Feds make arrest in decade-long botnet probe
Peter Yuryevich Levashov, a Russian national, was arrested in Barcelona and charged with running a massive international spambot.
The Justice Department unsealed an indictment against Peter Yuryevich Levashov, an accused computer scammer who is charged with running spam botnets for more than a decade.
Levashov was arrested in Spain. It's not clear from the charging documents whether the U.S. had cooperation in his arrest from Russian authorities, and law enforcement officials involved with the case did not elaborate on how they snared the elusive suspect.
A representative from the Department of Justice did dispute European press reports, however, that suggested Levashov's arrest was linked to allegations of Russian influence on the 2016 U.S. elections.
Levashov, who has been charged twice previously in botnet cases, is alleged to be the controller of the Kelihos botnet, which has ensnared more than 100,000 computers worldwide at its most powerful. Currently, the FBI alleges that between 25,000 and 100,000 computers are infected with Kelihos malware, a persistent, hard-to-detect program that traps victim computers in a web of spam distribution and surreptitious data collection. The FBI estimates that between 5 and 10 percent of the botnet's computers are in the U.S.
According to charging documents unsealed April 10, the Kelihos botnet allegedly was used to sell prescription pharmaceuticals, engage in "pump-and-dump" stock schemes, distribute ransomware and peddle money-laundering schemes. Levashov made money renting his botnet to criminals who wanted reach and computing power for their phishing schemes and black market activity. According to charging documents, the Kelihos botnet offered gray-market advertising services for $200 per million emails delivered, while charging $300/million for dubious employment schemes and $500/million for phishing email sends.
FBI agents connected Levashov to the Kelihos botnet by examining the trail of email address registrations, mobile phone information and IP data that are linked both to the botnet and to Levashov individually, including records from Apple's iCloud service, Google's Gmail and the social media network Foursquare.
The FBI used the modified Rule 41 in its investigation, which gives federal law enforcement enhanced authority to conduct surveillance on computers linked to a botnet or other suspected computer crime using a single warrant. However, a Justice Department official said on an April 10 call with reporters that this was done "out of an abundance of caution" and that law enforcement did not search the hard drives of computers that were caught up in the Kelihos botnet.
As a result of the probe, infected computers are being steered to a site called a "sinkhole" that alerts the owners that their machines have been ensnared in a botnet and delivers antivirus and other security software designed to remove the Kelihos malware.
The Justice official said that investigators were seeing a decrease in the number of computers connected to the botnet, but it will be some time before the network is completely offline.