Security Experts:

Connect with us

Hi, what are you looking for?



Alleged Kelihos Botnet Author Arrested in Spain

A Russian national arrested by the Spanish police last week is believed to be the programmer behind the infamous Kelihos spam botnet.

A Russian national arrested by the Spanish police last week is believed to be the programmer behind the infamous Kelihos spam botnet.

The man, Pyotr Levashov, was arrested in Barcelona, Spain, while on vacation, supposedly on an arrest warrant issued by United States authorities. The arrest has been already confirmed by the Russian embassy in Madrid, but no official details on why he was detained have been provided.

While mainstream media initially reported that the arrest might be tied to an interference in last year’s U.S. election, it appears that Levashov was actually arrested for his involvement in the development and running of a large spam botnet.

In December 2016, the U.S. officially attributed election hacks to Russian threat groups, and also announced a series of sanctions against Russian nationals, also related to the election hacks. The attribution report, however, failed to achieve its purpose, security experts argued.

According to Reuters, Russian television station RT claimed a connection between Levashov’s arrest and the cybercriminal interference with the U.S. election, but a U.S. Department of Justice official has already confirmed that the arrest doesn’t have “an apparent national security connection.”

A NYTimes article also notes that Levashov doesn’t have an apparent connection to the election hacks, but that he is one of the most wanted spammers worldwide. Also known as Peter Severa, he is believed to be responsible for a long-running computer spam business.

Pyotr Levashov, who also uses the aliases Peter Severa and Peter of the North, is supposedly connected to the Waledac and Kelihos spam botnets, Brian Krebs reports. As he points out, Levashov is present on Spamhaus’ global Top 10 Worst Spammers.

Capable of sending around 1.5 billion spam messages a day, Waledac was taken down in 2010, but Kelihos emerged the same year, featuring many code similarities with the previous threat. However, the new malware variant wasn’t considered as part of the Waledac family, as it was a new and separate spam botnet.

Kelihos is currently one of the largest spam bots out there, and has been able to withstand several takedown attempts by security companies. Last year, the botnet was observed tripling its size overnight, and is currently placed first in Check Point’s Top 10 malware threats. Earlier this year, it also displayed worm-like distribution capabilities.

According to Krebs, while there is ample evidence tying Levashov to Waledac/Kelihos, the man is also believed to be connected to a series of criminal operations where malware authors and spammers were paid to install “fake antivirus” software that would display an overwhelming amount of alerts to victims, in an attempt to force them into buying bogus software.

Levashov is said to have made more money renting the spam botnets to other cybercriminals than running the email-blasting operations on his own. Reportedly, he would demand $300 per million messages promoting auction and employment scams, and $500 per million phishing emails. Recently, the Kelihos botnet was observed distributing ransomware.

Related: Lithuanian Man Arrested Over $100 Million Email Scam

Related: Briton Arrested Over Deutsche Telekom Hacking

Related: Italian Siblings Arrested Over Long-running Cyber Espionage Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...