Author of FastPOS malware revealed, pleads guilty

A 30-year-old Moldovan man admitted this month to creating the FastPOS malware.
Written by Catalin Cimpanu, Contributor

A 30-year-old Moldovan man pleaded guilty on Friday to creating FastPOS, a strain of malware designed to infect computers processing payment card data from Point-of-Sale (POS) systems.

Valerian Chiochiu, known in the hacking world as "Onassis" (after the Greek shipping magnate who married Jacqueline Kennedy), was part of the Infraud criminal organization.

Infraud was a hacking forum that was founded in 2010 and operated as a place for hackers to meet and exchange services. The forum first operated at infraud.cc and infraud.ws, and was primarily known as a place where hackers could buy or sell stolen payment card numbers and stolen identities, and buy, sell, or rent malware and DDoS attacks.

The forum operated under the slogan of "In Fraud We Trust" and had more than 11,000 registered members.

According to the US Department of Justice, Chiochiu sold the FastPOS malware on the forum, and then provided support for paying customers.

His "business" stopped when US authorities seized and took down the forum in February 2018. US authorities charged 36 members and arrested 13, but Chiochiu was not among the members in the first wave of arrests -- having been arrested at a later undisclosed date.

Last month, Sergey Medvedev (Infraud username "Stells"), one of the two Infraud administrators, pleaded guilty for his involvement in the forum.

Chiochiu now becomes the second Infraud member to plead guilty for his crimes and is scheduled to be sentenced on December 11, later this year.

The FastPOS malware

As for Chiochiu's creation, the FastPOS malware was first discovered by Trend Micro in 2016. In a PDF report released at the time, Trend Micro said the malware had three main components: (1) a memory scraper that collected payment card data from the computer's RAM; (2) a keylogger for recording user keystrokes; and (3) a self-updating mechanism.

At the time, Trend Micro said it believed it had identified the FastPOS author on an online forum, asking for help with the code for the keylogger component.


The FastPOS malware author seeking help on a coding forum.

Image: Trend Micro

Trend Micro also said it tracked down ads on hacking forums that were promoting the FastPOS malware, which at the time was being sold on the SwipeIt.pw portal. Trend Micro said the portal was hosted on the same server as the FastPOS command-and-control server, effectively linking the ads and Chiochiu's online persona to the FastPOS malware.


Ad for FastPOS' SwipeIt.pw portal on hacking forums

Image: Trend Micro

FastPOS backend panel

Image: Trend Micro

According to Trend Micro, the FastPOS malware was distributed via multiple methods (hacked websites, VNC transfers), suggesting multiple clients had rented the tool, and it claimed victims all over the world, not just in the US.
