
Interview with the ‘Vampire’: Is Eurasian Hacker Rap a New Front in Cyber-Threat SIGINT Collection?

While cyber-threat intelligence organizations like Intel471 and “dark web ninjas” like Gemini Advisory actively scan underground hacker forums for cybercriminal SIGINT like data breaches, new attack vectors, and money-laundering plugs, an unconventional, new front for analyst collection may have emerged: Eurasian rap music. Really.

Just as heavy metal tempested the cultural “winds of change” that demolished the Berlin Wall and propelled pro-kleptocracy Western ideals throughout the former Soviet Union over 20 years ago – in misty-eyed retrospect – the exploding popularity of ‘drift phonk’ and other rap genres suggests that urban, black American music may be seeding and ciphering a new subculture of young, upstart Eurasian cybercriminals.

Far from the shadowy, hooded incels depicted in virtually every hackneyed hero image that backdrops cybercrime news headlines, bona fide “cyber-Vors” like Maksim “AQUA” Yakubets, the dapper, 34-year-old kingpin of hacker gang Evil Corp, embody the modern Eurasian cybercriminal PWNtrepreneur.

A Ukrainian national who now resides in Russia and enjoys the protection of the Federal Security Services (FSB), Yakubets rocks five-thousand-dollar, designer suits, drives latest-model, custom-camo-painted Lambos, and generally slays. Even his wife is relatively hot.

Evil Corp kingpin Maksim “AQUA” Yakubets’s wanted poster, source: Department of Justice

A twinkish “Titanic”-era Leo could literally play dude in a movie. But naturally, Hollywood being Hollywood would predictably apply the compulsory revisionist “gaze” it has become so legendary for and mandate inclusive casting decisions to ensure that AQUA’s Evil Corp was sufficiently diverse, with priority consideration for the newly discovered 700 genders and pronoun identifiers that have revolutionized everything we thought we knew about mammalian biology in just the last few years.

Netflix producers could also perhaps cast that sassy, “unapologetically” Latina, “mija you are worth it,” reigning and dynastic TB12-repeating CIA diversity award winner from the agency’s stereotype-shattering recruitment video as AQUA’s chief confidante. Tactically, this would be analogous to a Hunter Biden-styled, Burisma board-seated “Fuck you to Putin,” and the authoritative, anti-Kremlin PsyOps coup of my generation – at a minimum.

Meanwhile, AQUA’s baller lifestyle has presumably been financed with the lion’s share of the reported $100 million he and his merry gang of cyber-bandits have stolen and muled from businesses and consumers. Examining supporting, hip-hop-sample-laced music subcultures that have remixed the TOR-routed catacombs of the Eurasian dark web, Rolling Stone recently introduced the world to the emergence of so-called drift phonk electro-rap collectives like LXST CXNTURY, Kaito Shoma, and Pharmacist in Russia.

Subgenres like these are increasingly becoming tantamount to a Morricone-cinema score for an upwardly mobile generation of modern cybercriminals like AQUA and the emerging zoomer ransomware actors and carders who are “creepin’ on the come up” like Bone was in the 90s. The ecstasy of crypto-gold indeed if you look at the $416-plus million ransomware operators minted last year, according to blockchain intelligence (BlockINT) firm Chainalysis data.

The Good, The Bad And The Ugly, Original Motion Picture Soundtrack; source: Universal Music Group

‘Vory Romantika’ and the Moscow Drift

This new wave of experimental drift phonk producers has achieved viral fame by fusing electronic music with Three 6 Mafia bars and hooks, along with those from other largely unknown Southern Memphis rap acts from the 90s. LXST CXNTURY’s latest EP, “Draw Hydra”, which was released this past February, even appears to evoke Hydra, the premier Russian darknet market (DNM), in its album title and cover art.

LXST CXNTURY’s “Draw Hydra” EP album cover, source: SoundCloud

Representatives for LXST CXNTURY did not respond to multiple requests for comment sent over Instagram DM seeking clarification on any possible titular allusion to Hydra DNM. Hydra also happens to be the largest DNM in the world in terms of the crypto transaction volumes it processes today, accounting for 75 percent of the $1.7 billion DNM crypto-flows identified by Chainalysis last year.

This vertically integrated market put its predecessor, RAMP, out of business and mints most of its turnover supplying the booming regional market for synthetic drugs like bath salts and Flakka, a psychosis-inducing, zombie-apocalypse, face-eating concoction that also happens to be the official state drug of Florida.

In fact, recent opinion polls have even shown that Alpha-PVP, Flakka’s chemical name, currently enjoys a higher approval rating in Florida than the COVID-19 “Bill Gates ‘Mark of the Beast’ Vaccine,” as the latter is colloquially referred to in the Sunshine State.

