For over a decade, Russian Market has stood as a pillar of the cybercrime underground, a sprawling bazaar where stolen digital identities, browser cookies, and remote access credentials are sold by the thousands. While competitors like Genesis Market have fallen to law enforcement, Russian Market has remained untouchable. Now, a new investigative report by Intrinsec has pierced the veil of anonymity surrounding the platform, linking its infrastructure to a persistent threat actor known as “Fly.”
The report, released in December 2025, details a complex web of historical domain registrations, cryptocurrency trails, and forensic artifacts that connect “Fly” (also known as “Flyded”) to the very foundations of the marketplace.
Russian Market is unique in its longevity. “Active since 2014, the marketplace has risen in popularity and sells logs from all over the world, with around 60 000 units per week at its peak”. Despite its infamy, its leadership has remained a ghost—until now.
Intrinsec researchers traced the platform’s origins back to its earliest promotional campaigns. They discovered that a user named “Fly” was instrumental in its initial rise.
“We cannot determine with certitude that ‘FLY’ is a Russian Market administrator, but we can confirm that he has links to the platform and was the first user to promote the marketplace publicly via the username ‘FLYDED’, which was also the previous name of Russian Market”.
This user has maintained a decade-long presence on cybercrime forums and Telegram channels, often buying and selling illicit access in lockstep with the marketplace’s evolution.
The investigation took a forensic deep dive into the marketplace’s aging infrastructure. By querying historical Whois records for domains like flyded[.]com and russianmarket[.]gs, researchers uncovered critical email addresses: TimeToHardWork[@]outlook.com and Verybigman[@]yahoo.com.
These identifiers provided a rare glimpse into the operator’s history. The email TimeToHardWork was found in a data leak from BTC-E, a now-defunct cryptocurrency exchange notorious for money laundering.
“BTC-E was a cryptocurrency trading platform primarily serving Russian users, and funds from the exchange were used for the war in Donbass under the control of the FSB”.
Perhaps the most intriguing discovery was a piece of malware from 2015 named SystemInfoUtility.exe. Researchers linked this file to the same email addresses associated with the Russian Market domains.
This executable appeared to be a “prototype of a stealer,” designed to harvest system information and patch Windows files to enable multiple Remote Desktop Protocol (RDP) sessions. Deep within the file’s metadata and associated accounts, researchers found a potential real-world identity: “Alex Aske.”
“A malicious file acting stealer-like from 2018 was associated with these mail addresses and a user named ‘AlexAske’”. While the name may be a pseudonym, the Google+ profile linked to the email suggests a Russian-based developer who was active during the marketplace’s formative years.
The strongest link between “Fly” and the Russian Market empire lies on the blockchain. Intrinsec mapped the marketplace’s payment infrastructure, identifying a sophisticated “node” system used to launder incoming payments.
By analyzing transactions, researchers found that a wallet explicitly shared by “Fly” on Telegram received funds directly from Russian Market’s payment funnel.
“Finally, using on-chain analysis, we were able to link the user ‘Fly’ to Russian Market’s bitcoin infrastructure, as a specific wallet received funds from wallets associated with the marketplace”.
The investigation further revealed that “Fly” utilized illegal mixing services like Bitzlato and non-KYC exchanges to wash these funds, cementing the connection to illicit financial flows.
The survival of Russian Market highlights the resilience of modern cybercrime operations. As Intrinsec notes, “The longevity and constant output of this marketplace is remarkable, but also a symptom that fighting cybercrime can sometimes be arduous”.
By unmasking the historical and financial ties of “Fly,” this report offers law enforcement and defenders new actionable intelligence against one of the web’s most enduring criminal bazaars.