
EstDomains: A Sordid History and a Storied CEO

In this second part of an ongoing investigation into the notorious Web site host and domain name registrar EstDomains Inc., Security Fix examines the company's history, the legacy of its current chief executive, and its future prospects.

The "Est" in EstDomains is a nod to the company's origins: It was founded in Tartu, the second largest city in Estonia (although the corporation is officially registered in Delaware). The chief executive of EstDomains is 27-year-old Vladimir Tsastsin, pictured below.

Tsastsin also is named as the head of Rove Digital, a company that appears to encompass a domain auction service named Bakler.com, and a recently launched Web traffic-shaping service called Zmot.

[Photo: Vladimir Tsastsin]

It seems Mr. Tsastsin has a rather colorful past, and is no stranger to organized crime. According to the local court and news media, he was recently sentenced to three years in an Estonian prison after being found guilty of credit card fraud, document forgery, and money laundering.

A Feb. 6 story from Eesti Päevaleht -- "Estonian Daily," one of Estonia's two major dailies -- explains the backstory. I couldn't find any version of this story that had ever been published in English, so I had it professionally translated by Koit Ojamaa, a former Estonian citizen who now lives in the Washington, D.C. area.

Mr. Ojamaa translates:

Tartu County Court just found a man working as the acting manager of an IT company guilty of entering illegal data into card payment systems of Internet stores for the purpose of material gain, creating forged documents, using forged documents, and money laundering.

The court sentenced 27-year-old Vladimir Tsastsin to three years of imprisonment, of which 6 months and 11 days must be served, according to the Tartu County Court press office.

Since Tsastsin already spent that much time in pretrial detention, it will be counted as time served.

The remaining time was suspended with parole for three years beginning from the time of sentencing.

In addition, the property which Tsastsin acquired through criminal activity was confiscated: money in his bank account, two cars, and a computer.

Tsastsin has to pay court costs totaling over 23,000 kroons. [$2,300]

According to the indictment, in November 2001, Vladimir Tsastsin opened bank accounts using many different names at Eesti Ühispank and forwarded data to an accomplice, who hacked into the payment systems of Internet retail businesses in order to alter payment data.

Due to this false information, the bank incorrectly credited over 1.3 million kroons to many bank accounts.

In 2002, using the same scheme, he attempted to use a Hansapank credit card to defraud the bank of nearly 1.4 million kroons, in his own name as well as under a dummy name. Thanks to steps taken by bank employees, the bank did not suffer any losses.

In order to hide the ownership and source of the money obtained through fraud, the defendant transferred funds among many different personal accounts from which he made cash withdrawals.

As a result of computer fraud and money laundering, Tsastsin obtained 609,890 kroons in cash belonging to others.

Tsastsin is also accused of falsifying names, personal data, and signatures in the fall of 2001 in order to set up accounts and to utilize financial services in a foreign bank.

Tsastsin confessed to forging documents and to using forged documents, but denied all other charges.

In e-mail exchanges with Security Fix, Tsastsin declined to comment on the above article, except to call it "yellow journalism." He also declined to discuss or even acknowledge his incarceration. However, Security Fix found more or less the same statements about Tsastsin on the Estonian Ministry of Justice's own Web site.

At any rate, I wondered why a company like EstDomains would keep on a chief executive who was sent to prison for cyber fraud. Tsastsin is quoted in Rove Digital press releases as late as July 2008.

I asked that very question of Hillar Aarelaid, team director of the Estonian Computer Emergency Response Team (CERT Estonia). Aarelaid maintains that Tsastsin long ago ceded control of EstDomains to organized cyber criminals in Russia.

"To understand EstDomains, one needs to understand the role of organized crime and the investments coming from that, their relations to hosting providers in Western nations and the criminals who ply their trade through these services," Aarelaid said.

Indeed, for years EstDomains appeared to be the registrar of choice for the infamous Russian Business Network. You could hardly look up the registration records of Web sites hosting nasties like CoolWebSearch and other spyware programs without finding that they traced back to EstDomains.

That is, until the RBN's disappearing act late last year, when this publication and others began exposing RBN's ties to child pornography and financial fraud Web sites.

