FBI Announces Takedown of Deer.io Platform
In early March 2020, U.S. law enforcement announced the arrest of Russian national Kirill Viktorovich Firsov, believed to be the operator of the website creation platform Deer.io. The tech magazine “Hacker” had reported on Deer.io as early as 2016. The platform, which had been operating since 2013, allowed anyone to launch their own online store for 500 rubles per month. It worked similarly to WordPress: users paid for hosting and design services.
Three years ago, researchers from Digital Shadows noted that more than 1,000 stores were using the service, generating over 240 million rubles for their operators. Deer.io’s creators claimed that the actual number of stores exceeded 4,000.
The problem was that, in 2016, researchers discovered stores on Deer.io that should have been operating on the dark web. The platform’s rules (and Russian law) prohibited the sale of drugs, hacking tools, scripts for any kind of cyberattack, carding, financial fraud, DDoS services, and similar activities. However, experts claimed that Deer.io’s administrators deliberately ignored such activity. According to Digital Shadows, the platform was well-known among hackers and actively advertised on forums like Xeksek, AntiChat, Zloy, and Exploit.
Deer.io representatives strongly denied these accusations, insisting to the media that the platform operated in accordance with Russian law and regularly blocked stores selling drugs or bank accounts, as well as those banned by Roskomnadzor or other Russian authorities.
Interestingly, after the “Hacker” article about Deer.io was published, the platform’s operators threatened legal action. In the summer of 2019, they suddenly demanded the removal of the 2016 article, claiming that the Digital Shadows report lacked a screenshot of the main site catalog page (which clearly showed that the top 10 stores sold only stolen accounts). They argued that the screenshot was made by the magazine itself, making the publication “unsubstantiated and damaging to the company’s business reputation.”
Deer.io Platform Seized by U.S. Authorities
Three weeks after Firsov’s arrest, the U.S. Department of Justice announced the seizure of the Deer.io website. The domain was confiscated by court order, and the homepage now displays a prominent seizure notice.
According to law enforcement, at the time of its shutdown, the platform hosted over 24,000 stores with combined revenues exceeding $17 million. Anyone could create a store for 800 rubles per month, paying in bitcoin or through various online payment systems, including WebMoney.
Investigators reported that on March 4, 2020, the FBI conducted a “test purchase” and bought about 1,100 gaming accounts from the store ACCOUNTS-MARKET.DEER.IS for less than $20, paying in cryptocurrency. After payment, they received login credentials for each account, including usernames and passwords.
Of these 1,100 accounts, 249 belonged to an unnamed company A, which confirmed that access to a username and password allowed full use of the account, including access to the user’s media library and often linked payment methods. This meant that criminals could use the linked payment method to make additional purchases.
The “test purchase” didn’t stop there. On March 5, 2020, the FBI bought about 999 personal data records from the Deer.io store SHIKISHOP.DEER.IS (for about $170 in bitcoin), and another 2,650 records (for about $522 in bitcoin). Using this information, investigators were able to identify names, birth dates, and Social Security numbers of individuals living in San Diego County.
“Deer.io was the largest centralized platform that facilitated and enabled the sale of compromised social media accounts, financial data, personal information, and hacked computers. Taking down this criminal site is a major step toward reducing the trade in stolen data used to attack individuals and organizations in the U.S. and abroad,” summarized FBI Special Agent Omer Meisel.