{"id":31926,"date":"2020-11-18T06:00:47","date_gmt":"2020-11-18T04:00:47","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=31926"},"modified":"2025-08-28T06:08:25","modified_gmt":"2025-08-28T03:08:25","slug":"bank-heists-security-services-and-the-democratic-party-hack-the-story-of-russias-lurk-hackers","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/bank-heists-security-services-and-the-democratic-party-hack-the-story-of-russias-lurk-hackers\/","title":{"rendered":"Bank Heists, Security Services and the Democratic Party Hack: The Story of Russia\u2019s Lurk Hackers"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">At the end of October 2020, the Sverdlovsk regional court <\/span><a href=\"https:\/\/www.kommersant.ru\/doc\/4550140\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">freed<\/span><\/a><span style=\"font-weight: 400;\"> Konstantin Kozlovsky \u2014 one of the alleged leaders of the Lurk hacking group, whose activities have been investigated for years by law enforcement and cybersecurity specialists. He is believed to have stolen more than a billion rubles from Russians&#8217; bank accounts.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Kozlovsky himself says that he acted on orders from the FSB and is implicated in the hack of the Democratic Party of the United States.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">ForkLog examines how Lurk was organized, what links it to the security services, and what tacit rule it violated.\u00a0<\/span><\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\">\n<li>Initially, the hackers distributed software that, when tested by cybersecurity specialists, did nothing. It later turned out that the program was a modular system and gradually loaded malicious elements. 
Hence the name Lurk (from English \u2014 to lie low).<\/li>\n<li>Law enforcement detained the suspected participants of Lurk nearly five years after the start of their activity.<\/li>\n<li>One of the group&#8217;s leaders claimed to have been recruited by the FSB and to be involved in attacks on the Democratic Party of the United States and in creating the WannaCry virus.<\/li>\n<li>Lurk violated one of the tacit rules in the cybercriminal milieu \u2014 &#8220;do not operate against Russia&#8221;.<\/li>\n<\/ul>\n<\/div>\n<p><span style=\"font-weight: 400;\">Lurk came under the scrutiny of cybersecurity experts in 2011, when several banks reported money theft from accounts. Analysts at <a href=\"https:\/\/securelist.ru\/the-hunt-for-lurk\/29220\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">Kaspersky Lab<\/span><\/a><span style=\"font-weight: 400;\"> detected hidden malware that attacked software for remote banking services.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">After the trojan was identified, experts noted that the program behaved as if it did \u201canything but steal money.\u201d In laboratory tests of its capabilities, no suspicious activity was detected.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Because of this, and because of the relatively small number of incidents involving the software, it attracted little attention at the time. 
However, as it later turned out, the malware was far from harmless.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Thus the program earned the name associated with its operators \u2014 Lurk, which in English means \u201cto lie low.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">***<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In 2012 a number of major Russian media outlets came under cyberattack \u2014 attackers used them to spread malicious software.\u00a0<\/span><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><span style=\"font-weight: 400;\">&#8220;Technically, the malware was unusual: unlike most others, it left no traces on the hard drive of the attacked system, and operated only in the machine&#8217;s volatile memory,&#8221; said <a href=\"https:\/\/securelist.ru\/bankovskij-troyanec-lurk-specialno-dlya-rossii\/28708\/\" target=\"_blank\" rel=\"noopener noreferrer\">Kaspersky Lab<\/a>.<\/span><\/p>\n<\/blockquote>\n<p><span style=\"font-weight: 400;\">Its main aim was reconnaissance. It determined whether a device carried remote banking software from one of the Russian developers. If such a program was found, the device was infected with additional malware.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It could also automatically create payment orders or alter account details.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As later emerged, the program was a continuation of the Lurk virus. 
