While identifying FSB agents reportedly involved in Alexey Navalny’s Novichok poisoning, international investigation group Bellingcat revealed today how deep and worrying are the implications of Russia’s data black market.
Bellingcat’s work on the Navalny case originated from a previous investigation into Russian chemical weapons projects. Call metadata were analyzed for the telephone numbers used by two executives of SC Signal, an entity “involved in the development of new variants and application methods for nerve agents.”
Bellingcat found that these two executives had communicated with one of the FSB operatives reportedly involved in Navalny’s poisoning, as well as with his superiors, in the months preceding the event.
“With this information, we started our search, eventually finding a team of FSB officers and chemical weapon experts who had trailed Alexey Navalny since 2017.”
For example, Bellingcat used leaked air booking databases to identify FSB agents who travelled across Russia to track Navalny and make attempts to kill him.
“Much of the information we used for our investigations could never be found in most Western countries, but in Russia, is readily available either for free or a fairly modest fee,” notes Bellingcat.
“A few hundred euros could — and does — provide you with months of phone call data for an FSB or GRU officer, allowing investigators to trace the intelligence services’ operations, identify the colleagues of research targets, and follow the physical tracks of spies across Russia and abroad.”
Porous data protection measures
Do Russia’s demanding personal data laws exist only on paper? Bellingcat believes “Russian email services, such as Mail.ru and Rambler, and social networks, such as Vkontakte, are far less secure and privacy-focused than their Western equivalents, leading to frequent data leaks and robust search functions.”
Thus, “it only takes some creative Googling (or Yandexing) and a few hundred euros worth of cryptocurrency to acquire telephone records with geolocation data, passenger manifests, and residential data.”
This market to buy and sell data is thriving, generally involving “low-level employees at banks, telephone companies and police departments.” By manually fetching this data, and providing it to resellers or direct to customers, these wrongdoers may be caught and face criminal charges.
Meanwhile, automated services either within websites or through bots on Telegram provide other batches of records, “circumventing the necessity of a human conduit to provide sensitive personal data,” notes Bellingcat.
“For example, to find a huge collection of personal information for Anatoliy Chepiga — one of the two GRU officers involved in the poisoning of Sergey Skripal and his daughter — we only need to use a Telegram bot and about 10 euros. Within 2-3 minutes of entering Chepiga’s full name and providing a credit card via Google Pay or a payment service like Yandex Money, a popular Telegram bot will provide us with Chepiga’s date of birth, passport number, court records, license plate number, VIN number, previous vehicle ownership history, traffic violations, and frequent parking locations in Moscow,” says Bellingcat, providing a sample of the baseline information provided.
It cannot be ruled out that western secret services lent a helpful hand to Bellingcat in the course of their daunting investigation into Navalny’s poisoning. But the existence of a huge black data market in Russia is undeniable.
In May 2019, BBC journalist Andrey Zakharov already published an in-depth investigation of the matter. He was able to purchase his own passport file for about 2,000 rubles ($31 at that time) from a data seller on an online forum. He could also purchase accurate phone records for both himself and a family member for less than 10,000 rubles ($150).
Citing cyber-security experts, the BBC journalist concluded: “Vast quantities of supposedly private data – including from Russian state institutions – are bought and sold every day. Private detectives, scammers or just jealous husbands can search illegal forums online and order the services of a hacker to give them an almost limitless supply of personal data.”
As Navalny notes sarcastically, much credit for the extravagant development of this black market is due to Russian lawmaker Irina Yarovaya, a fierce supporter of President Putin.
In 2016, Yarovaya authored Russia’s ‘Big Brother law,’ which requires Internet and telcos to store massive amounts of data. This legislation created the objective basis for Russia’s data black market to develop at an unprecedented scale.
