15-Year-Old Malware ProxyNet “Check2ip”

VIP72, a cybercrime anonymity site also known as Check2ip, has allowed fraudsters to hide their true location online for the past 15 years by routing their traffic through millions of infected systems. VIP72's online storefront, which ironically sat at the same U.S.-based Internet address for over a decade, vanished about two weeks ago.

VIP72, like other anonymity networks marketed primarily on online cybercrime forums, routes customers' traffic through computers that were hacked and seeded with malicious software. Check2ip and VIP72 let customers select a network node in almost any country and relay their traffic through it, hiding behind an unwitting victim's Internet IP address.

VIP72 was first registered to "Corpse" in 2006. This handle had been adopted several years earlier by a Russian-speaking hacker who created and sold an extremely sophisticated online banking trojan called "A311 Death," a.k.a. "Haxdoor" and "Nuclear Grabber." This was well before cyber heists were a daily news story.

From 2003 to 2006, Corpse specialized in selling and supporting the Haxdoor malware. In 2006, VIP72 was clearly a side hustle, one that he turned into a steady moneymaker over the years. It stands to reason that VIP72 was launched using systems infected by Corpse's trojan malware.

In 2006, VIP72 was first mentioned in the cybercrime underground when someone using the username "Revive" posted a link to the service on Exploit, a Russian-language hacking forum. Revive set up a sales presence for VIP72 on multiple forums. The contact details and messages that Revive shared with other forum members reveal Corpse and Revive to be one and the same person.

A Russian-language crime forum member complained last month about VIP72's mysterious closure. He claimed to have noticed a shift in the site's domain name infrastructure just before the disappearance. This claim cannot be confirmed, as there is no evidence that VIP72's infrastructure was altered prior to its demise.

Check2ip[.]com was a long-running service by Corpse/Revive. Using it, customers could quickly find out whether an Internet address had been flagged as spammy or malicious by security companies.

Check2IP was hosted on the same Internet address as VIP72 for the past decade, up to mid-August 2021. Check2IP also advertised the ability to help customers identify "DNS leaks," situations where configuration errors could expose the true Internet address of hidden cybercrime infrastructure online.

Check2IP has become so well-known that it is used as shorthand for basic due diligence within certain cybercrime groups. Check2IP is also integrated into many online cybercrime services, especially those involved in mass-mailing malicious or phishing emails.