Cyber Threat Actor: Sergey Valerievich Kireev
| Actor Type | Location | Known Incidents |
Criminal
|
—
|
1 incident |
|---|
Profile
Sergey Valerievich Kireev is an alias that has been associated with a threat actor observed conducting phishing operations aimed at cryptocurrency exchange users. The actor’s known activity includes a campaign that began on 15 August 2017, during which a fraudulent website was created to imitate the login page of a legitimate exchange platform. This spoofed site replicated the visual design, logos, and input fields of the authentic service, using a domain name that employed character substitution to produce a URL that closely resembled the legitimate address. The intention behind the visual mimicry was to deceive visitors into believing they were on the genuine site and to induce them to enter their authentication credentials. Parallel to the deceptive domain, the actor purchased search engine advertisements that promoted another fraudulent URL, which temporarily appeared above the official exchange’s listing in sponsored search results. These advertisements were crafted to attract users searching for the exchange, increasing the likelihood that they would click on the malicious link and be directed to a second phishing page. Both the spoofed website and the advertised domain were designed solely to harvest usernames, passwords, and other account details that could then be used to drain funds from compromised accounts. The malicious hosting infrastructure was traced to a domain registration record that listed an individual located in Russia as the registrant. After the fraudulent pages were identified by security researchers and reported to relevant authorities, the domains were taken offline and web browsers began flagging them as deceptive, limiting further victim exposure.
The incident demonstrates a clear financial objective, as the actor sought to steal user credentials and directly monetize the stolen assets, with at least one victim reporting the loss of funds from their exchange account. No publicly available information links Sergey Valerievich Kireev to a state‑sponsored program, a larger criminal syndicate, or any other threat group; attribution remains confined to the individual associated with the domain registration. The described phishing operation serves as the primary, and currently only, publicly reported campaign attributed to this alias, with no additional malware families, custom tooling, or subsequent activities disclosed in open sources. Consequently, the profile of Sergey Valerievich Kireev is limited to the observed use of deceptive websites, search‑engine advertising, and visual similarity techniques to target cryptocurrency platforms for financial gain.
