, the "Eye of God" can collect information about the participants of Telegram geochats, which appeared in 2019. To do this, the bot spoofs its address using tools like Mock Locations and scans chats at a given address.

System error

The rapid development of Telegram bots was largely due to the open source code of the messenger. Bots can be written in any programming language, although Python is most commonly used. But PHP with JavaScript is also widely used.

You can do without programming at all: there are bot constructors that allow you to quickly and conveniently assemble the necessary tool. For example, HowToFind, a large Telegram bot for "breaking through" (an aggregator of tools and bots for finding information about a person), was created with such a constructor.

The development and implementation of a Telegram bot is legal. But bots that use databases of personal data that were "leaked" or bought on the shadow market are illegal.

“Anything that involves the use of unlawfully obtained personal data is, of course, illegal,” says Ekaterina Abashina, a lawyer of RosKomSvoboda and DigitalRightsCenter. - When a person secretly looks up another person through such a bot, he interferes with that person's private life, and the bot administrator, in addition to this, illegally processes personal data and makes profits in an illegal way. On the one hand, both the owner of such a bot and the user are subject to administrative (Article 13.11 of the Code of Administrative Offenses of the Russian Federation) and criminal (Article 137 of the Criminal Code of the Russian Federation) punishment, but the situation is complicated by the fact that it is very difficult to identify the offender, especially on the Telegram messenger platform ...

In Russia, there has not yet been a precedent of the police detaining the administrators of a bot for "breaking through". However, in July 2020, a similar story happened in Ukraine. In April, information appeared in local media about the UA BAZA Telegram bot, which sold personal data: a driver's license with a photo, a person's passport data. The Minister of Digital Information of Ukraine then argued that the bot downloads information from databases that have been available on the dark web for more than one year. For example, from the leaked "Privat Bank" database.

In June, the police, together with the SBU, conducted 36 searches and identified the creators of UA BAZA. Of the 25 people involved in the creation of the bot, eight were detained as suspects. One of the detainees worked for an unnamed private company. When he got access to the firm's database, he hoped to sell it for ten thousand dollars, but was detained. Another attacker turned out to be a hacker - he got access to the registers of insurance companies.

The Daily Storm's source in Russian law enforcement agencies believes that the creators of the bot were undone by the fact that they hacked databases themselves, gained access to companies' servers and took personal data from there. Russian "breaking through" bots buy stolen information rather than trying to get it on their own.

Flashback

The emergence of AVInfo is considered to be the starting point of the history of Telegram bots for breaking through in Russia. Formally, it was registered in Telegram at the end of 2015, but it was already actively earning in 2017.

To find out the registration date of a particular bot, you also need to use the services of a bot: id bot. Having received the required identifier from it, you send it to the Creation Date bot, whose only function is to display the date a profile was created.

The creators of AVInfo approached its release in Telegram gradually: first, they developed a site for searching for used cars, then presented the tools of the future AVInfo bot in the form of a web system. Already in 2017, the bot was presented with a striking advertising video, "Will not ride with girls".

In 2017, the bot could be used for 1,000 rubles a month. Now the price has risen to 2500 rubles.