While the RBN may have faded into the background, experts say EstDomains still remains among the top registrars for spam and scam Web sites, as well as child pornography. Working with several security experts who help law enforcement officials track down child porn sites, Security Fix identified at least two Web sites registered through EstDomains that are currently selling access to child porn.

Tsastsin said he would investigate the child porn claims, and terminate any other reported sites that violate the company's abuse agreement.


"Our projects are totally legitimate and they are not involved in any shady activities. As we have thousands of domain names it is nearly impossible to trace all activity on all of them, so the best manner to trace some shady domain is the abuse report," Tsastsin wrote. "As soon as we get one, we deal with it very seriously. Moreover, we investigate the account which contained the abusive domain, and in case of any suspicious domain's disclosure, we suspend the whole account, and after that we are looking for possible connections to other accounts, which we suspend as well. That is our policy and we follow it strictly."

Tsastsin called claims that EstDomains is somehow involved with Russian organized crime "rubbish." Konstantin Poltev, registry liaison with EstDomains, also scoffed at the accusation.

"I sincerely hope that you will choose Google for your further investigation and gather the information without using the sources you have indicated as reliable," Poltev wrote to Security Fix. "I assume that the independent investigation shall definitely show you that the person who granted us the 'cybercrime registrar' title has made a mistake."

For his part, Aarelaid said he hopes security experts can keep the pressure on registrars like EstDomains to increase their costs and potentially to put them out of business.

"If the total cost of ownership goes up -- and upstream [Internet backbone] providers stop routing for them, they may go to another place, move to a new project," he said. "These guys are not evil, they are just after big and easy money. If your investment is returning 10,000 percent and then it starts to eat money, it's not big and easy anymore."

Last week, within hours of our feature on cyber fraud routed through Internet service provider Atrivo (a.k.a. Intercage) -- EstDomains' ISP -- two of Atrivo's largest backbone providers abruptly dropped all direct connectivity to the company, leaving it with just one major upstream provider. On Sunday, that remaining provider -- Boca Raton, Fla.-based WVFiber -- said it would sever ties with Atrivo by Thursday at the latest.

Tsastsin says he's not too concerned if Atrivo drops offline. "If Intercage will nevertheless be cut off from the Internet, it won't affect EstDomains much. Our infrastructure is so compact and well-organized that we can easily move to another location in less than 24 hours. So we see no sense in pressing Intercage, as it will be better for all of us to solve the problems and to get rid of problematic customers together."

In a blog post last month about the relationship between EstDomains and Atrivo, anti-spam organization Spamhaus.org suggested law enforcement action against the two entities was long overdue.

"We assume that every law enforcement agency with a cyber-crimes division has a dossier bursting at the seams on Atrivo/Intercage and its tentacles such as Esthost, Estdomains, Cernel, Hostfresh," Spamhaus wrote. "The only question on everyone's mind is which agency will beat the others to shutting the whole place down and indicting the people behind it. Because if shut down, one thing is certain: the amount of malware-driven crime on the Internet would drop overnight as cyber-criminals rush to find a new crime-friendly host - difficult to find in the US, as Atrivo/Intercage is one of the very few remaining dedicated crime hosting firms whose customer base is composed almost, or perhaps entirely, of criminal gangs. More importantly, millions of Internet users currently being targeted by the malware gangs operating from Atrivo/Intercage will be, for a while, safer."

By Brian Krebs  |  September 8, 2008; 4:14 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Web Fraud 2.0  

Comments

Estonia is nowhere near the Balkans!

Posted by: Richard Clarke | September 8, 2008 4:26 PM

I think he means Baltics!

Posted by: George Francis | September 8, 2008 5:06 PM

If the person in question is the owner of EstDomains, their accreditation may be terminated under this clause:

"5.3 Termination of Agreement by ICANN. This Agreement may be terminated before its expiration by ICANN in any of the following circumstances:

5.3.2 Registrar:

5.3.2.1 is convicted by a court of competent jurisdiction of a felony or other serious offense related to financial activities, or is judged by a court of competent jurisdiction to have committed fraud or breach of fiduciary duty, or is the subject of a judicial determination that ICANN reasonably deems as the substantive equivalent of those offenses; or

5.3.2.2 is disciplined by the government of its domicile for conduct involving dishonesty or misuse of funds of others.

