The Ukrainian police arrested a man for selling data of over 300M people (securityaffairs.com)
78 points by jruohonen on April 28, 2023 | 28 comments



I haven't visited Ukraine or Russia in 10 years, but back then, you could buy USBs with all kinds of data at flea markets. Moscow would mostly have passport data, including international travelers. Odesa had addresses, job history, and so on.


This has been used countless times by OSINT investigators to out Russia's covert activities, such as Novichok poisonings of Navalny and Skripal, identifying most operatives by cross-referencing e.g. flight record, passport, property and even taxi databases sold in Russia, sometimes overtly and sometimes covertly.


Bill Browder's Red Notice[0] described using 'street sourced' data like this as their team dug into the illegal shenanigans being done against their company.

[0] https://www.goodreads.com/book/show/22609522-red-notice


Wasn't there a gay couple of assassins, touring Europe's famous churches, poisoning people?


But note that 300M is far beyond the population of Russia.


Yeah, this guy's stash may or may not include any Russian data. What I'm saying is that it's a common problem in eastern Europe, in democratic countries and authoritarian hellholes alike. Just because the Russian state can arbitrarily imprison you forever without any valid reason does not make it capable enough as an organization to securely store even data that can be used to badly hurt its interests.

The Ukrainian state has been "digitizing" by leaps and bounds even before the war, and now it's accelerated further. Everything's moving "to the cloud". They seem to be relatively competent these days, past lessons learned perhaps. But the breakneck pace of moving everything online (far outpacing most western European countries) will surely result in breaches, it's just common sense.


Yet some say Ukraine has been quite successful precisely because of their cloud strategy. Opinions vary, of course.

The original announcement (via a DeepL translation) indicates that also data of EU citizens was involved, so maybe you are on the right track [1].

[1] https://cyberpolice.gov.ua/news/kiberpolicziya-vykryla-zlovm...


Calling it "OSINT" is a stretch when it is state funding and collaboration that enables the firm you are referencing (according to Paul Mason).


Pretty interesting to have leaked data available in flea markets. In Hong Kong only government agencies would have access to leaked data.


Pretty funny that I recall walking in the "pirate shop" area in Hong Kong, and finding multi-thousand pirate copies of American shrinkwrap software, including perfect cover art and sometimes tiny manuals.


Late 90s and early 00s? Those were better times...


I recall Mongkok, 1998. MP3 CDs. Haha.


Well, it is the law enforcement people who sell that data. Sometimes personally.


Not only flea markets. The problem was so ubiquitous that sellers would walk in traffic and sell CDs with data to drivers.


>The man was an administrator of closed groups and channels in the Telegram messenger, where he sold personal data of citizens of Ukraine and the European Union.

>Depending on the amount of data offered for sale, the man demanded from 500 to 2000 dollars.

Sounds like a small fish who downloads known leaks from the darknet and sells it on Telegram.


Among the interesting speculations is how he got access to such data and which countries were affected.

"The man had information on passport data, taxpayer numbers, birth certificates, driver’s licenses, and bank account data."

I suppose this must imply that quite a few governmental services have been breached (or, alternatively, a single big one).


"Art. 362 (Unauthorized actions with information that is processed in computers, automated systems, computer networks or stored on carriers of such information, committed by a person who has the right to access it)"

If that is an accurate translation, seems like he worked for the government.


You'd be surprised how many websites (medical, financial, etc.) are leaking data. E.g., in many, all you need is just to replace your profile id with (id+1) and get another user's data.

Especially if the website owner is located in non-EU or western countries there is basically zero responsibility for this, so no one even bothers to hire a dev that understands these basic security things. The cheaper the better.

I've seen dozens of examples myself without even trying. Imagine what you can get if you spend more than 20 minutes on this.


Sure. Throughout the world, especially hospitals and healthcare seem to be particularly bad at infosec. But regarding this case, I think something like passport data is (or should be) fairly well-protected, which prompts further questions about the hypothetical breaches. Of course, it could as well be an insider case or something similar.

Another point is that Telegram was again involved.


> I think something like passport data is (or should be) fairly well-protected

It's sufficient if you're an EU citizen emigrating or traveling to another EU country. They ask you right and left for a passport, passport scan, over email, hard photocopy. You think you're "privacy conscious" and refuse to provide one? Well you're not getting an apartment, thanks bye. Hell, many HOTELS (encountered at least in Spain, Croatia, Malta) make a SCAN OF PASSPORT. Now for leaking hundreds of passport scans all you need is one bored, ill-treated, poorly paid reception worker.


>I think something like passport data is (or should be) fairly well-protected

It's astonishing how many times I've had to send scans of my passports to formations agents and banks (non-US) as email attachments in recent years. I always had on my mind how much damage could be done with a simple MX record cache poisoning.


> The Ukraine cyber police revealed that the stolen data were also bought by Russian citizens who paid using currencies prohibited in the Ukrainian territory.

What currencies are referred to here?


Likely Rubles. "The issuing and circulation in Ukraine of currencies other than the hryvnia are expressly prohibited by Ukrainian law."

https://bank.gov.ua/en/news/all/zaprovadjennya-obigu-rosiysk...


This seems to state all but local currencies are prohibited. I have first-hand knowledge from 2014-2016, 2020 during covid, as well as after the war, that USD and EUR are commonly used by both people and businesses. And banks. In fact, when I wire cash every couple of months to my friends stuck there, they prefer it in dollars.

So this statement is extremely confusing because it completely contradicts reality and official bank operation there.

BTW, after the 2014 war started, I visited both Kiev and Moscow quite a bit. RUB folded 3x almost overnight after Obama's sanctions. Most well-off people, and the businesses they visit, simply switched to dollars. This did not happen in Ukraine because no one had dollars. What happened instead is that the many Ukrainians who took out bank loans in dollars had their lives destroyed.


Is it me or does Netishyn (the city where the guy was caught, and presumably lived) seem eerily similar to the term "netizen"? ...Or, am I thinking/seeing things on a Friday that are not really there/linked? :-)


[flagged]


Since your profile says “Please help me to understand!” I’ll take a swing:

You’re being downvoted because HN prefers a more substantive discussion on topics than your comment. Security, privacy, currency controls…there are any number of interesting points in this story. A “jank” network setup isn’t one of them.

Probably more importantly the tone is very Reddit-esque.


Okay? Just because people have different ideas of what is relevant doesn't mean it's worth downvoting. It's clearly relevant that someone with such a shitty setup is capable of doing such harm. It doesn't cost any money or competency to be a menace. Also comparing this site to reddit is against the rules if you read them.


I suspect you're being downvoted for being somewhat off topic. Also for commenting on downvotes which is also frowned upon.



