Cyber Incident Victim: Rescator

Date: May 2014

Location: Ukraine

Summary

Rescator, a Ukrainian hacker, operated an underground marketplace specializing in the sale of stolen credit card data linked to major retail breaches, including those affecting Target, Home Depot, and Sally Beauty. The platform facilitated fraud by enabling searches of compromised cards by geographic criteria and processed transactions via direct Bitcoin payments without escrow protections. A rival hacker temporarily defaced the site, displaying a taunting message and media content. Rescator's operations involved uploading millions of card details to carding forums, and the individual behind the alias is suspected to be Andrey Hodirevski, though his direct involvement in hacking remains unconfirmed.

Description

Rescator emerged as a prominent Ukrainian hacker specializing in the illicit trade of stolen credit card data, operating through his dedicated marketplace hosted at rescator.cm. The platform facilitated the sale of payment card details stolen from major U.S. retail breaches, including those affecting Target, Home Depot, and Sally Beauty, with over 5 million card records uploaded to the SWIPED carder marketplace. Rescator’s site allowed buyers to search stolen card data by geographic criteria such as zip codes, enabling criminals to conduct fraudulent transactions closer to victims’ locations to evade bank fraud detection systems. The marketplace operated without escrow protections common on darknet markets, requiring direct Bitcoin payments to sellers. In March 2014, Rescator’s platform experienced a temporary disruption when a rival hacker defaced the website, though service was subsequently restored. Security researchers identified Rescator by multiple aliases including Helkern and ikaikki, with his operations contributing to widespread financial fraud risks across regions including Minnesota and the United Kingdom.

A more significant defacement occurred in May 2014 when an unidentified hacker compromised Rescator’s domain (rescator.so, previously rescator.la), replacing its content with a taunting message directed at both the site’s users and cybersecurity journalist Brian Krebs. The attacker denounced the platform’s role in facilitating fraud, blackmail, and doxing, while criticizing Cloudflare’s DNS configuration. The defaced homepage displayed a YouTube video of Will Smith’s *Men in Black* alongside the hacker’s declaration that the fraud site was “gone now.” Brian Krebs, who had been monitoring Rescator’s activities, first documented this incident. At the time of reporting, the website remained offline with its defaced content visible. Investigations by outlets like Softpedia suggested Rescator might be linked to a Ukrainian individual named Andrey Hodirevski from Illichivsk, though his exact role—whether as a direct hacker or solely a data reseller—remained unconfirmed. The incident underscored the volatile nature of criminal marketplaces and their susceptibility to internal rivalries despite their operational scale.
