
Facebook Unmasks Reputed Koobface Gang Members

The mask protecting the infamous Koobface gang appears to have been yanked down by a mix of Facebook investigators and security researchers.

According to the New York Times, those tracking the worm have identified the following five people as being part of the Koobface crew, which has adopted the name “Ali Baba & 4”: Anton Korotchenko, who uses the online alias “KrotReal”; Stanislav Avdeyko, known as “leDed”; Svyatoslav E. Polichuck, who goes by the names “PsViat” and “PsycoMan”; Roman P. Koturbach, who uses the moniker “PoMuc”; and Alexander Koltysehv, who goes by the nickname “Floppy.”

Members of the gang are believed to be hiding in plain sight in St. Petersburg, Russia. Efforts by the Times to contact the five were unsuccessful.

Graham Cluley, senior technology consultant at Sophos, blogged that the company’s own investigation of the crew uncovered the same five names. He cautioned, however, that the people named have not yet been charged, and that the evidence only links individual names to the aliases being used by the Koobface gang.

The Koobface worm has been the source of much research and speculation since it was first detected back in 2008. The worm, which got its name from an anagram of Facebook, is known for targeting a variety of social networks including MySpace, hi5, and of course, Facebook.

The worm is known for hitting users with pay-per-install malware as well as hijacking search queries to display advertisements. A report from the Information Warfare Monitor initiative in 2010 showed that the crew behind the malware made more than $2 million between June 2009 and June 2010 using pay-per-click and pay-per-install affiliate programs and compromising computers with rogue antivirus.

Just recently, researchers at Trend Micro reported that the Koobface crew designed their own traffic direction system (TDS) to aid in their operations and possibly to offer as a service to others. The gang’s TDS handles all the traffic referred to their affiliate sites, which, combined with new binary components, increases the amount of traffic headed to their TDS and generates a bigger profit.

Facebook did not respond to a request for comment by SecurityWeek on the situation. However, Cluley blogged that Sophos has shared its findings with authorities, and the Times reported Facebook has done the same. According to the Times, Facebook officials believe naming names can make it harder for cyber-crews to operate.

“We’ve had a picture of one of the guys in a scuba mask on our wall since 2008,” Ryan McGeehan, manager of investigations and incident response at Facebook, told the Times.

Written By

Marketing professional with a background in journalism and a focus on IT security.
