In the US, two men were charged for allegedly being involved in the administration of a darknet marketplace called WWH Club.
US federal authorities have filed charges against Kazakhstan’s Alex Khodyrev and Russian citizen Pavel Kublitskii for allegedly operating the darknet marketplace WWH Club. The indictment from Tampa, Florida, accuses the defendants of conspiracy to commit access device fraud and wire fraud. Despite the arrests, the WWH Club is still active.
The duo is accused of facilitating cybercrime between 2014 and 2024 as the main administrators of WWH Club and various other sister sites that served as darknet marketplaces, forums, and training centers. Specifically, the two are said to have played central roles in WWH Club, such as managing the platform’s infrastructure, enforcing rules, and directing users to engage in fraudulent activities. To evade law enforcement, they allegedly employed tactics such as cryptocurrency mixing and decentralized server networks.
WWH-Club serves as a criminal hub on the darknet and makes its living by buying and selling stolen credit card data, personal information and malware. According to Flashpoint WWH-Club is considered one of the largest Russian-speaking carding forums. The forum serves as an entry platform for larger and more established forums such as Exploit and XSS.
WWH-Club also offers training for aspiring cyber criminals and operates an escrow service to protect illegal transactions. The defendants’ sphere of influence allegedly extended far beyond WWH-Club to several other darknet platforms. In a press release The U.S. Attorney’s Office for the Middle District of Florida’s September 6 filing states:
“Members of WWH Club and its sister sites used the marketplaces to buy and sell stolen personally identifiable information (PII), credit card and bank account details, as well as computer passwords and other sensitive information. On the forums of WWH Club and its sister sites, users discussed, among other things, best practices for committing fraud, conducting cyberattacks, and evading law enforcement.”
WWH-Club: Cross between Ebay and Reddit
By 2023, more than 353,000 accounts were registered on the darknet marketplace WWH-Club, most of which were involved in cybercrime, from trading personally identifiable information (PII) and banking data to discussing tactics to evade the police. The Russian-language cybercrime forum compared an FBI agent to “a cross between eBay and Reddit that exists solely for the purpose of promoting and facilitating crime”.
WWH Club served as a training ground for aspiring cybercriminals
However, the WWH Club is not only a darknet marketplace, it also offers an opportunity for further training. Aspiring cybercriminals are offered courses in the areas of fraud and cybercrime. The operators generate income through their own escrow service, course fees and the sale of advertising space. The stated cost of the courses alone ranged from 10,000 to 60,000 rubles (approximately $110 to $664 on September 7, 2024), plus $200 for training materials.
These alleged criminal activities promoted a luxurious lifestyle for the operators. Authorities seized high-end vehicles such as a 2023 Mercedes-Benz G63 AMG and a 2020 Cadillac CT5 sports sedan. The duo’s lavish lifestyle, from spending money to luxury purchases, caught the attention of the IRS.
Although Kublitskii and Khodyrev apparently had no legal income, they indulged in a luxurious lifestyle, including a $50,000 cash deposit into a bank account, a luxury rental apartment in Sunny Isles Beach, and extravagant spending on tourist attractions. Khodyrev’s cash purchase of a 2023 Chevrolet Corvette for $110,000 also caused a stir. says the court documents.
Khodyrev, a Kazakh national, and Kublitskii, a Russian national, were arrested while living in Miami. The two have been in the United States for the past two years. They applied for asylum in the United States in December 2022. If convicted, the two face up to 20 years in prison.
FBI agent infiltrated WWH club to uncover the scam
Court documents show that in January 2023, an undercover FBI agent signed up to the website, paying about $1,000 in Bitcoin to attend a training course offered by the platform. Topics offered included selling confidential information, DDoS and hacking services, credit card skimming, and brute force programs. Criminal complaint states:
“The training was conducted via a chat function on the forum to a class of approximately 50 students; the various instructors delivered the training in text format rather than audio format. It was obvious that the purpose of the training was to educate individuals on how to obtain and use stolen credit card information and PII to generate fraudulent profits.”
DigitalOcean provides crucial investigative clues
But DigitalOcean, a US cloud computing provider, also played a crucial role in the investigation. A search warrant in 2020 forced the company to hand over data on the WWH Club’s activities. A copy of the website’s main server provided the crucial evidence in the case.
The charges follow an investigation launched by the U.S. Federal Bureau of Investigation (FBI) in July 2020 after it was discovered that the WWH Club’s primary domain (www-club[.]ws]) resolved to a DigitalOcean IP address. The finding enabled the FBI to issue a federal search warrant against the cloud computing provider.
Flashpoint conducted its own investigation. You share with:
“Despite their arrests, WWH-Club remains online and active. Moreover, WWH-Club and its other administrators seem to be trying to distance themselves from Kublitskii and Khodyrev – claiming they are only moderators and have no administrative rights to the forum. This contradicts the details published in the official criminal complaint.
Flashpoint has also discovered that the WWH Club has deleted the alleged accounts of Kublitskii and Khodyrev and offers its current members the ability to change their usernames. This may be a countermeasure to obscure any potential follow-up investigation.”
