U.S. Authorities Take Down Kelihos Botnet as Alleged Creator is Arrested in Spain
US authorities moved Monday to take down a global computer botnet behind the massive theft of personal data and unwanted spam emails, as Spain arrested the notorious Russian hacker who operated it.
US authorities say the Russian, Piotr or Peter Levashov, had operated the Kelihos network of tens of thousands of infected computers, stealing personal data and renting the network out to others to send spam emails by the millions and extort ransom from computer owners.
Levashov, also known in the hacking world as Peter Severa, was arrested at Barcelona airport on Friday at the US request.
A Spanish judge on Monday ordered him to be remanded in custody as Washington is expected to seek his extradition.
Spanish police said in a statement late Monday that the arrest was the result of a “complex inquiry carried out in collaboration with the American FBI.”
A US indictment unsealed Monday said Levashov, 36 and a native of St. Petersburg, had operated the Kelihos botnet since around 2010.
It was not the first time US officials have gone after him. In 2008 he was indicted as a Russia-based partner of the leading US spammer, Alan Ralsky. Ralsky and others were jailed in that case but Levashov was never caught.
100,000 computers infected
The Kelihos network is made up of private computers around the world running on the Microsoft Window operating system. The computers are infected with malware that gives Levashov the ability to control them remotely, with the owners completely unaware.
According to the Justice Department, at times the number of computers in the network has topped 100,000, with between five and 10 percent of them in the United States.
Through underground networks, Kelihos sold the network’s services to others, who would use it to send out spam emails advertising counterfeit drugs, work-at-home scams, and other fraud schemes, the indictment said.
They were also used for illegal “pump-and-dump” stock market manipulation schemes, and to spread other malware through which hackers could steal a user’s banking account information including passwords, and lock up a computer’s information to demand huge ransoms.
The indictment called Levashov “one of the world’s most notorious criminal spammers.”
The Spamhaus Project, which documents spam, botnets, malware and other abuse, listed him as seventh on its “10 Worst Spammers” list and “one of the longest operating criminal spam-lords on the internet.”
“The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives,” said Acting US Assistant Attorney General Kenneth Blanco in a statement.
Using legal ‘malware’ against botnet
Levashov’s arrest was unrelated to investigations into Russian interference in last year’s US presidential election, US officials said.
Earlier, the suspect’s wife had earlier told Russia Today that his arrest was connected to the election hacking case.
A Spanish court specializing in international cases will rule on whether he will be sent to the US.
The US has 40 days to present evidence backing Levashov’s extradition, which the suspect opposes.
In parallel with the arrest, US justice authorities announced an extraordinary move to bring down the Kelihos network, obtaining warrants that allows it to install its own malware-like programs on computers in the network to intercept its operation.
Such a move appeared to be the first ever application of controversial new investigative powers which took effect late last year.
The Justice Department explained that its programs would be able to redirect Kelihos-infected computers into substitute servers in order to halt the network’s operation.
In doing so, it can record the private IP or internet protocol addresses of the computers and provide them to internet service providers to help customers eliminate the infections, the department explained.
In a warrant that permitted investigators to “infect” botnet computers in order to block Kelihos, investigators pledged to guard the privacy of computer owners.
“This operation will not capture content from the target computers or modify them in any other capacity except limiting the target computers’ ability to interact with the Kelihos botnet,” the warrant said.
