
Cybercrime: Saul Goodman to the Russian GRU – Krebs on Security


In 2021, the famous Russian cybercrime forum Mazafaka was targeted by hackers, leading to the exposure of the forum’s founders. This major security breach revealed that one of the brains behind the forum was an attorney who provided legal advice to some of Russia’s top hackers and had also served as an officer in the special forces of the GRU, the foreign military intelligence agency of the Russian Federation.

The forum, which was initiated in 2001 under the tagline “Network terrorism,” evolved into one of the most protected Russian-language cybercrime communities. At its peak, the forum’s member roster consisted of an elite group of top Russian cybercriminals, and it also hosted sub-forums dedicated to a wide range of cybercrime specialities, including malware, spam, coding and identity theft.

An analysis of the leaked Mazafaka database revealed that the user information posted online was not a typical database file. It was meticulously edited, redacted and restructured, causing a degree of uncertainty regarding the earliest users of the forum. The original Mazafaka was known to have been established by a hacker using the pseudonym “Stalker.” However, the member bearing the lowest numbered (non-admin) user ID in the Mazafaka database was an individual using the handle “Djamix,” and the email address djamix@mazafaka[.]ru.

Djamix was an active and influential member of the forum, with posts that included legal analyses of public cases involving hackers arrested and charged with cybercrimes in Russia and other countries. He often advised fellow members on the legal risks of engaging in cybercrime and strategies to evade law enforcement. Stalker, the forum’s original creator, credited Djamix with being an essential member of Mazafaka and regarded him as a driving force in keeping the community alive.

Further investigation into Djamix’s background revealed that the email address djamix@mazafaka[.]ru had been used to register at least 10 domain names since 2008, including websites relating to life in Sochi and Adler, Russia. Information linked to this email address also led to the discovery of a Facebook account belonging to an Aleksei Safronov from Sochi, with his profile indicating that he had a strong connection to the military and had been associated with the Russian special forces.

Aleksei Safronov’s domain, uposter[.]ru, was found to be connected to accounts on discussion forums relating to career preparation for a position in the Guardia Civil, one of Spain’s national police forces. This newfound information created more questions regarding Safronov’s involvement in both military and legal activities.

Furthermore, it was uncovered that the ICQ number assigned to Djamix in the Mazafaka user database was the same as the ICQ number listed on Safronov’s Facebook profile. Photos on his Facebook account also showed Safronov dressed in military attire featuring insignia associated with the Spetsnaz GRU, a special forces unit of the Russian military.

The Russian military intelligence agency, the GRU, has been implicated in numerous aggressive intelligence operations, including cyberattacks, disinformation and propaganda operations, and interference in the 2016 U.S. presidential elections. Therefore, it is speculated that Safronov’s role in the GRU may have connected him to the Russian cybercrime communities, contributing to the intelligence agency’s efforts.

Mark Rasch, a former cybercrime prosecutor for the U.S. Department of Justice, suggested that a close relationship between the GRU and the Russian hacker community has long existed. He hypothesized that Safronov’s significant ties to the Russian cyber community may have been beneficial for intelligence services, allowing him to monitor or infiltrate the community for the GRU.

The intricate connections revealed by the leaked Mazafaka database have opened a window into the interplay between cybercrime, legal expertise, and military intelligence in Russia, shedding light on the complex and evolving nature of modern-day cyber warfare. However, Safronov’s precise role within these domains remains shrouded in mystery, leaving much to be unraveled and understood regarding the intersection of cybercrime and state intelligence in the digital age.
