On Dec. 18, 2013, KrebsOnSecurity broke the news that U.S. retail giant Target was battling a wide-ranging computer intrusion that compromised more than 40 million customer payment cards over the previous month. The malware used in the Target breach included the text string “Rescator,” which also was the handle chosen by the cybercriminal who was selling all of the cards stolen from Target customers. Ten years later, KrebsOnSecurity has uncovered new clues about the real-life identity of Rescator.
Rescator, advertising a new batch of cards stolen in a 2014 breach at P.F. Chang’s.
Shortly after breaking the Target story, KrebsOnSecurity reported that Rescator appeared to be a hacker from Ukraine. Efforts to confirm my reporting with that individual ended when they declined to answer questions, and after I declined to accept a bribe of $10,000 not to run my story.
That reporting was based on clues from an early Russian cybercrime forum in which a hacker named Rescator — using the same profile image that Rescator was known to use on other forums — claimed to have originally been known as “Helkern,” the nickname chosen by the administrator of a cybercrime forum called Darklife.
KrebsOnSecurity began revisiting the research into Rescator’s real-life identity in 2018, after the U.S. Department of Justice unsealed an indictment that named a different Ukrainian man as Helkern.
It may be helpful to first recap why Rescator is thought to be so closely tied to the Target breach. For starters, the text string “Rescator” was found in years later clues target breach
