Tales of the Cyber Underground: LessPay, Cybercriminals’ Hot New Virtual Currency?

Tales of the Cyber Underground: LessPay, Cybercriminals’ Hot New Virtual Currency?
Tales of the Cyber Underground: LessPay, Cybercriminals’ Hot New Virtual Currency?

Troels Oerting, director of the year-old anti-cybercrime division, told me they put together a daily report on these unregulated monetary systems every day for its partners, one of which is the UK’s National Cyber Crime Unit (NCCU). Oerting’s revelation cast my mind back to an interview with NCCU chief Andy Archibald late 2013, when he said his unit would find ways to exploit the traceability of Bitcoin. They both believe they can exploit weaknesses in today’s cryptocurrencies.

But cybercriminals have adapted quickly. As Dogecoin and countless other emergent Bitcoin-like currencies have shown, it’s not beyond the realms of possibility to quickly create a new kind of anonymous transaction mechanism and have it in wide usage in a short time. Underground forum owners and their customers have caught on. Some have created their own forum-specific payment systems so that they don’t have to rely on Bitcoin, which, whilst it may have grown in popularity upon the decline of Liberty Reserve, has had its promise of anonymity repeatedly called into question.

Introducing LessPay

Whilst all this has been going on, another digital currency has been gaining traction on the forums too: LessPay. Analysts at RSA, the security arm of EMC, told me criminals are adopting LessPay across various forums. It claims to offer total anonymity and comes with a nice-looking shopping cart interface, to make the experience of buying hacking tools that bit more enjoyable.

LessPay was first brought to the attention of the digital criminal community back in May 2013, but only as an idea amongst users of Russian underground forums. The LessPay site’s WHOIS records indicate the creators actually kicked things off back in 2012. It then became a reality in August 2013, again on a much-used Russian site. One of the more respected users of that site declared: “LessPay is here to replace Perfect Money.” He or she suggested a slew of Perfect Money accounts had been blocked and so a new solution was needed. Initial uptake was cautious, but it then expanded to become the standard way to pay on a handful of the most popular credit card data stores.

It appears the promises of anonymity have paid off, but perhaps its most important feature is the purported inability for accounts to be blocked. As for its inner workings, the currency relies, much like Bitcoin, on a handful of exchanges where people can turn their regulated currency into LessPay coins, which are worth around $1 each right now. Users are charged a one per cent fee per transaction. There is little transparency around the protocol, however, which could deter those who want to know the ins and outs of the system as they do with Bitcoin.

Meet the LessPay Conductor

A Latvian resident called Sergei Visotsky claims to be the front-end developer of LessPay. He even promotes the fact on the public internet, describing LessPay as a UK-based bank, which is hardly believable, especially considering the language used on Visotsky’s site and on the currency’s own web pages. “LessPay is the bank who is based in England. My main tasks were to develop front-end from PSD [Photoshop Document] template for this bank website. This bank use flat UI. Flat UI at this time is a trend in web design”, Visotsky says.

And here’s how Visotsky describes himself on LinkedIn: “I am a front-end developer who likes writing clear, elegant, beautiful code. I prefer HTML5 and CSS3 most of all. I think great works will change our life.” Well, LessPay may change some people’s lives, both for the better and for the worse. He claims to have been behind another online payment system too, PayWay Web Kiosk, based out of Uganda. Again, his production is rudimentary at best.
Visotsky appears to have vacated his various social networking profiles, which haven’t included updates since November last year, nor was he contactable over Skype, despite my efforts. The site he created, ironically, contains anti-money laundering and anti-fraud disclaimers.

It’s unclear whether Visotsky was involved in the production of the code behind LessPay or whether he was simply contracted as a freelancer to carry out the website development. Cybercriminals, or anyone pushing out digital goods for suspicious purposes, often hire outsiders to do the tedious work of marketing their products. Either way, he helped the currency become more popular, regardless of the quality of the website he created.

Catch It If You Can

LessPay doesn’t yet appear to be quite as popular as WebMoney and Perfect Money, which both became more widely used after US law enforcement took Liberty Reserve down. But RSA sees LessPay as the “most promising” contender. “We've seen it being used in several [credit card data] stores. But it’s slowly being used in forums too. It's still nascent”, says RSA’s Daniel Cohen.

Indeed, it would appear no single currency will emerge as the true successor to Liberty Reserve. On both the policing and the criminal sides, there are some apparent problems with this state of proliferating virtual currencies. One wonders how digital sleuths will be able to continue to exploit weaknesses in cryptocurrency protocols if the criminals can simply move to or create a new one when they please.

But then one also wonders where the value lies in virtual currencies if there are so many of them, without any properly-governed central body to decide on what they are worth. Whilst giving themselves extra security in numbers, cyber crooks could also be devaluing their exploits.


What’s hot on Infosecurity Magazine?