In studying many victims&#8217; reports to <a href=\"https:\/\/securelist.ru\/the-hunt-for-lurk\/29220\/\" target=\"_blank\" rel=\"noopener noreferrer\">Kaspersky Lab<\/a>, analysts concluded that a hacker group stood behind the spread of the malware.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">According to the investigation, one of the main organisers of the group was Konstantin Kozlovsky.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Team members were sought online among ordinary programmers. After selection, future staff were told what they would actually do.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Some members were responsible for development and distribution, others for operating the botnet from infected devices. Lurk also had specialists who withdrew illegally transferred funds from ATMs and handed them to the organizers.<\/span><\/p>\n<div class=\"wp-block-image wp-image-116762\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/lurk_hunt_ru_4-300x300.jpg\" alt=\"Bank heists, security services and the Democratic Party hack: the story of Russia\u2019s Lurk hackers\" class=\"wp-image-116762\" srcset=\"https:\/\/u1f987.com\/wp-content\/uploads\/lurk_hunt_ru_4-300x300.jpg 300w, https:\/\/u1f987.com\/wp-content\/uploads\/lurk_hunt_ru_4-150x150.jpg 150w, https:\/\/u1f987.com\/wp-content\/uploads\/lurk_hunt_ru_4.jpg 605w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><figcaption>Source: Kaspersky Lab.<\/figcaption><\/figure>\n<\/div>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><span style=\"font-weight: 400;\">&#8220;That period can fairly be called the \u2018golden\u2019 period in Lurk&#8217;s history, because due to weaknesses in protection of transactions in the remote banking systems, stealing money through an infected accountant&#8217;s machine in the attacked organisation was not so 
much a matter of skill as sometimes simply automatic,&#8221; said <a href=\"https:\/\/securelist.ru\/bankovskij-troyanec-lurk-specialno-dlya-rossii\/28708\/\" target=\"_blank\" rel=\"noopener noreferrer\">Kaspersky Lab<\/a>.<\/span><\/p>\n<\/blockquote>\n<p><span style=\"font-weight: 400;\">However, over time cybersecurity tools improved and banking systems became less vulnerable.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Consequently, Lurk&#8217;s earnings declined. The hackers began offering paid access to other criminals to the Angler exploit package, previously used to spread the Lurk malware, and also altered their methods of stealing funds.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For example, group members began engaging in SIM-swapping. After infecting a victim&#8217;s computer, the attackers gathered personal data, then reissued the SIM card and emptied the accounts.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Lurk members carefully encrypted their activities, but over time made more and more mistakes, which allowed law enforcement to identify them.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As a result, in 2016 law enforcement detained 50 suspects with links to Lurk in 15 regions of Russia.<\/span><\/p>\n<p><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/8GDpJbbc-Vw\" allowfullscreen=\"allowfullscreen\" width=\"560\" height=\"315\" frameborder=\"0\"><\/iframe><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><span style=\"font-weight: 400;\">&#8220;The arrest of Lurk hackers looked like a thriller. Emergency Ministry workers cut locks in the hackers&#8217; country houses and apartments in different parts of Yekaterinburg, after which FSB officers rushed in, grabbed the hackers and threw them to the floor, and searched the premises,&#8221; writes Daniil Turovsky, author of <em>Invasion. 
A Short History of Russian Hackers<\/em>.<\/span><\/p>\n<\/blockquote>\n<p><span style=\"font-weight: 400;\">The exact sum of losses from Lurk&#8217;s activities varies by source. The <a href=\"https:\/\/xn--b1aew.xn--p1ai\/news\/item\/7883870\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">MVD<\/span><\/a><span style=\"font-weight: 400;\"> puts it at more than 3 billion rubles, the <a href=\"http:\/\/www.fsb.ru\/fsb\/press\/message\/single.htm%21id%3D10437717%40fsbMessage.html\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">FSB<\/span><\/a><span style=\"font-weight: 400;\"> at 1.7 billion, and media citing investigators\u2019 data report losses of 1.2 billion rubles.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Beyond financial damage to Russian banks, Lurk was suddenly implicated in a political scandal.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Konstantin Kozlovsky, during one of the court hearings, said that, acting on orders from the FSB, he participated in the hack of the Democratic National Committee and Hillary Clinton&#8217;s emails. 
<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It was after this breach that the &#8216;Russian hackers&#8217; became a semi-legendary group and arguably the United States&#8217; main cybersecurity threat, at least according to American authorities and the media.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">***<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In July 2016, WikiLeaks published almost 20,000 emails from the Democratic Party of the United States, obtained in the hack and containing a multitude of compromising items.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">CrowdStrike, which investigated the incident, concluded that Russian groups were involved, but that they were Cozy Bear and Fancy Bear, not Lurk.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Nevertheless, Kozlovsky asserted that he was behind the attack and acted on orders from the FSB.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Initially, excerpts of his testimony and letters appeared on his Facebook page, but later they disappeared.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In addition to the Democratic Party hack, he was allegedly involved in attacks on government and military structures, banks and exchanges, FIFA, the Olympic Committee, WADA and others. 