Florida-grade, Organic Alpha-PVP Psychotropicana Goodness; source: Hydra DNM

As for Hydra, word on the street is that ‘Uncle Vova’ is alarmed about the rising use of novel synthetic drugs by Russian youth, not to mention the amount of heat this DNM is generating for Russian organized crime.

As such, a Kremlin-orchestrated shake-up of Hydra’s management may be imminent. That’s just what Shadow Banker heard, but it goes without saying that he’s not as well-sourced as experts like Chainalysis’ ‘HBSinCharge,’ nor the cyber-sleuths at Flashpoint.

Clandestine DNM chatter aside, yet another group of Russian rhymers, like Plinofficial and Truetnya, have taken the traditional ‘blatnaya pesnya,’ or thug folklore, genre of music that first emerged in the 19th century, and transposed it into modern, regional hip-hop.

While the blatnaya pesnya genre initially arose as jail-house protest ballads performed by czarist and Bolshevik political prisoners, it wasn’t until after Stalin’s death that this artform took hold over mainstream Soviet culture.

In fact, famed blatnaya pesnya balladeer Grigory Lepsveridze, who performs as Grigory Leps, and who was blacklisted by the Treasury in 2013 for his ties to the Bratski Krug, or Brothers Circle, a term that refers to the Russian mafia’s senior board of directors, is rumored to be Vladimir Putin’s favorite singer, according to Los Angeles Times reports.

Putin’s favorite raconteur, Grigory Leps

The romanticization of outlaws and bandits, which has long been a staple of Russian society, given the serfs’ and working classes’ deep-rooted distrust for ruling power structures since the era of feudalism and the czars, is the prevailing theme in the blatnaya genre. It follows that this style of music inherently evokes comparisons to American ‘gangsta rap.’

Given the proliferating transnational threat posed by organized Eurasian cybercrime, however, comparisons to certain Mexican drug trafficking organizations – which have used Movimiento Alterado-crooned narcocorridos to communicate their own ciphered inter-cartel messages, according to one decade-old, law enforcement intelligence bulletin – may be even more apropos.

2012 California State Threat Assessment Center Note on Mexican DTOs using original songs to communicate messages, source STAC

Regardless, certain Russian cyber-vory-romantika rappers may also be lacing their ‘bars’ with clues that could help cyber-sleuths crack capers and attribute attacks to the threat actors that PWNd them. That is if they can access the tracks chronicling their ‘exploits.’

Who Did the Rhyme, Did the Crime

PlinOfficial debuts his last album cover before his March 2020 arrest, source: Facebook

Shadow Banker first gleaned this insight a year ago when they reported on the March 2020 arrest of QQAAZZ cyber-laundering-gang-affiliated Russian rapper Maxim ‘Plinofficial’ Boiko by the Federal Bureau of Investigation in Miami.

According to the FBI affidavit filed before the rapper’s arrest, the discovery of Boiko’s personal email account within a seized database of users from the rogue Russian crypto-exchange BTC-e helped the Bureau build its case against the rapper.

Music videos for Plinofficial songs like “Night High” also glorify cybercriminal culture, with one shot depicting a hooded man using a laptop to hack into and steal a BMW in a parking garage. Then, following the March Sky ECC cryptophone bust, Shadow Banker connected with a prolific Serbian hacker who goes by the handle “Tito” and who proclaims himself to be “one of the most reputable users” on the Dread darknet forum.

Tito tipped off this reporter to another Eurasian rhymer who raps under the moniker, “Vampire.” As an aside, this hacker’s self-praise is not without merit. Dude is so solid, he literally ‘cards’ the cryptophone companies, which may not be the safest thing to do considering the “scary people” who reportedly operate many of them, as several industry insiders have alleged.

But this guy’s carding skills are so expert-level that he inspired this blog post authored by Scottish cryptophone-maker Omerta Digital, titled “DEBIT & CREDIT CARDS NO LONGER ACCEPTED – CYBER CRIMINALS RUIN IT FOR EVERYONE.”

Interview with the Vampire

Vampire advertising his services on Verified forum, source: Verified

In any event, Vampire is a rapper who is “very big in Eastern European cybercrime scene,” said Tito. “Many hackers paid him to make on order songs about their hacks.” The Omerta-carder also noted that Vampire frequently posts and advertises his songwriting services on popular hacking forums like Exploit, Verified, and Damagelab. Vampire’s posts can also be found on the XSS.IS hacker forum.

Shadow Banker found Vampire’s profile on music-sharing app SoundCloud, where he has posted about a dozen, original, public tracks, some of which are named after notorious Russian hackers and carders like Basterlord, Manu, Lalartu, Everyone, and Jastfank, along with ransomware crews like REvil. Other songs are named after the above-mentioned hacker forums.

Shadow Banker connected with Vampire in April and the rapper agreed to an interview after Shadow Banker assured him, he’s “not a cop/Fed.” “I have nothing to worry about, I’m clean before the law,” said Vampire.

