Delving into the business of fake code-signing certificates

In early June 2023, cybersecurity expert Brian Krebs published an investigation into a Russian cybercriminal known as « Megatraffer« . He is one of the world’s biggest traffickers in code-signing certificates.

Before installing a program, an operating system will always check that it has a valid code-signing certificate. This certificate guarantees, among other things, that no one has altered or modified the software code since its creation, and that it will not weaken the OS or its components.

In its advertisements, Megatraffer explains why a stolen or falsified certificate makes it much easier for malware to spread. It points out that antivirus software targets unsigned software first and foremost, and that modern browsers rarely block the downloading of signed files. Recent versions of Windows even display a warning message if a user attempts to install any unsigned software.

Megatraffer launched this lucrative business on the Exploit forum in 2015. He has since extended it to most of the major Russian and English-speaking cybercriminal forums. In 2016, its prices were US$700 (€640) for a single-use certificate and US$1,900 (€1,738) for an « extended-use » certificate.

The cybercriminal is also said to offer his services to ransomware gangs. In February 2022, a leak revealed several years of internal discussions by Conti, the Russian ransomware champion (self-dissolved since then). This archive indicates that Megatraffer helped the group code its malware between July and October 2020.

Intel 471, an American threat intelligence company, has also been able to identify Megatraffer. By cross-referencing e-mail addresses, passwords and presences on forums and data leaks, researchers have established that he is Konstantin Evgenievich Fetisov. Born in 1982 and active in cybercrime since at least 2009, this Russian citizen is said to have actively participated in Spamit, the largest Russian pharmaceutical spam network of the early 2010s.