What makes a hacker tick?
A 27-year-old hacker in Ukraine named Bassterlord helps to shed some light on the matter.
He’s been a member of some of the most infamous hacking crews of our time, and he explained, through an interpreter, how he worked his way up from spammer to initial access broker — breaking into networks and selling that access to other cybercriminals.
A mentor to other hackers and the author of two ransomware manuals, Bassterlord has made a name for himself since joining the cyber underworld in 2019.
Then, in March, he announced his “retirement,” a claim security researchers largely view as misleading. Researcher Jon DiMaggio of the threat intelligence firm Analyst1 is releasing a report about him this week, and he gave the “Click Here” podcast an exclusive first look, which helped inform the discussion.
“Click Here”: What would you like us to call you?
Bassterlord: Let’s just simply use the name Ivan. It’s a pretty popular name, and I’m more used to it.
OK. So let me just try and understand. How do we describe you?
Let’s put it this way: an extortionist, retired.
Retired extortionist. OK. You’ve worked for lots of different hacking groups. Can you give us a little list of the ones you’ve worked for?
Since 2019, I worked for REvil, but I didn’t have access to the panel. After the contest [Note: Bassterlord says he participated in a summer contest put on by LockBit, which sought research papers on all things cybercrime], somebody contacted me and offered [for me] to work for LockBit, but at the same time, I was working for Abaddon and I also worked for Ransom X.
And what do you think your specialty is?
I would describe myself as a searcher for access or access broker. My way of getting access is through exploits or brute-force attacks. My team is engaged in VPN and corporate server brute-force attacks.
How did you get into this work?
Since childhood, I took an interest in hacking. I was always curious and interested in the various forums, but never used them. At the beginning of 2019, I didn’t know anything about ransomware, and I was just a regular human being. What really propelled me to move to the dark side of the internet was one case that happened with my mom. It’s personal, but I’ll still try to talk about it.
[Note: Bassterlord lives in the Donbas region of eastern Ukraine, where fighters linked to Russia invaded in 2014.]
One night, a powerful shelling started. My mother had kidney stone disease and had an attack because of the nervous stress. Nobody could come to the rescue at that point. There was no chance to call 9-1-1 or anything like that. And only one thing helped. I saw the neighbor driving from around the corner. I simply came up, laid on the hood and said, “Help get us to the hospital. I will give you anything.”
We brought my mother to the hospital and purchased medicine for credit. Obviously, I had no money at that time. So, [as] I was going home, I thought that this debt actually will have to be repaid. And at the same time, the Ukrainian jet fighters were flying overhead to bomb the neighboring town. I returned home, went to the forum and wrote my first ad on XSS [a Russian-language hacking forum]. I highlighted that I need money, and I’m not afraid of work in any country of the world.
What response did you get?
So, one man approached me through this. As it turned out, his nickname ended up being “National Hazard Agency.” He offered me work on spam. They paid, I think, $300 a month. This was just enough money to cover the expenses, or at least for some time. But as I found out later, this man happened to be one of the REvil founders. I understood the concept of what he was doing, and I asked him to teach me. He agreed, although he initially never planned it. At that particular moment, he was working on the Pulse Secure VPN. This actually was a topic of my [LockBit contest] article when I described the exploits of Pulse Secure, for which I’m being hated by many until this day.
Hated because you revealed how it worked?
Well, specifically revealed the principle of work because that was the principle utilized by many groups at that time.
And did you win money for that?
I had a consolation prize, and I actually had a proposition to get into a partnership problem with LockBit. Everybody got a consolation prize, approximately the amount of $1,000.
Did the $1,000 seem like a lot of money at the time, given that you didn’t have a lot of money?
Clearly.
And I had heard that you were a graphic designer before you started doing that.
That’s true. And that was my unofficial work. I was involved in drawing for clothes suppliers in the Russian Federation.
How did you get the idea for the ransomware manual?
The first part of the manual was the contest article. I simply wanted to make more money and win the contest, but I still didn’t win it at that time. It took me literally two weeks to compose the text.
Why did you write a second one?
The second one I wrote for a person trying to purchase a new method of zero-days. So initially, he offered $200,000, but then he refused to pay, and I had to actually put the manual on the web for everyone to look at it. And also, I needed money at that point.
So, if I barely know how to code and have your manual, could I launch a ransomware attack just using the manual?
If you had both versions of the manual.
And there’s a cybersecurity company called Prodaft. They got a copy of your manual. How did you hear about that?
I learned about it from somebody on the forum, from his message. He wrote that the manual was published by this company.
How do you think Prodaft got your manual?
I think one of the clients, one of the buyers, decided to return $10,000. They paid for it, and they sold it to the cybersecurity company.
[Note: Prodaft threat researcher Juan Ignacio Nicolossi denied this claim, saying, “We don’t give money to criminals.” Nicolossi said Prodaft “gained visibility into [Bassterlord’s] server and was able to extract [the manual].” In a follow-up email, the company said it does not use offensive tactics and insights are gathered from open-source intelligence and the work of security analysts.]