5.3.3 Any officer or director of Registrar is convicted of a felony or of a misdemeanor related to financial activities, or is judged by a court to have committed fraud or breach of fiduciary duty, or is the subject of a judicial determination that ICANN deems as the substantive equivalent of any of these; provided, such officer or director is not removed in such circumstances."

REGISTRAR ACCREDITATION AGREEMENT:
http://www.icann.org/en/registrars/ra-agreement-17may01.htm

Posted by: Garth @ Knujon.com | September 8, 2008 5:55 PM

It's good that you poke your investigative fingers into the Russian cybercrime mafia! EstDomains clearly is one of their associates, and there are many others still to be dealt with!

Posted by: roflem | September 9, 2008 5:22 AM

Brian nailed this one spot on.

Posted by: Ron | September 9, 2008 7:20 AM

Directi's LogicBoxes still have the kill-switch.

Money or Ethics & Morals eh?

Posted by: @Garth | September 9, 2008 7:22 AM

Even if Directi pulled its LogicBoxes away from Est, they are still an ICANN-accredited registrar. This is the key to the kingdom; LogicBoxes is just a horse they ride through the gate on.

Posted by: Garth @ Knujon | September 9, 2008 9:16 AM

One major problem to prosecuting these animals: Due to Georgia, the degree of cooperation between the U.S. and Russia is pretty low right now.

This is why the Estdomains folks feel so confident.

I can see the criminal gangs setting up shop in other US-unfriendly countries, such as Venezuela and Iran.

Posted by: Ken L | September 9, 2008 3:41 PM

@ Garth: ICANN? Come on! Haven't we been down this path before? I can remember other BK blogs where ICANN is really ICAN'T when it comes to positive regulatory action in these matters.

Posted by: Pete from Arlington | September 9, 2008 4:02 PM

Pete, here are all the facts in black and white. Ask ICANN exactly why no action has been taken. If you assume that someone will do nothing, you will usually be correct. Assume they will and then ask why they didn't.

Posted by: Garth @ Knujon.com | September 9, 2008 4:21 PM

Tsastsin's claims not to be "involved in any shady activities" are absolutely laughable. Esthost has been a (the?) central player in the Russian malware complex over the last five years or so.

Tsastsin is known on the Russian AWM boards where hacking and exploits are discussed, as 'scr'. There he promoted his/Esthost's operations... such as the original-and-still-the-worst MegaTDS, the most popular malware junction point of a few years ago - operated by one Vladimir Tsastsin.

Good catch on turning up the old credit card fraud stuff... we knew the proto-Esthost operation of old had a connection to carding, but that's pretty black-and-white.

Posted by: bobince | September 9, 2008 7:50 PM

Just wondering, what exactly is 'illegal data'? Is that kind of like 'illegal substances'? Where do these people come up with this stuff?

Posted by: yourntoo | September 9, 2008 8:45 PM

@ Garth: Did you? What did they say? I am "assuming" nothing, only remembering earlier blog posts where ICANN was doing nothing... when asked, mind you.

Posted by: Pete in Arlington | September 10, 2008 1:17 PM

But note that according to NetworkWorld, the Japanese network services provider Akamai found that Japan accounted for 30% of all monitored Internet attack traffic in the second quarter of 2008. The US ranked second at 21.5%, China third at 16.8% (http://tinyurl.com/5qlgr2). So Russia -- and Estonia -- are hardly the worst offenders....

Henri

Posted by: mhenriday | September 10, 2008 4:51 PM

Pete, no worries, this question won't die; it's going to become more public in the near future.

Posted by: Garth @ KnujOn | September 15, 2008 11:51 AM

EstDomains has issued a press release concerning the recent events. They are claiming innocence, but the claim is flawed from the start since they continue to profess that they are located in the U.S. when we all know it's not true.

From the release:
"EstDomains, Inc, a US-based domain name Registrar"

http://www.prweb.com/releases/2008/09/prweb1325214.htm

Time to tell the whole truth folks.

Posted by: Garth @ Knujon | September 15, 2008 11:58 AM

© 2010 The Washington Post Company