May 04
Kirllos and the 1.5 Million Stolen Accounts posted by Rick Howard
Filed in: Kirllos Facebook
A couple of weeks ago, iDefense got a lot of press for reporting an anomaly found while conducting research on the criminal buying and selling of PII (Personally Identifiable Information). A hacker named "Kirllos" claimed that he had 1.5 million Facebook accounts to sell. That was interesting enough. Most underground sellers of PII don't sell in bulk like that. It attracts too much attention, which this did. As the press would say, it had legs. It seems like every press outlet in the world picked up the story, which was not really a story; it was more of an observation. The second anomaly was Kirllos himself. iDefense analysts had high confidence that he was at least a native Russian speaker, based on the language skills he used in the forums, and it was likely that he lived in Eastern Europe. The reason this is an anomaly is that we have not seen many Russian speakers selling Facebook accounts. They tend to stick to their own regional sites, like the VKontakte social networking site that is popular in Russia, Belarus and Ukraine. This is not to say that Russians do not sell Facebook accounts; it is just that it does not occur too often, and definitely not in that volume.
So there you are: two pieces of data that don't really mean that much but kind of make you say, hmmmm, that is interesting. To be clear, we never said that these were valid accounts. We made no effort to prove it. The thing that was interesting to us was the volume advertised and the location of origin. At first glance, Kirllos seemed like a valid seller at the time. Before the press got hold of him, he was a seller in good standing on the forum where we noticed him.
Enter Facebook.
The Facebook security team reached out to me after reading the press accounts. As one might suspect, they were all over this Kirllos fellow. They had been following him for some time and knew exactly what his capabilities were. I use the word "were," the past tense, on purpose. This entire episode crippled Kirllos' fledgling career under the Kirllos alias. Once the iDefense "observation" hit the press, many other underground buyers, including the Facebook security team, attempted to contact him to buy the accounts. Kirllos ignored them. Either he did not have the accounts to sell or he was afraid that law enforcement was onto him. Most likely, it was both. Regardless, many underground forums banned Kirllos from the space.
Facebook's assessment of Kirllos is that he is a low-level player and that he had nowhere near the 1.5 million accounts he advertised. Most likely, he had a few hundred accounts, most of which he probably created himself. Through some interesting and impressive forensic work, the Facebook security team identified the real Facebook accounts owned by Kirllos, reset the passwords, and notified the account owners. Awesome!
The bad news is that iDefense's reporting on a simple "observation" created quite a media frenzy for Facebook. Unfortunately, even though iDefense never claimed to have verified the accounts as real, most stories suggested that they were.
The good news for iDefense is that we now have a new security research collaboration partnership with Facebook. I look forward to exchanging information with Facebook's security team in the future. As Rick says in my favorite movie, "Louis, I think this is the beginning of a beautiful friendship."
alleinunterhalter on 05.16.2010 at 10:46 AM said
Great blog, I think I will come back. Thank you!
Marco