How Kopeechka, an Automated Social Media Accounts Creation Service, Can Facilitate Cybercrime
This report explores the Kopeechka service and gives a detailed technical analysis of the service’s features and capabilities and how it can help cybercriminals to achieve their goals.
In recent years, cybercriminals have become increasingly professional: fraudsters have consistently been improving their skills, making fewer crucial mistakes, and creating various “as-a-service” businesses that help lower-skilled threat actors launch scams and attacks, allowing the latter to run full cybercrime operations.
There are different types of cybercrime services that exist today, including malware-as-a-service, where cybercriminals develop and sell malware services to other malicious actors; the service also includes creating and spreading malware types such as ransomware on compromised hosts. Meanwhile, other services require the use of multiple social media accounts to be successfully carried out, such as misinformation, spamming, and malware propagation. Indeed, it’s not uncommon for cybercriminals to send thousands of spam messages using thousands of accounts on social media platforms. But how do they manage to automate all of it?
Recently, we came across a service that, while it is not necessarily illegal, facilitates cybercrime operations that rely on large-scale social media spamming: the Kopeechka service. In Russian, “kopeechka” means “penny.”
The service has been active since the beginning of 2019 and provides easy account registering services for popular social media platforms, including Instagram, Telegram, Facebook, and X (formerly Twitter). We also noted that registrations on chat sites aimed at minors were available via Kopeechka.
How social media platforms secure their account creation processes
Most social media platforms have taken active steps to strengthen their account creation security. Since a lot of cybercriminals create accounts on social media platforms for use in their illegal operations, social media companies are trying to minimize the risk of having malicious actors on their platforms, an effort that starts with the account creation process.
Different security measures exist to protect platforms against the creation of fraudulent accounts, such as the following:
- Email address validation. When registering, a user needs to prove that the provided email address exists. This is generally done with a code confirmation, where the user receives a unique URL or a code via email. Once they select this link or type the code, their account is validated.
- Phone number verification. The goal here is to compel the user to provide a real phone number that can be validated by the social media platform, typically by sending a text message with a code that the user needs to type in on the platform.
- CAPTCHA protection. Although there are different types of CAPTCHAs, the goal is always the same: to verify that a user is a real person and not a bot. Typically, users need to answer a question that cannot be answered by automated solvers.
- IP address reputation. The goal here is to establish whether the user’s IP address is clean and does not come from a proxy, a virtual private network (VPN), or any other anonymizing solution.
Depending on the targeted social platform, cybercriminals would need unique email addresses, unique phone numbers, and non-suspicious IP addresses to successfully create accounts on their own.
Although some social media platforms use CAPTCHAs to stop automated registration, this doesn’t pose a considerable roadblock for cybercriminals, as different services now exist that allow malicious actors to bypass CAPTCHAs in an automated way. The same goes for IP address-checking services, as cybercriminals can use residential proxies to bypass these measures.
Cybercriminals can therefore bypass CAPTCHAs and IP address reputation-checking tools using automated scripts. However, they still need one valid email and possibly a phone number for each account that they want to create. This is where Kopeechka comes in.
A look at the Kopeechka service
Kopeechka does not provide access to email inboxes, but it provides access to emails received from social media platforms. The service has been designed so that the mailbox account is still controlled by Kopeechka and not by any third-party user.
Kopeechka offers two different types of email addresses: addresses that use its own domains, and addresses that are hosted on more popular email hosting services.
Kopeechka indicates the number of valid emails that it currently has in stock, as seen in Table 1. Interestingly, the majority are Hotmail and Outlook inboxes, which are Microsoft-related inboxes.
We suspect that these email addresses are either created by Kopeechka actors themselves or possibly compromised email inboxes, as we’ve previously seen these actors post messages in underground communities’ compromised email threads. Kopeechka also purchases email accounts, which can be seen in Figure 1.
The service also provides several email addresses hosted on 39 domains that it owns at the time of writing.
Pricing differs between Kopeechka’s own domains (Figure 2) and popular domains (Table 1), with the popular services being more expensive: Kopeechka domains cost RUB₽0.05 or USD$0.0005 at the time of writing, while some popular domains can cost up to RUB₽1 or USD$0.01.
How does Kopeechka work?
Kopeechka provides its customers with both a web interface and an API.
It’s evident in Figure 3 that the web interface allows users to easily create social media accounts using purchased email addresses, while the API makes it easier for users to create multiple social media accounts automatically.
For social media platforms that are not currently known to Kopeechka, users can use Kopeechka’s API.
All these processes can be fully automated, which could allow cybercriminals to create potentially hundreds of accounts or more in just a few seconds, as long as they have enough money in their Kopeechka account.
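Because each automated registration still needs an email address, a platform can screen signups on the email domain. The following is an added example, not code from this report or from any service it describes: it flags signups on blocklisted domains and bursts of signups on one domain from many IP addresses. The domain names, window, threshold, and sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed placeholders: in practice, load the service-owned domains
# published as indicators in threat reports.
BLOCKLIST = {"throwaway-one.example", "throwaway-two.example"}
WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 5                    # assumed max signups per domain per window

def domain_of(email):
    """Return the lower-cased domain part of an address, without a trailing dot."""
    return email.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def is_blocked(domain):
    """True if the domain or any parent domain is on the blocklist."""
    parts = domain.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts) - 1))

def review_signups(events):
    """events: iterable of (iso_timestamp, email, ip), in any order.
    Returns a list of (email, reason) for signups that need review."""
    recent = defaultdict(deque)          # domain -> (timestamp, ip) inside the window
    flagged = []
    for ts, email, ip in sorted(events):
        when, dom = datetime.fromisoformat(ts), domain_of(email)
        if is_blocked(dom):
            flagged.append((email, "blocklisted-domain"))
            continue
        q = recent[dom]
        q.append((when, ip))
        while when - q[0][0] > WINDOW:   # drop signups older than the window
            q.popleft()
        # Many signups from many IPs on one domain suggests proxy-backed automation.
        if len(q) > THRESHOLD and len({i for _, i in q}) > THRESHOLD // 2:
            flagged.append((email, "burst-on-domain"))
    return flagged

# Constructed sample events (not real data).
SAMPLE = [("2023-10-01T12:00:%02d" % s, "user%d@mail-host.example" % s,
           "198.51.100.%d" % s) for s in range(8)]
SAMPLE += [("2023-10-01T12:05:00", "a@Sub.Throwaway-One.example", "203.0.113.7"),
           ("2023-10-01T13:00:00", "late@mail-host.example", "198.51.100.99")]

if __name__ == "__main__":
    for email, reason in review_signups(SAMPLE):
        print(reason, email)
```

A fixed per-domain threshold only suits low-volume domains; for large mail providers, which make up most of the stock described above, the threshold would have to be set against each domain's normal signup rate.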
No access to actual mailboxes
Kopeechka does not provide access to the actual mailboxes. When users request mailboxes to create social media accounts, they only get the email address reference and the specific email that contains the confirmation code or URL. This is crucial for the Kopeechka service, as it allows Kopeechka actors to use one single email address for multiple registrations on different social media platforms, as seen in Figure 5.
How SMS comes into play
Certain social media platforms include an account validation step that requires a phone number that they will use to send a text message containing a unique code. The user would then need to enter the code on the platform to register successfully.
To solve this problem, Kopeechka enables its users to choose from 16 different online SMS services. As with all of its services, Kopeechka provides video tutorials alongside descriptions of each service and how each works.
Kopeechka’s marketing and customer service
In addition to advertising its services, Kopeechka fosters customer loyalty by constantly communicating with its users and providing transparency on anything happening to the service, including networking problems and bug notifications. Kopeechka provides tips, full tutorials, and even compensation to its customers.
In this block quote, Kopeechka actors communicated with their customers regarding a recently fixed bug and offered compensation for customer losses.
Bad news
Unfortunately, we had a serious bug that allowed us to recover accounts instagram.com people they didn't belong to.
-The bug was in the SENDER parameter when ordering a letter.
We created this parameter a long time ago so that customers could receive emails from sites whose sender does not match the URL itself. At that time, we could not have thought that someone would look for vulnerabilities in the parameters and select them for abuse.
-We fixed this bug.
The sender time parameter will not affect anything at all, because whatever you enter into it, the service will see NULL.
-We apologize to those who have lost their instagram accounts.
If you are one, write to support https://t.me/{Telegram shortcut}. All cases will be considered individually, compensation for your losses is possible.
-Losses from other sites have been noticed. The bug is completely fixed, such situations will not happen again.
All in all, Kopeechka seems to take a professional approach in handling customer communications, appearing to use a customer relationship management (CRM) tool called Bitrix24 for its sales, marketing, and project management needs. Our reason for believing that Kopeechka uses this software is that Bitrix24 uses one subdomain per customer, and we discovered an existing “kopeechkastore.bitrix24.ru” subdomain that has been active since at least 2019.
Kopeechka also provides online videos, frequently asked questions (FAQs), and dedicated pages describing how the service works. Our analysis of its infrastructure revealed more hidden gems for customers, which we did not see being advertised anywhere else and which are probably only accessible from the user’s internal interface.
An example of a hidden gem for customers is the platform’s customer training center, which allows customers to test their account creation and logging skills. This gives users the ability to try the service for free.
Kopeechka also offers a regular expression testing platform, which allows it to get better at matching texts from emails, in case users want to subscribe to a special service that has a format that Kopeechka does not know or cater to yet.
Automating, collaborating with other Russian online services
For users who want to automate the account registration process but are not skilled enough to use the API, Kopeechka encourages them to use a third-party Russian service called ZennoPoster, which has been active since 2011. We have reason to believe that this web task automation tool is owned by a certain Mikhail Evgenievich Kulikov.
ZennoPoster allows users to automatically execute browser actions by working like a script that performs one action after another on a browser. Kopeechka users can thus use ZennoPoster as an automatic registration system.
Several online topics explain how to use ZennoPoster together with Kopeechka to register accounts on different social media platforms. One such example is the use of both ZennoPoster and Kopeechka to create an account on “mylove.ru,” a Russian dating website.
ZennoLab, the maker of ZennoPoster, sells dozens of automated tasks related to interacting with social media platforms and other online websites. One of these automated tasks is a script for X (formerly Twitter), which will go through an X account and send messages to all its followers. As a result, this account could then be used to send spam.
ZennoLab also has CAPTCHA recognition and proxy hunting or checking services.
It should be noted that Kopeechka encourages its users to use the ruCaptcha CAPTCHA-solving service by offering a 5% refund.
Kopeechka also has an affiliate program for developers and users. While developers who use the Kopeechka API in their software can get 10% of sales, users who persuade more people to use Kopeechka via an affiliate link can earn 10% of the amount each new user spends on Kopeechka. Users who upload used emails will also get a certain percentage of the emails’ sales.
Kopeechka activities in cybercriminal underground forums
Advertising the service in underground forums
Since its creation in February 2019, Kopeechka has always advertised its services. Whenever the service is updated, Kopeechka also updates its advertisement threads in cybercriminal forums.
Currently, Kopeechka has about 1,000 subscribers on its Russian Telegram channel and 440 subscribers on its English Telegram channel.
Looking for exploits and more
On top of advertising in cybercriminal underground forums, it appears that Kopeechka actors are also interested in finding exploits. We’ve seen a number of profiles using the Kopeechka name in different forums showing an interest in using exploits and ways to break into accounts. On many of these forums, threat actors only share content with those who reply to relevant threads, making it easy to identify what Kopeechka actors are interested in. In addition, Kopeechka actors sometimes ask questions about products or services advertised in such forums.
In June 2022, a user posted an advertisement in a forum about an exploit that can supposedly bypass Gmail. A Kopeechka-named user replied in March 2023 asking about the exploit and inquiring if it is still up to date.
On another forum, a Kopeechka-named user replied to threads on how to crack social media accounts including Spotify, Netflix, Steam, as well as threads about using Black Bullet and a free web-testing software called OpenBullet, which we reported on in 2021.
In 2020, Kopeechka actors also posted in a forum requesting help in producing “a batch of documents, not for widespread use, with a protection that is approximately the same as on diplomas.” While we have no idea about the kind of documents they wanted to produce, the request is suspicious as the purpose behind it could have been to submit fake documents to fulfill requirements from various service providers or administrations.
What is Kopeechka being used for?
Kopeechka can be used for just about any service that would need to handle account registrations.
While investigating a recent massive cryptocurrency scam, we reported the abuse of the Mastodon social network, which suddenly saw hundreds of new accounts being created to promote fake cryptocurrency websites to Mastodon users. Brian Krebs discussed how the Kopeechka service was used to mass-register Mastodon accounts earlier this year.
Bots also use Kopeechka for easy account creation. We have seen code that enables the creation of social media accounts via the Kopeechka API, including scripts for Discord, Telegram, and Roblox accounts.
In addition, we found a Python script that could be used to create VirusTotal accounts, suggesting that some users might register these accounts for possibly testing malware detections.
Based on our observations, we believe that the long-established reputation of Kopeechka plays a role in its popularity with cybercriminals: Malicious actors appear to believe that a product or service is more reliable because of it.
The official Kopeechka API itself is made available at a large scale, allowing it to be integrated into any kind of code. It exists on most developer platforms, including Python Package Index (PyPI), NuGet, GitHub, and npm.
Conclusion
Kopeechka’s services can facilitate an easy and affordable way to mass-create accounts online, which could be helpful to cybercriminals. Kopeechka customers use the service to easily create a large number of accounts without the hassle of SMS and email verification.
While Kopeechka is mainly used for creating multiple accounts, it can also be used by cybercriminals who want to add a degree of anonymity to their activities, as they do not need to use any of their own email addresses to create accounts on social media platforms.
The Kopeechka problem can only be fought if email service providers come together and collaborate on strengthening their registration processes, an effort that can possibly be made via artificial intelligence, which could provide ways to detect automatic account registrations.
Indicators of Compromise (IOCs)
Kopeechka domains