Message left on Infraud forum

The US Department of Justice (DOJ) has charged 36 suspects for their role in Infraud, a cyber-criminal organization that has been involved in the acquisition, sale, and dissemination of stolen identities, stolen debit and credit card data, personally identifiable information (PII), financial and banking information, computer malware, and other.

Of the 36 suspects, the DOJ says law enforcement agencies across seven countries have already arrested 13 individuals.

Authorities crack down on Infraud carding portal

According to a DOJ indictment, the suspects ran or frequented an underground forum named Infraud, previosuly located at infraud[.]cc and infraud[.]ws, but moved to new, more secretive URLs since its creation, in October 2010.

Investigators say the forum was a common meeting place for cyber-criminals peddling stolen credit/debit card information obtained by breaching the online servers of various companies, or via PoS or ATM malware.

The Infraud forum evolved across the years from a basic "carding forum" for dumping "fullz" to a central hub where many cyber-criminals involved in online fraud met to exchange or learn new techniques, advertise their own carding shops, or sell adjacent hardware (equipment), software (malware), or services that aided other cyber-criminals.

Infraud forum had a strict hierarchy

Infraud had a similar members hierarchy seen on Dark Web marketplaces such as AlphaBay or Hansa Market, with administrators (4DMini57r470rz), super-moderators (Super
MODER470R5), and moderators (M0d3r4
70r2) ruling over regular users such as vendors (known as Professors or Doctors), VIP members (Fratello Masons), and regular members (Phr4Ud573r).

Each user category had a strict set of rules it needed to abide by. Access to the Infraud community and all its benefits was restricted to only manually-approved users, with administrators regularly removing inactive users or members who violated community rules.

The Infraud's community's leader was a man named Svyatoslav Bondarenko ("Obnon," "Rector," "Helkern,") 34, of Ukraine, which was also an administrator of the now-defunct carding forum.

The other 35 suspects charged by the DOJ, varying from moderators to lowly users, include:

Amjad Ali aka “Amjad Ali Chaudary,” aka “RedruMZ,” aka “Amjad Chaudary,” 35, of Pakistan;
Roland Patrick N’Djimbi Tchikaya aka “Darker,” aka “dark3r.cvv,” 37, of France;
Miroslav Kovacevic aka “Goldjunge,” 32, of Serbia;
Frederick Thomas aka “Mosto,” aka “1stunna,” aka “Bestssn,” 37, of Alabama;
Osama Abdelhamed aka “MrShrnofr,” aka “DrOsama,” aka “DrOsama1,” 27, of Egypt;
Besart Hoxha aka “Pizza,” 25, of Kosovo;
Raihan Ahmed aka “Chan,” aka “Cyber Hacker,” aka “Mae Tony,” aka “Tony,” 26, of Bangladesh;
Andrey Sergeevich Novak aka “Unicc,” aka “Faaxxx,” aka “Faxtrod” of the Russian Federation;
Valerian Chiochiu aka “Onassis,” aka “Flagler,” aka “Socrate,” aka “Eclessiastes,” 28, of Moldova;
John Doe #8 aka “Aimless88;”
Gennaro Fioretti aka “DannyLogort,” aka “Genny Fioretti,” 56, of Italy;
Edgar Rojas aka “Edgar Andres Viloria Rojas,” aka “Guapo,” aka “Guapo1988,” aka “Onlyshop,” 27, of Australia;
John Telusma aka “John Westley Telusma,” aka “Peterelliot,” aka “Pete,” aka “Pette,” 33, of Brooklyn, New York;
Rami Fawaz aka “Rami Imad Fawaz,” aka “Validshop,” aka “Th3d,” aka “Zatcher,” aka “Darkeyes,” 26, of Ivory Coast;
Muhammad Shiraz aka “Moviestar,” aka “Leslie” of Pakistan;
Jose Gamboa aka “Jose Gamboa-Soto,” aka “Rafael Garcia,” aka “Rafael101,” aka “Memberplex2006” aka “Knowledge,” 29, of Los Angeles, California;
Alexey Klimenko aka “Grandhost,” 34, of Ukraine;
Edward Lavoile aka “Eddie Lavoie,” aka “Skizo,” aka “Eddy Lavoile,” 29, of Canada;
Anthony Nnamdi Okeakpu aka “Aslike1,” aka “Aslike,” aka “Moneymafia,” aka “Shilonng,” 29, of the United Kingdom;
Pius Sushil Wilson aka “FDIC,” aka “TheRealGuru,” aka “TheRealGuruNYC,” aka “RealGuru,” aka “Po1son,” aka “1nfection,” aka “1nfected,” 31, of Flushing, New York;
Muhammad Khan aka “CoolJ2,” aka “CoolJ,” aka “Secureroot,” aka “Secureroot1,” aka “Secureroot2,” aka “Mohammed Khan,” 41, of Pakistan;
John Doe #7 aka “Muad’Dib;”
John Doe #1 aka “Carlitos,” aka “TonyMontana;”
David Jonathan Vargas aka “Cashmoneyinc,” aka “Avb,” aka “Poony,” aka “Renegade11,” aka “DvdSVrgs,” 33, of San Diego, California;
John Doe #2;
Marko Leopard aka “Leopardmk,” 28, of Macedonia;
John Doe #4 aka “Best4Best,” aka “Wazo,” aka “Modmod,” aka “Alone1,” aka“Shadow,” aka “Banderas,” aka “Banadoura;”
Liridon Musliu aka “Ccstore,” aka “Bowl,” aka “Hulk,” 26, of Kosovo;
John Doe #5 aka “Deputat,” aka “Zo0mer;”
Mena Mouries Abd El-Malak aka “Mina Morris,” aka “Source,” aka “Mena2341,” aka “MenaSex,” 34, of Egypt; and
John Doe #6 aka “Goldenshop,”aka “Malov.”

Infraud group structure

The DOJ indictment suggests members didn't know each other's real names and retained anonymity when doing business with each other.

Arrests were made in Australia, France, Italy, Kosovo, Serbia, the UK, and the US. Law enforcement agencies from Albania and Luxembourg also participated in the investigation.

The Infraud organization's name came from its forum motto: In Fraud We Trust! The law enforcement operation to take down Infraud was named Operation Shadow Web.