The rhymer said he grew up in Ukraine. “In my childhood I’ve really dreamed to be a hacker,” said Vampire. “My parents didn’t have money for such a luxury and, of course, there was no Internet in my small town.” The rapper also said he gained access to computers via private Internet clubs.

“Exactly there, I found out something about the darknet,” he said. His dark-web rap career all started in the beginning of 2019, said Vampire, when his close friend said, “you’re a talent, why don’t you try to make songs to order?”

“Hard times were around me and it was hard to believe in the future. Without any doubts, I chose the darknet as a platform for development of my talent,” said the rapper.

Early Beginnings

At first, Vampire registered on the Russian Verified forum, one of the most trusted and enduring cybercrime forums on the web, he recalled. However, he was blocked from creating a topic because he had neglected to pay the $50 membership upgrade fee mandated by the forum to be able to post threads, said Vampire.

“After that, I registered on another forum and posted there my song, “Mech” (Sword in English) as an example for listeners. And that night INC, the admin from Verified, wrote to me, saying he liked the song. In the morning, he unblocked my account and gave me a topic for free.”

“And it all started. I’ve started learning to write lyrics. I didn’t sleep, I’ve noticed everywhere words to song, phrases, even when I was driving. Some other songs I wrote are “The Fifth Power” (Пятая власть) Manu, and many private songs,” said Vampire.

“I wrote songs about them [hackers], their organizations, to their wives, their children, as a gift for their birthday, for the New Year – there have even been two or three orders from one customer.” The rapper said, “all my songs are written on real events that have been and are happening now in the darknet. Many people write me in private messages with gratitude, as many do not want to show their nicknames on the forums with reviews, and I’m not going to show them!”

“There are also many private songs, and I don’t know their customers, maybe these are the people you are asking about. At the beginning, it was difficult for me, because I did not understand the meanings of words, special words, and terms that they are using on the darknet. I read and studied this side of life, their life, during long days and nights.”

“And, as it turns out, there are a lot of good and cool guys there,” said the rapper, expressing gratitude. The rapper also noted that he keeps his rap act a secret from his friends and relatives. “No one knows I am doing this,” he said. The lone exception to this rule is the rapper’s sister. “You can hear her voice in choruses often and in different parts of songs.”

The rapper recalled one particularly harrowing interaction he had with one underworld customer who invited him to play a game of ‘Durak,’ or ‘fool’ in English, a popular Russian card game predicated on players ridding themselves of all 36 cards they are initially dealt to win, or more specifically, not to lose. At the game’s conclusion, the last player still holding cards is the fool.

But this customer’s proposition entailed an especially high-stakes game of Durak, said Vampire. “He offered $250,000 if he lost, and if I lost, my life. And he was one-hundred-percent not joking.”

Established Rep

As his reputation on the cybercrime forums grew from his initial posts in early 2019, “people on the darknet offered help, they proposed their help as much as they could in any situation. They said I could ask for help any time,” Vampire said.

These hackers have even “proposed different jobs, but for some reason, I’ve abstained,” said Vampire. “I was surprised and, to tell the truth, and shocked, how these people fell in love with me and my music.”

The rapper said he even had a “few invites for private concerts from serious darknet personas, (nicknames the rapper is keeping secret). These locations were in other countries, and flights were impossible because of COVID-19.”

Scanning the Verified forum, evidence of Vampire’s growing clout on the dark web is palpable. On July 3rd 2019, user “oxx2235” wrote, “Now I want to hear from you thug folklore in the style of Truetnya. I feel you can do it at the level!” Truetnya is one of the most popular performers in the Russian vory-romantika rap genre.

“I am not one of them, but in my songs, I feel that I am like they are,” he explained. “I came to the darknet to change history and tell the story of the Fifth Estate (fifth power), about the strongest minds on the planet,” he said.

“These songs will forever stay in history, in the history of the world which I call the city “VARAVAN,” quoth the Vampire. The rapper clarified that Varavan is a fictional city that he invented, derived from the Russian word, “vor,” which translates into ‘thief.’ Varavan is thus, like San Francisco, the mythical city of thieves.

To date, the rapper said he has written 25-to-30 songs. Vampire’s public songs can be found here – and he solicits Bitcoin donations too. The private tracks, however, remain safely out of reach from the long arm of American cyber-sleuths hoping to “find, fix and disrupt hacking groups,” as former CIA Russian Chief of Station Daniel Hoffman suggested on a Fox Business news segment last month, in response to REvil’s ransomware attack on Miami-based IT firm Kaseya over Independence Day weekend.

So, it remains to be seen if the most hardened elements of U.S. intelligence, envisioning their own brand of offensive and even kinetic “advanced persistent threat” operations, with literal boots on the ground on Russian territory, will ever get the right signal to black-site the highest-priority targets in a rapidly evolving cyber-war.