#### [Security](/security/)

Badass Russian techie outsmarts FSB, flees Putinland all while being tracked with spyware
=========================================================================================

Threatened with life in prison, Kyiv charity worker gives middle finger to state spies
--------------------------------------------------------------------------------------

[Connor Jones](/Author/Connor-Jones) Fri 6 Dec 2024 // 12:32 UTC

A Russian programmer defied the Federal Security Service (FSB) by publicizing the fact that his phone was infected with spyware after it was confiscated by the authorities.

Kirill Parubets was detained in Russia for 15 days after being accused of sending money to Ukraine. During that time he was beaten and subjected to aggressive efforts to recruit him as an FSB informant on his contacts in Ukraine.

According to his account of the story, published with his consent by the University of Toronto's [Citizen Lab](https://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/) and the First Department legal organization, he was threatened with life imprisonment if he failed to comply with the recruitment drive.

To secure his release he agreed, but he and his wife fled the country before the FSB could put him to use. Always keep a second passport, if possible.

First Department's [account](https://dept.one/story/parubets/) revealed that Parubets was working as a systems analyst in 2020, a job that didn't require him to attend an office, so as a self-identifying ethnic Ukrainian, the Russian citizen decided to live in Kyiv.

After Russia's [invasion](https://www.theregister.com/2024/09/24/russia_malware_ukraine_attacks/) of the country in 2022, however, Russian citizens found it impossible to renew their residence permits, so he and his wife Lyubov attempted to obtain Moldovan and Romanian citizenship. They had to return to Russia to collect personal documents.

"There were no problems entering Russia," said Parubets. "We arrived by car through Georgia, through Verkhniy Lars along the Black Sea, and then we lived peacefully in Moscow. I was slowly collecting papers and continued working at the same time."

Then on April 18 earlier this year, six masked men armed with machine guns stormed the Parubets' home, ordered them to the floor, separated them into different rooms, and asked questions about the money transfers.

Kirill confirmed he was involved in charity work when living in Kyiv and that he did make transfers related to this work — an act Russia designated as treason shortly after its invasion began.

His Oukitel WP7 Android device was confiscated and he was forced to surrender the password before he and his wife were detained.

"Judging by how confidently they acted in the apartment, I got the impression that they had been there before, or there was wiretapping, because they knew what was where, what to look for and where," he said. "They very quickly found a phone, a laptop, the most important documents related to Ukraine. In general, they knew where and what was there."

After he agreed to work for the agency, the FSB returned his device at its Lubyanka headquarters, but Russia's finest didn't do a great job of hiding their tracks. Parubets quickly noticed an odd-looking notification reading "Arm cortex vx3 synchronization," which isn't a typical message to receive.

"I picked up the code and saw that it was some kind of spy thing," said Parubets. "I was very interested in information security and knew that there was such a spy module called Monokle. According to the description, it was very similar to it."

After outsmarting the authorities and fleeing Russia, a bruised Parubets worked with investigators, who concluded that during his time in detention a [trojanized version](https://www.theregister.com/2023/10/06/golddigger_android_trojan_vietnam_attacks/) of the legitimate Cube Call Recorder app had been installed on his phone. The app had many hallmarks of spyware — specifically the Monokle family.

Various additional capabilities were detected in the app, including the ability to track the device's precise location when not in use, record video and the device's screen, log inputs, install additional packages, send and read SMS messages, and read messages from other messaging apps.

Many of these features were contained in a single class (com.android.twe1ve) that is specific to [Monokle](https://www.theregister.com/2019/07/24/monokle_android_snoopware/) — a spyware family that dates back to 2019 and was swiftly linked to Russian use.

"This case illustrates that the loss of physical custody of a device to a hostile security service like the FSB can be a severe risk for compromise that will extend beyond the period where the security services have custody of the device," said The Citizen Lab. "In this case, the target noticed several odd behaviors on their device after he was released from detention, such as an unfamiliar and suspicious notification and the presence of an app that he had not installed. However, not every attempt to infiltrate and monitor a device is likely to result in such visible alerts.

"We encourage members of civil society that have lost physical custody of their device to a security service, especially a technically competent service in an authoritarian state like Russia, to seek expert assistance when the device is returned to them. Any person whose device was confiscated and later returned by such services should assume that the device can no longer be trusted without detailed, expert analysis." ®
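One way to act on that advice once a device comes back from custody, added here as an example and not code from Citizen Lab, First Department or The Register: compare a pre-custody inventory of installed packages and APK digests against the returned device, and flag anything new, missing or rebuilt, as well as any package carrying the Monokle-linked class the article names. The package names, digests and class lists below are constructed placeholders (the real Cube Call Recorder package id is not given on the page); in practice the inventories would come from a forensic acquisition of the device.

```python
import hashlib
from dataclasses import dataclass

# Class name the article reports as specific to the Monokle family.
MONOKLE_CLASS = "com.android.twe1ve"


@dataclass(frozen=True)
class InstalledApp:
    package: str
    apk_sha256: str      # digest of the installed APK file
    classes: frozenset   # class names recovered from the APK's DEX files


def apk_digest(apk_bytes: bytes) -> str:
    """SHA-256 of an APK, the value recorded in a pre-custody snapshot."""
    return hashlib.sha256(apk_bytes).hexdigest()


def triage(baseline: dict, current: dict) -> dict:
    """Compare the post-return inventory with the pre-custody baseline.

    Reports packages that are new, removed, or present with a different APK
    digest (a legitimate app replaced by a rebuilt one), and any package whose
    class list contains the Monokle-specific class.
    """
    findings = {"new": [], "removed": [], "replaced": [], "monokle_class": []}
    for pkg, app in sorted(current.items()):
        if pkg not in baseline:
            findings["new"].append(pkg)
        elif baseline[pkg].apk_sha256 != app.apk_sha256:
            findings["replaced"].append(pkg)
        if MONOKLE_CLASS in app.classes:
            findings["monokle_class"].append(pkg)
    findings["removed"] = sorted(p for p in baseline if p not in current)
    return findings


def trusted(findings: dict) -> bool:
    """Any deviation from the baseline means the device is no longer trusted."""
    return not any(findings.values())


def demo() -> dict:
    """Constructed inventories: a placeholder call-recorder package whose APK was
    swapped for a rebuilt one carrying the Monokle class, plus one unknown app."""
    legit = InstalledApp("com.example.callrecorder", apk_digest(b"constructed legit build"),
                         frozenset({"com.example.callrecorder.MainActivity"}))
    swapped = InstalledApp("com.example.callrecorder", apk_digest(b"constructed rebuilt build"),
                           frozenset({"com.example.callrecorder.MainActivity", MONOKLE_CLASS}))
    extra = InstalledApp("com.example.unknownapp", apk_digest(b"constructed extra apk"), frozenset())
    return triage({legit.package: legit}, {swapped.package: swapped, extra.package: extra})
```

A clean result from `triage` only says the inventory matched the snapshot; it does not rule out changes below the package layer, which is why the article's advice to seek expert analysis still stands.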