CampaignSMS

How Kopeechka, an Automated Social Media Accounts Creation … – Trend Micro

This report explores the Kopeechka service and gives a detailed technical analysis of the service’s features and capabilities and how it can help cybercriminals to achieve their goals.
By: Cedric Pernet
In recent years, cybercriminals have become increasingly professional: fraudsters have consistently been improving their skills, making fewer crucial mistakes, and creating various “as-a-service” businesses to help lower-skilled threat actors launch scams and attacks, allowing the latter to run full cybercrime operations.
There are different types of cybercrime services that exist today, including malware-as-a-service, where cybercriminals develop and sell malware services to other malicious actors; the service also includes creating and spreading malware types such as ransomware on compromised hosts. Meanwhile, other services require the use of multiple social media accounts to be successfully carried out, such as misinformation, spamming, and malware propagation. Indeed, it’s not uncommon for cybercriminals to send thousands of spam messages using thousands of accounts on social media platforms. But how do they manage to automate all of it?
Recently, we came across a service that, while it is not necessarily illegal, facilitates cybercrime operations that rely on large-scale social media spamming: the Kopeechka service. In Russian, “kopeechka” means “penny.”
The service has been active since the beginning of 2019 and provides easy account registration services for popular social media platforms, including Instagram, Telegram, Facebook, and X (formerly Twitter). We also noted that registrations on chat sites aimed at minors were available via Kopeechka.
How social media platforms secure their account creation processes
Most social media platforms have taken active steps to strengthen their account creation security. Since many cybercriminals create accounts on social media platforms for use in their illegal operations, social media companies are trying to minimize the risk of having malicious actors on their platforms, an effort that starts with the account creation process.
Different security measures exist to protect platforms against the creation of fraudulent accounts, such as the following:
Depending on the targeted social platform, cybercriminals would need unique email addresses, unique phone numbers, and non-suspicious IP addresses to successfully create accounts on their own.
Although some social media platforms use CAPTCHAs to stop automated registration, this doesn’t pose a considerable roadblock for cybercriminals, as different services now exist that allow malicious actors to bypass CAPTCHAs in an automated way. The same goes for IP address-checking services, as cybercriminals can use residential proxies to bypass these measures.
Cybercriminals can therefore bypass CAPTCHAs and IP address reputation-checking tools using automated scripts. However, they still need one valid email and possibly a phone number for each account that they want to create. This is where Kopeechka comes in.
Kopeechka does not provide access to email inboxes, but it provides access to emails received from social media platforms. The service has been designed so that the mailbox account is still controlled by Kopeechka and not by any third-party user.
Kopeechka offers two different types of email addresses: those that use its own domains, and those that are hosted on more popular email hosting services.
Kopeechka indicates the number of valid emails that it currently has in stock, as seen in Table 1. Interestingly, the majority are Hotmail and Outlook inboxes, which are Microsoft-related inboxes.
We suspect that these email addresses are either created by Kopeechka actors themselves or possibly compromised email inboxes, as we’ve previously seen these actors post messages in underground communities’ compromised email threads. Kopeechka also purchases email accounts, which can be seen in Figure 1.
The service also provides several email addresses hosted on 39 domains that it owns at the time of writing.
The pricing for Kopeechka domains (Figure 2) differs from that for popular domains (Table 1), with the popular services being more expensive: Kopeechka domains cost RUB₽0.05 or USD$0.0005 at the time of writing, while some popular domains can cost up to RUB₽1 or USD$0.01.
How does Kopeechka work?
Kopeechka provides its customers with both a web interface and an API.
It’s evident in Figure 3 that the web interface allows users to easily create social media accounts using purchased email addresses, while the API makes it easier for users to create multiple social media accounts automatically.
For social media platforms that are not currently known to Kopeechka, users can use Kopeechka’s API.
All these processes can be fully automated, which could allow cybercriminals to create potentially hundreds of accounts or more in just a few seconds, as long as they have enough money in their Kopeechka account.
No access to actual mailboxes

Kopeechka does not provide access to the actual mailboxes. When users request mailboxes to create social media accounts, they only get the email address reference and the specific email that contains the confirmation code or URL. This is crucial for the Kopeechka service, as it allows Kopeechka actors to use one single email address for multiple registrations on different social media platforms, as seen in Figure 5.
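As an added example (not from the original report or from any platform's code), the following scores signup events on two signals that follow from the workflow described above: many registrations from one little-known email domain within seconds, and confirmation codes consumed at machine speed because they are fetched through an API. The event fields, thresholds, provider list, and addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(seconds=60)  # assumed threshold
BURST_MIN = 5                         # assumed: signups per domain per window
FAST_CONFIRM_S = 10                   # assumed: humans rarely confirm this fast
# Assumed list of high-volume providers where per-domain bursts are normal.
MAJOR_PROVIDERS = {"outlook.com", "hotmail.com", "gmail.com"}

# Constructed sample events: (signup time, email, seconds between the
# confirmation mail being sent and the code/URL being used; None = never).
SAMPLE_EVENTS = [
    ("2023-10-01T10:00:01", "u1@bulk-mail.example", 3),
    ("2023-10-01T10:00:02", "u2@bulk-mail.example", 4),
    ("2023-10-01T10:00:02", "u3@bulk-mail.example", 3),
    ("2023-10-01T10:00:03", "u4@bulk-mail.example", 5),
    ("2023-10-01T10:00:04", "u5@bulk-mail.example", 4),
    ("2023-10-01T10:00:05", "qx81@outlook.com", 2),
    ("2023-10-01T10:07:00", "alice@outlook.com", 95),
    ("2023-10-01T11:30:00", "bob@smallco.example", 240),
    ("2023-10-01T12:00:00", "carol@gmail.com", None),
]


def burst_domains(events):
    """Return non-major domains with >= BURST_MIN signups inside BURST_WINDOW."""
    times = defaultdict(list)
    for ts, email, _ in events:
        domain = email.rsplit("@", 1)[1].lower()
        if domain not in MAJOR_PROVIDERS:
            times[domain].append(datetime.fromisoformat(ts))
    flagged = set()
    for domain, stamps in times.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans <= BURST_WINDOW.
            while stamps[end] - stamps[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_MIN:
                flagged.add(domain)
                break
    return flagged


def flag_signups(events):
    """Map each suspicious email to the list of signals that fired."""
    bursty = burst_domains(events)
    result = {}
    for _, email, latency in events:
        reasons = []
        if email.rsplit("@", 1)[1].lower() in bursty:
            reasons.append("domain_burst")
        # Still fires for major-provider inboxes, where domain signals are useless.
        if latency is not None and latency <= FAST_CONFIRM_S:
            reasons.append("fast_confirmation")
        if reasons:
            result[email] = reasons
    return result
```

The confirmation-latency signal matters because, as the report notes, most of the stocked inboxes sit on major providers whose domains cannot be blocked or rate-limited as a whole.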
How SMS comes into play
Certain social media platforms include an account validation step that requires a phone number that they will use to send a text message containing a unique code. The user would then need to enter the code on the platform to register successfully.
To solve this problem, Kopeechka enables its users to choose from 16 different online SMS services. As with all of its services, Kopeechka provides video tutorials alongside descriptions of each service and how each works.

Kopeechka’s marketing and customer service
In addition to advertising its services, Kopeechka fosters customer loyalty by constantly communicating with its users and providing transparency on anything happening to the service, including networking problems and bug notifications. Kopeechka provides tips, full tutorials, and even compensation to its customers.
In this block quote, Kopeechka actors communicated with their customers regarding a recently fixed bug and offered compensation for customer losses.
Bad news
Unfortunately, we had a serious bug that allowed us to recover accounts instagram.com people they didn’t belong to.
-The bug was in the SENDER parameter when ordering a letter.
We created this parameter a long time ago so that customers could receive emails from sites whose sender does not match the URL itself. At that time, we could not have thought that someone would look for vulnerabilities in the parameters and select them for abuse.
-We fixed this bug.
The sender time parameter will not affect anything at all, because whatever you enter into it, the service will see NULL.
-We apologize to those who have lost their instagram accounts.
If you are one, write to support [https:// t.me/{Telegram shortcut}]. All cases will be considered individually, compensation for your losses is possible.
-Losses from other sites have been noticed. The bug is completely fixed, such situations will not happen again.

All in all, Kopeechka seems to take a professional approach in handling customer communications, appearing to use a customer relationship management (CRM) tool called Bitrix24 for its sales, marketing, and project management needs. Our reason for believing that Kopeechka uses this software is that Bitrix24 uses one subdomain per customer, and we discovered an existing “kopeechkastore.bitrix24.ru” subdomain that has been active since at least 2019.
Kopeechka also provides online videos, frequently asked questions (FAQs), and dedicated pages describing how the service works. Our analysis of its infrastructure revealed more hidden gems for customers, which we did not see advertised anywhere else and which are probably only accessible from the user’s internal interface.
An example of a hidden gem for customers is the platform’s customer training center, which allows customers to test their account creation and logging skills. This gives users the ability to try the service for free.
Kopeechka also offers a regular expression testing platform, which allows it to get better at matching texts from emails, in case users want to subscribe to a special service that has a format that Kopeechka does not know or cater to yet.
Automating, collaborating with other Russian online services
For users who want to automate the account registration process but are not skilled enough to use the API, Kopeechka encourages them to use a third-party Russian service called ZennoPoster, which has been active since 2011. We have reason to believe that this web task automation tool is owned by a certain Mikhail Evgenievich Kulikov.
ZennoPoster allows users to automatically execute browser actions by working like a script that performs one action after another on a browser. Kopeechka users can thus use ZennoPoster as an automatic registration system.
Several online topics explain how to use ZennoPoster together with Kopeechka to register accounts on different social media platforms. One such example is the use of both ZennoPoster and Kopeechka to create an account on “mylove.ru,” a Russian dating website.
ZennoLab, the maker of ZennoPoster, sells dozens of automated tasks related to interacting with social media platforms and other online websites. One of these automated tasks is a script for X (formerly Twitter), which will go through an X account and send messages to all its followers. As a result, this account could then be used to send spam.
ZennoLab also has CAPTCHA recognition and proxy hunting or checking services.
It should be noted that Kopeechka encourages its users to use the ruCaptcha CAPTCHA-solving service by offering a 5% refund.
Kopeechka also has an affiliate program for developers and users. While developers who use the Kopeechka API in their software can get 10% of sales, users who persuade more people to use Kopeechka via an affiliate link can earn 10% of the amount each new user spends on Kopeechka. Users who upload used emails will also get a certain percentage of the emails’ sales.
Advertising the service in underground forums
Since its creation in February 2019, Kopeechka has always advertised its services. With every update, Kopeechka updates its advertisement threads in cybercriminal forums.
Currently, Kopeechka has about 1,000 subscribers on its Russian Telegram channel and 440 subscribers on its English Telegram channel.
Looking for exploits and more
On top of advertising in cybercriminal underground forums, it appears that Kopeechka actors are also interested in finding exploits. We’ve seen a number of profiles using the Kopeechka name in different forums showing an interest in using exploits and ways to break into accounts. On many of these forums, threat actors only share content with those who reply to relevant threads, making it easy to identify what Kopeechka actors are interested in. In addition, Kopeechka actors sometimes ask questions about products or services advertised in such forums.
In June 2022, a user posted an advertisement in a forum about an exploit that can supposedly bypass Gmail. A Kopeechka-named user replied in March 2023 asking about the exploit and inquiring if it is still up to date.
On another forum, a Kopeechka-named user replied to threads on how to crack social media accounts including Spotify, Netflix, Steam, as well as threads about using Black Bullet and a free web-testing software called OpenBullet, which we reported on in 2021.
In 2020, Kopeechka actors also posted in a forum requesting help in producing “a batch of documents, not for widespread use, with a protection that is approximately the same as on diplomas.” While we have no idea about the kind of documents they wanted to produce, the request is suspicious as the purpose behind it could have been to submit fake documents to fulfill requirements from various service providers or administrations.
What is Kopeechka being used for?
Kopeechka can be used for just about any service that would need to handle account registrations.
While investigating a recent massive cryptocurrency scam, we reported the abuse of the Mastodon social network, which suddenly saw hundreds of new accounts being created to promote fake cryptocurrency websites to Mastodon users. Brian Krebs discussed how the Kopeechka service was used to mass-register Mastodon accounts earlier this year.
Bots also use Kopeechka for easy account creation. We have seen code that enables the creation of social media accounts via the Kopeechka API, including scripts for Discord, Telegram, and Roblox accounts.
In addition, we found a Python script that could be used to create VirusTotal accounts, suggesting that some users might register these accounts for possibly testing malware detections.
Based on our observations, we believe that the long-established reputation of Kopeechka plays a role in its popularity with cybercriminals: Malicious actors appear to believe that a product or service is more reliable because of it.
The official Kopeechka API itself is made available at a large scale, allowing it to be integrated into any kind of code. It exists on most developers’ platforms, including Python Package Index (PyPI), NuGet, GitHub, and npm.
Kopeechka’s services can facilitate an easy and affordable way to mass-create accounts online, which could be helpful to cybercriminals. Kopeechka customers use the service to easily create a large number of accounts without the hassle of SMS and email verification.
While Kopeechka is mainly used for creating multiple accounts, it can also be used by cybercriminals who want to add a degree of anonymity to their activities, as they do not need to use any of their own email addresses to create accounts on social media platforms.
The Kopeechka problem can only be fought if email service providers come together and collaborate on strengthening their registration processes, an effort that can possibly be made via artificial intelligence, which could provide ways to detect automatic account registrations.
Kopeechka domains
Cedric Pernet
Sr. Threat Researcher
Copyright ©2023 Trend Micro Incorporated. All rights reserved