Facebook Unmasks Reputed Koobface Gang Members

The mask protecting the infamous Koobface gang appears to have been yanked down by a mix of Facebook investigators and security researchers.

According to the New York Times, those tracking the worm have identified the following five people as being part of the Koobface crew, which has adopted the name “Ali Baba & 4”: Anton Korotchenko, who uses the online alias “KrotReal”; Stanislav Avdeyko, known as “leDed”; Svyatoslav E. Polichuck, who goes by the names “PsViat” and “PsycoMan”; Roman P. Koturbach, who uses the moniker “PoMuc”; and Alexander Koltysehv, who goes by the nickname “Floppy.”

Members of the gang are believed to be hiding in plain sight in St. Petersburg, Russia. Efforts by the Times to contact the five were unsuccessful.

Graham Cluley, senior technology consultant at Sophos, blogged that the company’s own investigation of the crew uncovered the same five names. He cautioned, however, that the people named have not yet been charged, and that the evidence only links individual names to the aliases being used by the Koobface gang.

The Koobface worm has been the source of much research and speculation since it was first detected back in 2008. The worm, which got its name from an anagram of Facebook, is known for targeting a variety of social networks including MySpace, hi5, and of course, Facebook.

The worm is known for hitting users with pay-per-install malware as well as hijacking search queries to display advertisements. A report from the Information Warfare Monitor initiative in 2010 showed that the crew behind the malware made more than $2 million between June 2009 and June 2010 using pay-per-click and pay-per-install affiliate programs and compromising computers with rogue antivirus.

Just recently, researchers at Trend Micro reported that the Koobface crew designed their own traffic direction system (TDS) to aid in their operations and possibly to offer as a service to others. The gang’s TDS handles all the traffic referred to their affiliate sites; combined with new binary components, it increases the amount of traffic headed to their TDS and generates a bigger profit.

Facebook did not respond to a request for comment by SecurityWeek on the situation. However, Cluley blogged that Sophos has shared its findings with authorities, and the Times reported Facebook has done the same. According to the Times, Facebook officials believe naming names can make it harder for cyber-crews to operate.

“We’ve had a picture of one of the guys in a scuba mask on our wall since 2008,” Ryan McGeehan, manager of investigations and incident response at Facebook, told the Times.