Koobface unmasked: A modern Bulgarian detective story

Jan 31, 2012
One Comment

There’s not a lot of good detective stories in the world these days. Whether in real life or in the movies, they seem to have been overshadowed by car chases, explosions and government-wide conspiracy stories.

That’s why I was delighted to stumble on the story of Dancho Danchev, a Bulgarian cybersecurity researcher and how he unmasked the identity of a gang of  of Russian scam artists responsible for the Koobface (an anagram of Facbook) botnet, which infected some 800,000 computers over a several-year period and made $2 million for the gang, according to the Telegraph.

I first found the story through a great interview in Deutche Welle, where Danchev explains how he did it:

“…it took me some efforts to do this. I’ve been following them for 2.5 years. This guy, the leader, his name is Anton Nikolaevich Korotchenko, but his online nickname is Krotreal. But he made a mistake. He registered a domain using his personal e-mail address, and left it in the command-and-control structure of the botnet, which I was monitoring at the time.”


Danchev goes into more detail on his personal blog on how he was able to track down more of Korotchenko’s personal info, including photos and social network accounts.

Danchev was not secret about his pursuit of the group.  His blog reads like a serialized account of his detective work–a Dr. Watson to his Sherlock Holmes-like research.  At one point though, word must have gotten back to Koobface because the group started taunting him.  At one point they responded to Danchev’s post “10 things you didn’t know about the Koobface gang” by making a point-by-point response in a message to infected users.

Not everyone was happy about Danchev’s very public release of the info.  According to an article in PC World, the FBI and other security researchers had also already been on the trail of the group for a while but were keeping quiet about their progress so as to not scare the criminals into hiding. Though once Danchev published his blog article on Korotchenko, another security group tracking the Koobface went ahead and also published their report. One of the report’s authors told PC World that he worried whether Danchev’s leak of information harmed the investigation.

In mid-January, Facebook went ahead and also released all the info they had on the group, prompting the five to take down their server and start deleting their social media profiles, according to ZDNet. However, none has yet to be arrested.

For now, they’ve gotten away and, in the spirit of any good detective story, those of us following are left with a  bit of a cliff-hanger.

Guess we’ll have to wait for the next episode to find out what happens next.

Photo courtesy Flickr user dynamosquito

About the Author

Joshua Boissevain

Joshua Boissevain is a research associate and editorial assistant at Transitions Online. He's also a freelance journalist and photographer based in Prague. Find him on twitter at @joshboissevain.
  • Twitter feed loading...