Cyber True Crime: The Affiliate Part 5

Welcome back to Part 5 of the Cyber True Crime series The Affiliate. In past blogs, we covered the history of NetWalker, how a RaaS ransomware gang functions, how Sebastien Vachon Desjardins, or the Affiliate, attempted to hide his criminal activity through international servers, and, in our last blog, the organizations he targeted in his attacks. In this installment, we’ll begin to unravel how the FBI began tracking the Affiliate down through the international servers and his multiple email addresses.

If you missed Part 1, click here.

If you missed Part 2, click here.

If you missed Part 3, click here.

If you missed Part 4, click here.

SERVERS

What does it take to track down a cybercriminal, especially one who uses multiple methods to conceal their identity? Well, like most criminals, it takes making a mistake here or there that helps authorities begin to understand who they are, where they may be operating from and how to catch them.

As we covered in Part 3, the Affiliate made a number of such mistakes. The first mistake he made that helped the FBI begin to track him down was selecting countries to house his international servers that had Mutual Legal Assistance Treaties with the United States.

As FBI investigators continued to research Poland Server #1, they found that, around the times of the attacks on the first two targeted organizations, Poland Server #1 had unauthorized access to their networks. Of the 12 builds found on Poland Server #1, two could be associated with targeted organizations #1 and #2.


It was Poland Server #2 that really helped investigators connect the international servers to the Affiliate and determine his identity. Through the discovery of a file named “2png,” investigators found screenshots of several files, which, according to their metadata, the Affiliate had created or modified around June of 2020.

Poland Server #2 also housed information directly connected to locating the Affiliate. Around June of 2020, Google Chrome’s autofill function showed that the server had saved Vachon Desjardins’ home address in Gatineau, Quebec. Poland Server #2 also contained data on a package Vachon was tracking to his home address, which we’ll come back to later.


The web history data on Poland Server #2 provided details as to when the Affiliate became registered on the cybercriminal forum, Hack Forums, where the position for a NetWalker affiliate had been advertised. This server also linked the Affiliate to two email addresses that were responsible for uploading the data stolen from the third and fourth targeted organizations on the NetWalker Blog.

The Bulgaria Server gave FBI investigators essential insight into the inner workings of the NetWalker ransomware gang. It contained transactional information on other affiliates, such as when they had been active and how many builds they had generated, and showed that the criminal organization had amassed more than $38 million US in ransom payments. The affiliate this series focuses on had been active since April 13, 2020 and was ranked first among affiliates for Bitcoin earned from ransom payments – more than $15 million US. The FBI also believes that he ranks second in number of builds created, with 144 builds.

EMAILS

The Poland Servers housed most of the information needed for connecting the Affiliate with the multiple email addresses used to upload the data of targeted organizations. For the purposes of this blog, we’ll only focus on three email accounts: two using pseudonyms and his personal email featuring his full legal name.

And this is where the Affiliate made a number of small mistakes that ultimately led FBI investigators right to his doorstep.

Around the time that the third organization was targeted by the Affiliate, investigators found that, on Poland Server #1, he was logged into an email account using a pseudonym referencing a moniker used by Gerald Brofloski, a fictional animated character from the TV series South Park. A search warrant for that email account was granted and authorities were able to trace it back to Vachon Desjardins. One of the ways authorities were able to connect the email account to the Affiliate was an email sent from this address to an email address bearing his legal name.

Shortly after the pseudonym account’s creation, the account received an email from the Google store noting that an order the Affiliate placed for a Google Home Mini had been shipped to his home address. FBI officials were able to verify that this was Vachon Desjardins’ home address as it matched the address saved by Google Chrome on Poland Server #2. Under this account the accused had also conducted multiple searches for fast food restaurants near his residence in Gatineau, Quebec, further confirming where FBI officials could find him.


Poland Server #1 also helped FBI authorities identify a third email address that could be traced back to the Affiliate. Google provided information that Vachon had registered an email address under the pseudonym Gerald Brofloski, a major indicator that this was Vachon Desjardins, as he had used the moniker Brofloski uses in his other email account.

In August of 2020, a search warrant was signed and FBI investigators were given access to Vachon Desjardins’ personal email. Unfortunately for the Affiliate, this email account contained personally identifiable information, such as a photo of him holding his Quebec driver’s license. Vachon Desjardins’ personal email account also contained communications from the Banque Nationale du Canada that listed his name and his known address, and a bill from Bell Canada containing similar information.


Additionally, FBI investigators, as recorded in an unsealed document, describe an email sent from Vachon’s personal email account to his government employee email account. The email contained a link to his resume, which stated that he had held positions at Public Works and Government Services Canada since 2010. This matches a claim Vachon had made in 2016 on Hack Forums, under the pseudonym “Syrius01,” that he worked as an IT technician for the Government of Canada. Once the government learned of his side hustle as a ransomware affiliate, his position was terminated.

The Affiliate’s personal email account also linked him to the ransom payment from targeted organization #5.

Stay tuned for Part 6 of The Affiliate where we continue to unravel how Sebastien Vachon Desjardins got caught.

THE MORE YOU KNOW

Understanding what motivates criminals, who they are and how they work is a vital part of building a more resilient organization. It helps make cybersecurity more real for everyday people and helps individuals and organizations develop plans to better protect themselves from cyber threats. Please consider sharing this series to help more people understand 21st-century crime and how to protect themselves.