Deer.io Operator Sentenced to 30 Months in Prison
In the spring of last year, Russian national Kirill Viktorovich Firsov, the operator of the now-defunct website creation platform Deer[.]io, was arrested at New York’s John F. Kennedy Airport. Authorities had recently shut down the platform, which was widely used by cybercriminals to sell access to stolen credentials, banking information, and hacked accounts, despite the company’s claims that it fought against such activity.
Deer.io had been operating since 2013, allowing anyone to set up their own online store for a monthly fee of 800 rubles, payable in bitcoin or through various online payment systems, including WebMoney. The service functioned similarly to WordPress, providing users with hosting and design for a fee. At the time, researchers from Digital Shadows noted that more than 1,000 stores were using the service, generating over 240 million rubles for their operators. Deer[.]io’s own figures claimed there were actually over 4,000 stores on the platform.
The problem was that, by 2016, researchers had discovered stores on Deer[.]io of the kind that belong on the dark web. The platform’s rules (and Russian law) prohibited the sale of narcotics, hacking tools, scripts for any kind of cyberattack, carding and financial fraud services, DDoS services, and more. However, experts alleged that the platform’s administrators deliberately turned a blind eye to these violations. Digital Shadows reported that Deer[.]io was well-known among hackers and actively advertised on forums like Xeksek, AntiChat, Zloy, and Exploit.
Deer[.]io representatives strongly denied these accusations, insisting that the platform operated in accordance with Russian law and blocked stores selling drugs or bank accounts, as well as banning stores at the request of Roskomnadzor or other authorized Russian agencies.
Interestingly, after an article about Deer[.]io was published on our website, the platform’s operators threatened the publication with legal action. In the summer of 2019, the company suddenly demanded the removal of a 2016 article, claiming that the Digital Shadows report lacked a screenshot of the main site catalog page (which clearly showed that the top 10 stores were selling only stolen accounts). They argued that the screenshot was created by the publication itself, making the article “unsubstantiated and damaging to the company’s business reputation.”
After Firsov’s arrest, the U.S. Department of Justice stated that the platform had hosted over 24,000 stores and generated more than $17 million in revenue. Law enforcement officials wrote that, despite operators’ claims of hosting legitimate sites, Deer[.]io was used almost exclusively by cybercriminals.
Although Firsov claimed that most sales on the site involved Russian accounts, transactions totaling over $1.2 million were linked to stolen U.S. data, including usernames, current addresses, phone numbers, and Social Security numbers.
Court documents also revealed that FBI agents were able to purchase about 1,100 gaming accounts from a Deer[.]io store for less than $20 in bitcoin, as well as personal information on 3,650 individuals for a few hundred dollars in cryptocurrency. Using this information, investigators were able to identify names, birth dates, and Social Security numbers for several people living in San Diego County.
The crime to which Firsov ultimately pleaded guilty—unauthorized use of access devices—carries a maximum sentence of 10 years in prison and a fine of up to $250,000. However, during sentencing, District Judge Cynthia Bashant took into account that Firsov had already spent over a year in custody during the COVID-19 pandemic and would likely spend additional time in prison during deportation proceedings back to Russia. In the end, Firsov was sentenced to 30 months in prison.
It remains unclear exactly how the FBI linked Firsov to Deer.io, but it is known that he had a Twitter account where he posted about vulnerabilities and exploits.