How the feds caught a notorious credit card fraudster
The U.S. government announced on Wednesday that it had dismantled “Try2Check,” a credit card checking operation that allowed cybercriminals involved with the bulk purchase and sale of stolen credit card numbers to see which cards were valid and active.
Department of Justice prosecutors confirmed the indictment of Russian citizen Denis Gennadievich Kulkov, who is suspected of creating Try2Check in 2005. Kulkov is said to have made at least $18 million in bitcoin from the service, which not only victimized credit card holders and issuers, but also a prominent U.S. payment processing firm whose systems were exploited to conduct the card checks.
Try2Check took advantage of the unnamed company’s “preauthorization” service, whereby a business — such as a hotel — requests that the payment processing firm preauthorizes a charge on a customer's card to confirm that it is valid and has the necessary credit available. Try2Check impersonated a merchant seeking preauthorization in order to extract information about credit card validity.
In November 2018, the FBI and the U.S. Secret Service used an undercover online persona to load bitcoin into a Try2Check account. An agent then logged into that account and ran 20 newly created credit card numbers through Try2Check’s card checking system. These transactions appeared in the systems of the U.S. payment processing firm as if they were submitted by U.S. merchants for preauthorization, and contained unique identifying numbers corresponding to real merchants.
Not only did these transactions reveal the inner workings of Try2Check, but also the vast scale of the operation: The same IP addresses used to submit the credit card numbers for preauthorization had collectively submitted over 16 million credit card numbers for preauthorization over nine months between April and December 2018.
According to prosecutors, Try2Check processed at minimum tens of millions of card numbers every year.
While this undercover operation revealed the scope of Try2Check’s activity, uncovering the person behind it all was far more arduous. The FBI and U.S. Secret Service confirmed they had been investigating the service since 2013.
A photo of Denis Gennadievich Kulkov, the main suspect in the Try2Check credit card scheme, as pictured on a U.S. government "wanted" photo. Image Credits: State Department.
The decade-long probe largely centered around tracking Kulkov’s various online personas. For example, reviews of the Internet Archive revealed that the early versions of the Try2Check website, then known as “just-buy.it”, contained the name “Kreenjo” in its logo. At the same time, feds discovered that “Kreenjo” was also the name of a user who posted on internet forums frequented by cybercriminals.
In 2006, for example, a user named Kreenjo offered credit card checking services on an online cybercrime forum. The signature of the message contained the URL “check.just-buy.it,” which was a web address where Try2Check could be accessed at that time.
U.S. investigators continued to track the online presence of Kreenjo, who also went by the aliases of “Nordex” and “Nordexin”; the former had identified himself as “Denis from Samara,” a city in southwestern Russia, in messages sent to forum users, while the Nordexin moniker was discovered in records obtained from a unnamed crypto exchange.
These records showed that the registered user for that account supplied his passport, revealing the name “Denis Kulkov,” an address in Samara and an email address, referred to as “Nordexin Platform-1,” which ultimately unmasked Kulkov as the man behind the now-notorious Try2Check service.
Evidence linking Kulkov to Try2Check continued to grow: Travel documents obtained from Marriott International that linked Kulkov’s identity to the passport used to open his cryptocurrency account and images matching his passport photo were found on a publicly accessible Instagram profile belonging to “Denis Kulkov, Ferrari owner" and a Foursquare site that had “liked” various businesses in Samara, Russia.
As a result of this mounting evidence, a judge in May 2019 ordered the search of the Nordexin Platform-1 account.
The account contained images of webpages from Try2Check that were not publicly available, including screenshots of the site’s “administrator panel,” and a page that listed the bitcoin balance associated with each Try2Check user. It also contained multiple emails between Denis Kulkov and others, including his wife, who also provided travel documents to the Marriott hotel. One of these emails contained a picture of Kulkov holding up his passport. In another, he attempted to convert his cryptocurrency holdings into fiat currency, asking “What is the maximum amount which will not cause compliance suspicion?”
Ultimately, it wasn’t Kulkov’s attempts to convert his millions in crypto that was his undoing, but rather his failure to cover his sprawling online tracks.
The U.S. Department of State announced a $10 million reward offer for information leading to Kulkov’s arrest or conviction. If convicted, Kulkov faces 20 years’ imprisonment.