So, when you wrote these manuals, did you write them as a mentor to help the community grow or was it purely for money?
It was strictly for financial profit because, at that point, I already had my own team who I trained.
And some people say that what is different about you in this world is that you try to help people with their skills. Do you think that’s accurate?
In some cases, yes. If the questions [other hackers ask] are composed correctly and they do not represent some stupid idea.
You like smart people who are trying to learn. So, you don’t like script kiddies?
Most of my team members are exactly that because they did not know anything about hacking when they came in. But I was the one who taught them.
How did you choose them?
Most of them I knew. Every one of those people I know in person and I completely trust them.
Does your crew have a name?
National Hazard Agency. This is to honor my teacher, Lalartu.
Do you consider him a friend?
The last thing I know about him is that he has some real business in Russia and he completely stepped away from his business.
I wanted to talk to you about stepping away, too. You announced that you’re retiring. How does your crew feel about that?
They completely mastered my part of it. And they were actually not against it, as my psychological condition substantially deteriorated lately.
Tell me more about that.
After REvil got arrested by FSB [Russia’s Federal Security Service], I received a call from a high-ranking FSB official who requested that I show up for interrogation. That, to some extent, caused some panic in me, but as it turned out, that summons was regarding something totally different. People from Luhansk [in Ukraine] had [committed] a terror act in Russia. And they thought people from the community knew about it. So, they started summoning people from the community.
And when they called you, did you worry that they realized that you were hacking?
Correct. That’s exactly what I was afraid of. I had to cover the tracks and leave the forum, making an official announcement to that effect.
You must have been relieved.
Well, my nervous stress was at capacity. After what happened with REvil, I started receiving various threats to my life and that started taking its toll on me, and I started having panic attacks.
Threats from other hackers?
I do not know from whom, but it looks like in the community many people started confusing me with “BorisElcin” from XSS. I don’t know what evil he did to them, but this confusion started taking a toll on me.
But the final accord to this was the following situation. At the time of the end of my career, I made enough money not to worry about anything and not to worry about ransomware at all. I needed to put the money that I earned into cash, and I was doing this in small amounts. It was just a regular trip to the bank, and nothing was signaling any trouble. I withdrew some amount of money [and was] on the way out of the bank. [A man] was approaching me, which happened right in view of the bank cameras. He said something like, ‘Well, did you take all the money or is [there] something left?’
Was he a bank manager or an employee? Or was it a stranger?
No, it was a man from the street. I got afraid that it might be some company that got upset with me. Or worse yet — gangsters, the mob.
Was it a lot of money you took from the bank? Was there any reason why he would know that you had this cash?
It was several million rubles [about $86,000 as of April 2023], and this is what caused the fear. Because nobody could know about this, as it turned out, it was simply a drunkard who tried to panhandle or approach me in front of the bank. Right after that, I started receiving threats from various cyber community members, and that made me exit and destroy all the tools of my virtual machine. It was piling up as a snowball, and at that point, I was actually being treated with medical remedies for panic attacks. So, in order to successfully complete this, I needed to wrap this whole thing up.
Where is your mom now? Does she know what you were doing?
She knows my whole story, and she lives in the next building block from me.
And is she feeling better?
Yeah, absolutely. At this point, the money that I made is absolutely sufficient to have a comfortable life here for my entire family.
Do you feel guilty about it?
No, not really. For the companies that were paying me, what I’m making is just pennies for them.
Because it was companies, and not people, you think it’s not as bad.
I think more yes than no. I think these companies have enough money to pay all their expenses, and I think people who work for them do not really suffer a lot.
Are you giving this up forever?
Well, at this point, my business is continued by eight people. One of them is in charge of XSS, and the other person is responsible for cooperation with LockBit and the panel. We have an agreement that I receive 20% and not participate in it, for the fact that I gave them the opportunity to do what they do.
So, you’re more like a manager now.
Let’s put it this way: I completely distanced myself from this business, and I’m making a passive percentage.
And are you going back to graphic design?
Um, no. I have other hobbies, But I’m not going to divulge them since I can deanonymize myself by doing this.
I understand. You’re living in the Russian-controlled part of Ukraine. Do you feel safe?
No. Several days ago, three HIMARS rockets hit the center of my town.
So, why are you not leaving with your mom?
We planned on doing this, but a little later, we had some document issues.
Where do you see yourself five years from now?
I’d like to create a family, and right now, my immediate plans are to construct a house in Russia.
I guess my last question is why are you talking to us?
Number one, before this, I gave an expanded interview to Jon [Dimaggio, of Analyst1], who basically got us together. I also think it’s a good idea, because this will proliferate information about my leaving.
Anything else?
This chat will eventually be removed, and there won’t be any materials. If you need to save anything from the materials, save it right now.
OK.
Have a good day.
This interview has been edited and condensed for clarity.
An earlier version of this story appeared on the “Click Here” podcast from Recorded Future News. Additional reporting by Sean Powers and Will Jarvis.