Access Management , Card Not Present Fraud , Cybercrime

Russian Charged in $1.5 Million Cyber Tax Fraud Scheme

Anton P. Bagdanov Allegedly Hacked Private Tax Preparation Firms to Steal Data
Russian Charged in $1.5 Million Cyber Tax Fraud Scheme
Anton P. Bogdanov being arrested at Phuket International Airport in Thailand on Nov. 29, 2018. (Photo: Thai police)

A Russian citizen has been charged with stealing more than $1.5 million from the Internal Revenue Service after hacking into tax preparation companies and stealing personal data.

See Also: The State of Organizations' Security Posture as of Q1 2018

On Monday, an indictment was returned in U.S. federal court against 33-year-old Anton P. Bogdanov, aka "Kusok," charging him with wire fraud conspiracy, aggravated identity theft and computer intrusion. Prosecutors have accused Bogdanov of working with unnamed accomplices to steal personal information and use it to file federal tax returns and fraudulently obtain tax refunds.

Bogdanov was arrested in Phuket, Thailand, on Nov. 28, 2018, by Royal Thai Police, pursuant to a provisional arrest request issued by the U.S. In January, he waived his right to appeal a U.S. extradition request, The Phuket News reported. He was extradited to the U.S. last month and has yet to be arraigned.

An indictment against Bogdanov, dated April 12, 2018, was unsealed on April 1.

Indictment against Anton P. Bogdanov

"As alleged in the indictment, Bogdanov and his co-conspirators combined sophisticated computer hacking and identity theft with old-fashioned fraud to steal more than $1.5 million from the U.S. Treasury," says Richard Donoghue, the U.S. attorney for the Eastern District of New York. "This office, together with our law enforcement partners, will use all our available resources to target and bring cybercriminals to justice, wherever they are."

Bogdanov's attorney, New York-based Andrew J. Frisch, couldn't be immediately reached for comment.

Authorities say that from June 2014 to November 2016, Bogdanov and his co-conspirators stole personally identifiable information, including Social Security numbers and dates of birth, from U.S. taxpayers, by hacking into American tax preparation firms' systems.

"They then changed the information on the tax returns so that the refunds were paid to prepaid debit cards that he and his co-conspirators controlled," according to the Justice Department. "Bogdanov and his co-conspirators also used misappropriated PII to obtain prior tax filings of victims from an IRS website, and filed new tax returns, purportedly on behalf of the victims, so that refunds were paid to prepaid debit cards under their control."

Authorities say that cybercrime service providers cashed out the debit cards in the U.S. and wired more than half of the proceeds to Bogdanov in Russia.

"Since discovering this scheme, the IRS has added additional layers of security to its website," the Justice Department says. A Justice Department spokesman declined to specify which private U.S. tax preparation firms were hacked, saying that information has yet to be made public.

If convicted of all of the charges files against him, Bagdanov faces up to 27 years in prison.

Thai news media have reported that Bogdanov was on vacation at the time of his arrest and ready to board a flight to return home. He is not the first Russian to have been accused of hacking who was arrested at U.S. request while vacationing abroad (see Hackers' Vacation Plans in Disarray After Prague Arrest).

Inside the Cybercrime Ecosystem

U.S. law enforcement agents reported discovering Bogdanov's alleged scheme after arresting and charging an unnamed individual in February 2014 with committing access device fraud.

"Access device fraud is the principal description for any type of crime that involves credit or debit card, ATM cards, banking cards and other types of account access devices that affects electronic monetary transactions by transferring funds from one bank account to another by way of providing access to financial institutions," says Fort Lauderdale, Florida-based criminal defense attorney Michael B. Cohen, who is a former assistant U.S. attorney. "It is usually prosecuted as fraud or a violation of identity theft laws."

In this other case, the arrested individual pleaded guilty to multiple crimes, including access device fraud and aggravated identity theft, and became a cooperating witness for the government, referred to as CW-1 in court documents. "Following his/her arrest, CW-1 continued to receive and carry out instructions from individuals with whom he/she worked," said Matthew Alex, an FBI special agent, in an affidavit in support of a search warrant submitted to the court on Jan. 30, 2017.

One of these services involved "cashing" services, which CW-1 provided to another suspect arrested by the FBI who pleaded guilty to similar charges and also turned cooperating witness, referred to as CW-2.

The FBI said it corroborated evidence provided by both and that it has proved reliable. Rose writes that both defendants are cooperating in the hope of receiving leniency at sentencing.

Cashing Services

Here's how the cashing services worked: "Specifically, CW-2 fraudulently obtained prepaid debit cards using stolen personally identifiable information ('PII') and loaded the cards with funds obtained through a variety of criminal schemes, including income tax refund fraud and ransomware," according to court documents.

"CW-1 was responsible for 'cashing out' the prepaid debit cards and forwarding the funds (less CW-1's fee) at the direction of CW-2."

CW-2 provided this as a service to others via online crime forums, according to court documents. The FBI reports that it conducted a digital forensic investigation of CW-2's computer and recovered chats between CW-2 and someone using the online handle Kusok, and then it continued to record such chats after CW-2's arrest. The chats were conducted using the private, encrypted chat service Jabber.

Excerpt from the affidavit against Anton P. Bogdanov

"On or about July 25, 2014, Kusok told CW-2, in sum and substance, that he had the ability to file for hundreds of thousands of dollars in business tax refunds using what CW-2 understood to be fraudulently obtained information," according to court documents. "Kusok sought prepaid debit cards from CW-2. It was CW-2's understanding that Kusok provided the prepaid debit card information to the IRS in the fraudulent tax filings as the account to which the return should be deposited."

In addition, "Kusok provided a WebMoney address to which CW-2 was to send Kusok's share of the proceeds, which was 55 percent." WebMoney is a digital currency system based in Russia that was created in 1998. It has previously been used by criminals to move money.

FBI Traces 'Kusok' to Bogdanov

In his affidavit, FBI Special Agent Alex wrote that the bureau tied the Kusok handle to Bogdanov after tracing the Kusok username on the Verified cybercrime forum, which also used ICQ number 275232.

"User Kusok on online criminal websites Cardingworld.cc and Carder.su also used the ICQ number 275232," Alex wrote. "On Cardingworld.cc, Kusok registered using the email address durmalin88@mail.ru, which was also used to register accounts at multiple other domains."

Alex wrote that the durmalin88 email account was also used to register a mail.ru domain that contained 20 photographs, which also appeared on a Vkontake - aka VK - account registered in Bogdanov's name. "Photos posted on this account repeatedly show one particular male, who I believe to be Bogdanov," Alex wrote.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.co.uk, you agree to our use of cookies.