EstDomains: A Sordid History and a Storied CEO
In this second part of an ongoing investigation into the notorious Web site host and domain name registrar EstDomains Inc., Security Fix examines the company's history, the legacy of its current chief executive, and its future prospects.
The "Est" in EstDomains is a nod to the company's origins: It was founded in Tartu, the second largest city in Estonia (although the corporation is officially registered in Delaware). The chief executive of EstDomains is 27-year-old Vladimir Tsastsin.
Tsastsin also is named as the head of Rove Digital, a company that appears to encompass a domain auction service named Bakler.com, and a recently launched Web traffic-shaping service called Zmot.
It seems Mr. Tsastsin has a rather colorful past, and is no stranger to organized crime. According to the local court and news media, he was recently sentenced to three years in an Estonian prison after being found guilty of credit card fraud, document forgery, and money laundering.
A Feb. 6 story from Eesti Päevaleht -- "Estonian Daily," one of Estonia's two major dailies -- explains the backstory. I couldn't find any version of this story that had ever been published in English, so I had it professionally translated by Koit Ojamaa, a former Estonian citizen who now lives near Washington, D.C.
Mr. Ojamaa translates:
Tartu County Court just found a man working as the acting manager of an IT company guilty of entering illegal data into card payment systems of Internet stores for the purpose of material gain, creating forged documents, using forged documents, and money laundering.
The court sentenced 27-year-old Vladimir Tsastsin to three years imprisonment, of which 6 months and 11 days must be served, according to Tartu County Court press office.
Since Tsastsin already spent that much time in pretrial detention, it will be counted as time served.
The remaining time was suspended with parole for three years beginning from the time of sentencing.
In addition, the property which Tsastsin acquired through criminal activity was confiscated: money in his bank account, two cars, and a computer.
Tsastsin has to pay court costs totaling over 23,000 kroons. [$2,300]
According to the indictment, in November 2001, Vladimir Tsastsin opened bank accounts using many different names at Eesti Ühispank and forwarded data to an accomplice, who hacked into the payment systems of Internet retail businesses in order to alter payment data.
Due to this false information, the bank incorrectly credited over 1.3 million kroons to many bank accounts.
In 2002, using the same scheme, he attempted to use a Hansapank credit card to defraud the bank of nearly 1.4 million kroons in his own name as well as under a dummy name. Thanks to steps taken by bank employees, the bank did not suffer any losses.
In order to hide the ownership and source of the money obtained through fraud, the defendant transferred funds among many different personal accounts from which he made cash withdrawals.
As a result of computer fraud and money laundering, Tsastsin obtained 609,890 kroons in cash belonging to others.
Tsastsin is also accused of falsifying names, personal data, and signatures in the fall of 2001 in order to set up accounts and to utilize financial services in a foreign bank.
Tsastsin confessed to forging documents and to using forged documents, but denied all other charges.
In e-mail exchanges with Security Fix, Tsastsin declined to comment on the above article, except to call it "yellow journalism." He also declined to discuss or even acknowledge his incarceration. However, Security Fix found more or less the same statements about Tsastsin on the Estonian Ministry of Justice's own Web site.
At any rate, I wondered why a company like EstDomains would keep on a chief executive who was sent to prison for cyber fraud. Tsastsin is quoted in Rove Digital press releases as late as July 2008.
I asked that very question of Hillar Aarelaid, team director of the Estonian Computer Emergency Response Team (CERT Estonia). Aarelaid maintains that Tsastsin long ago ceded control of EstDomains to organized cyber criminals in Russia.
"To understand EstDomains, one needs to understand the role of organized crime and the investments coming from that, their relations to hosting providers in Western nations and the criminals who ply their trade through these services," Aarelaid said.
Indeed, for years EstDomains appeared to be the registrar of choice for the infamous Russian Business Network. You could hardly look up a malicious Web site hosting nasties like CoolWebSearch and other spyware programs without finding registration records that traced back to EstDomains.
While the RBN may have faded into the background, experts say EstDomains remains among the top registrars for spam and scam Web sites, as well as child pornography. Working with several security experts who help law enforcement officials track down child porn sites, Security Fix identified at least two Web sites registered through EstDomains that are currently selling access to child porn.
Tsastsin said he would investigate the child porn claims, and terminate any other reported sites that violate the company's abuse agreement.
"Our projects are totally legitimate and they are not involved in any shady activities. As we have thousands of domain names it is nearly impossible to trace all activity on all of them, so the best manner to trace some shady domain is the abuse report," Tsastsin wrote. "As soon as we get one, we deal with it very seriously. Moreover, we investigate the account which contained the abusive domain, and in case of any suspicious domain's disclosure, we suspend the whole account, and after that we are looking for possible connections to other accounts, which we suspend as well. That is our policy and we follow it strictly."
Tsastsin called claims that EstDomains is somehow involved with Russian organized crime "rubbish." Konstantin Poltev, registry liaison with EstDomains, also scoffed at the accusation.
"I sincerely hope that you will choose Google for your further investigation and gather the information without using the sources you have indicated as reliable," Poltev wrote to Security Fix. "I assume that the independent investigation shall definitely show you that the person, who granted us the 'cybercrime registrar' title, has made a mistake."
For his part, Aarelaid said he hopes security experts can keep the pressure on registrars like EstDomains to increase their costs and potentially to put them out of business.
"If the total cost of ownership goes up -- and upstream [Internet backbone] providers stop routing for them, they may go to another place, move to a new project," he said. "These guys are not evil, they are just after big and easy money. If your investment is returning 10,000 percent and then it starts to eat money, it's not big and easy anymore."
Last week, within hours of our feature on cyber fraud routed through Internet service provider Atrivo (a.k.a. Intercage) -- EstDomains' ISP -- two of Atrivo's largest backbone providers abruptly dropped all direct connectivity to the company, leaving it with just one major upstream provider. On Sunday, that remaining provider -- Boca Raton, Fla.-based WVFiber -- said it would sever ties with Atrivo by Thursday at the latest.
Tsastsin says he's not too concerned if Atrivo drops offline. "If Intercage is nevertheless cut off from the Internet, it won't affect EstDomains much. Our infrastructure is so compact and well-organized that we can easily move to another location in less than 24 hours. So we see no sense in pressing Intercage as it will be better for all of us to solve the problems and to get rid of problematic customers together."
In a blog post last month about the relationship between EstDomains and Atrivo, anti-spam organization Spamhaus.org suggested law enforcement action against the two entities was long overdue.
"We assume that every law enforcement agency with a cyber-crimes division has a dossier bursting at the seams on Atrivo/Intercage and its tentacles such as Esthost, Estdomains, Cernel, Hostfresh," Spamhaus wrote. "The only question on everyone's mind is which agency will beat the others to shutting the whole place down and indicting the people behind it. Because if shut down, one thing is certain: the amount of malware-driven crime on the Internet would drop overnight as cyber-criminals rush to find a new crime-friendly host - difficult to find in the US, as Atrivo/Intercage is one of the very few remaining dedicated crime hosting firms whose customer base is composed almost, or perhaps entirely, of criminal gangs. More importantly, millions of Internet users currently being targeted by the malware gangs operating from Atrivo/Intercage will be, for a while, safer."
September 8, 2008; 4:14 PM ET
Categories: Fraud , From the Bunker , Latest Warnings , Web Fraud 2.0
Previous: A Superlative Scam and Spam Site Registrar
Next: Microsoft Patches Eight Security Holes