Careful What You Wish For: The NewProfilePic App

Social media users have been abuzz about the ability to create a portrait-like image using the Newprofilepic app. “It really brings out the best in you!” they say. Then, one day, the buzz takes a turn – “You haven’t heard? The Newprofilepic app is Russian and sends all of your data back to Russia, I saw it in The Daily Mail!”

Do you freak out? Do you bury your head in the sand? Do you reset all of your passwords, fire your staff, burn your tax records, and set up a new shell company in Madagascar (which, I hear, is beautiful this time of year)?

Then you remember your old trustworthy friend – Snopes. You know, the one you go to when you hear the insane bits of news from the latest celebrity trials, or the billionaires whose tweets cause rumbles in the stock market, or the tale about the man who was paralyzed after eating 413 chicken nuggets.

Snopes, in a communication with a spokesperson for the parent company of Newprofilepic, Linerock Investments (pho.to), says that one of the company’s domains was originally registered in Russia because the developers registered it, and that the owner of the company resides in Florida. So that’s that! Snopes saves the day yet again?

Not so fast. A quick search in the web archive of the domain pho.to shows that the website’s contact information included email addresses at the vicman.net domain. That domain currently redirects to the phot.to site, but if you browse directly to vicman.net/index.html, you reach the company’s old website.

VicMan Software website, looks like something out of the late 1990s…

The company’s About page says the “​​company was established in 2001 by Victor Sazhin…as a hobby business…[that] has developed several unique technologies for digital imaging.” It mentions it was restructured in 2005 in order to bring products to market. It is headquartered in Moscow, Russia and Alexandria, VA.

A search on Open Corporates [opencorporates[.]com] for Vicman Software reveals a company that was incorporated in Virginia on 21 October 2005 and was dissolved on 1 March 2022.

Sazhin is listed as an officer, along with Dmitri Dubograev and Yuri Bakay. Sazhin is also listed as an officer at a company registered as Filipark Estates, Inc. in Florida, presumably a residential property company.

Bakay is the founder of Mindcruncher, LLC located in Fairfax, VA, a company that helps Russian “companies to enter [the] American market successfully.” [source: https://mindcruncher[.]com]

Dubograev is a lawyer who runs a femida[.]us, a law firm headquartered at the Alexandria, VA address listed in the registration for Vicman Software. The firm has “unique experience addressing legal issues arising from commercializing and marketing of innovative technologies and hi-tech products developed in the former Soviet Union.” [source: https://femida[.]us/about]

Presumably, Sazhin sold his company, or received investment and restructured in March 2022.

Does he still work there? On February 20, 2022, four days prior to the start of the conflict between Russia and Ukraine, he posted the following:

[source: https://www.facebook[.]com/photo?fbid=10158745406390488&set=a.10153356273360488]

Sazhin indicates in this post that he lives in Moscow, and he mentions his company’s name, Photo Lab. A search through publicly available Russian corporate records reveals Victor Victorovich Sazhin has three currently operating companies: Vikman Development LLC, Informer Development LLC, and Photolab Development, LLC, all in the Moscow region.

Presumably, Vikman Development is related to the original company and Photolab is the successor company. No further information was immediately available on Informer Development, LLC, though the name seems rather suspicious. Research into the contracts any of these companies might have with the Russian government or government controlled entities may be telling.

Assuming there are no contracts with the Russian government. What then? Photo Lab’s representative insists that no user data is retained. This should be good enough, right?

Mr. Sazhin’s lawyer Dmitriy Dubograev explains this beautifully:

[In Russia,] contracts are needed for the most part to cover your back and show them to state and tax authorities. The state stands as the enemy, against whom these companies try to defend themselves with paperwork.

In the U.S., your rights are just what you could secure to yourself in the course of contract negotiation. It is not the state that will impinge upon your rights.

[source: https://www.dw[.]com/en/russia-tightens-internet-controls-makes-it-easier-to-spy-on-citizens-critics-say/a-18690498]

In 2015, the Russian government enacted a requirement that all Russian companies store the data of Russian citizens on servers in Russia.

[source: https://www.sciencedirect[.]com/science/article/abs/pii/S0267364917303369#:~:text=According%20to%20the%20Russian%20legislation,data%20have%20to%20be%20stored.]

Most companies do not partition their user data by country of origin, as that would be cost-prohibitive. Beginning in 2018, the Russian government has required all internet services to retain user data for at least a year.

[source: https://www.sciencedirect[.]com/science/article/abs/pii/S0267364917303369#:~:text=According%20to%20the%20Russian%20legislation,data%20have%20to%20be%20stored.]

We assess that it is likely that the Newprofilepic application retains user data for at least a year, on servers in Russia, and that it is possible that one of the many companies associated with Victor Sazhin may have contracts with the government to sell this data, but that would require further investigation.

A good threat intelligence team tries to understand the human and the technical aspects of a perceived threat and how it affects you and your bottom line and reputation.

It’s hard, but the result is rewarding. Snopes provides a valuable service but like many organizations, they don’t have deep research and analysis capabilities. Stick with them for the chicken nuggets, celebrities, and tweets, but when in depth analysis is required, it’s best to rely on skilled intelligence analysts.

About Nisos®

Nisos is The Managed Intelligence Company™. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.