He also claimed to have been behind the WannaCry virus, whose damage exceeded $1 billion.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Kozlovsky said that he supervised its actions alongside the former FSB major Dmitry Dokuchayev, who was arrested on treason charges and later received six years of imprisonment.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">According to the hearing transcript, Kozlovsky insisted that the Lurk-related case was fabricated and that the defendants were in fact innocent:<\/span><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><span style=\"font-weight: 400;\">&#8220;My heart aches that I betrayed them all, and that the FSB officers treat us this way. Since I was 16, Dokuchayev and his people led me, and I did everything they said, and now we are all in prison.&#8221;<\/span><\/p>\n<\/blockquote>\n<p><span style=\"font-weight: 400;\">Dokuchayev himself denied cooperating with Kozlovsky and said he did not even know him.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Kozlovsky also mentioned a Kaspersky Lab employee, Ruslan Stoyanov, who was involved in treason cases alongside Dokuchayev. Notably, Stoyanov was among those who investigated Lurk and described in detail how the group was organised.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Other defendants in the Lurk case did not unequivocally confirm Kozlovsky&#8217;s statements. One of the group\u2019s members, Igor Makovkin, said he had never heard of any supposed FSB role in Lurk&#8217;s actions.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Makovkin entered into a pre-trial cooperation agreement and his case was severed into a separate proceeding. In 2018 the court sentenced him to five years in a standard regime colony.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In summer 2020, some of the defendants were released from custody, with their remand replaced by house arrest. 
Later Kozlovsky was released as well \u2014 he is barred from using a phone and the internet, and from communicating with other defendants.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">***<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Whether Lurk operated under the auspices of the FSB or whether this was merely Kozlovsky\u2019s attempt to shift part of the responsibility remains unknown.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Some argued that the statements that appeared on the Facebook page could not have been posted by Kozlovsky, since he was in pre-trial detention at the time.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Experts attributed the WADA incidents, like the Democratic Party hack, to the group Fancy Bear. It is associated with Russian security services, but linked to the GRU rather than the FSB.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Despite media naming Lurk as one of the largest hacker groups in Russia\u2019s history, its scale and threat may be overstated \u2014 one member, Alexander Safonov, described Lurk as largely an ineffective &#8220;gathering of amateurs&#8221;.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">At the same time, he claimed that shortly before the arrest the hackers carried out several breaches together with a more advanced group of specialists who, he says, were recruited by the FSB.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Lurk violated one tacit but important rule \u2014 &#8220;do not operate against Russia&#8221;.<\/span><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><span style=\"font-weight: 400;\">&#8220;In translation to Russian, the phrase means the following: &#8216;do not steal from Russian citizens, do not infect their machines, do not use compatriots to launder money&#8217;&#8221;, explains <a href=\"https:\/\/securelist.ru\/bankovskij-troyanec-lurk-specialno-dlya-rossii\/28708\/\" target=\"_blank\" rel=\"noopener 
noreferrer\">Kaspersky Lab<\/a>.<\/span><\/p>\n<\/blockquote>\n<p><span style=\"font-weight: 400;\">The matter is not about patriotism, but about &#8220;utterly utilitarian considerations,&#8221; ForkLog says, citing Group-IB head Ilya Sachkov. If a cybercriminal operates in the country where he lives, he will be found and jailed quickly.<\/span><\/p>\n<p><em>Author: Alina Saganskaya.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In late October 2020, the Sverdlovsk Regional Court freed Konstantin Kozlovsky from custody \u2014 one of the alleged leaders of the Lurk hacking group, whose activities have been investigated for years by law enforcement and cybersecurity specialists. 
He is accused of stealing more than a billion rubles from Russians\u2019 bank accounts.<\/p>\n","protected":false},"author":1,"featured_media":31927,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[1144],"tags":[1154,1444,27],"class_list":["post-31926","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-longreads","tag-crimes","tag-law-enforcement","tag-russia"],"aioseo_notices":[],"amp_enabled":true,"views":"53","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/31926","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=31926"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/31926\/revisions"}],"predecessor-version":[{"id":31928,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/31926\/revisions\/31928"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/31927"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=31926"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=31926"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=31926"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}