Cybercrime as-a-service , Fraud , Fraud Management & Cybercrime

Russian Pleads Guilty to Operating Kelihos Botnet

Peter Levashov's Botnets Spread Spam, Banking Trojans and Ransomware
Russian Pleads Guilty to Operating Kelihos Botnet
Peter Levashov in an undated photo (Photo: Maria Levashov)

Russian national Peter Levashov, 38, who was arrested in Spain last year and extradited to the U.S. in February, has admitted to a two-decade crime spree that included running multiple botnets that harvested online credentials while also pumping out spam, banking Trojans and ransomware.

Levashov - aka "Petr Levashov," "Peter Severa," "Petr Severa" and "Sergey Astakhov" - has pleaded guilty to controlling and operating botnets, including Storm, Waledac and Kelihos, as well as harvesting victims' online credentials and personal details, from the late 1990s until the time of his arrest.

The Russian national pleaded guilty before U.S. District Judge Robert N. Chatigny on Wednesday to one count each of causing intentional damage to a protected computer, conspiracy, wire fraud and aggravated identity theft.

"Levashov disseminated spam and distributed other malware, such as banking Trojans and ransomware, and advertised the Kelihos botnet spam and malware services to others for purchase in order to enrich himself," the Justice Department says in a statement. "Over the course of his criminal career, Levashov participated in and moderated various online criminal forums on which stolen identities and credit cards, malware and other criminal tools of cybercrime were traded and sold."

Arrested in Spain

Levashov, of St. Petersburg, Russia, was arrested on April 7, 2017, in Barcelona - reportedly while on vacation with his wife and son - based on a criminal complaint and arrest warrant issued in Connecticut federal court.

Some initial media reports - many using Russian state media propaganda arm RT, formerly known as Russia Today, as their only source - suggested that Levashov's arrest tied to the alleged Russian government interference in the 2016 U.S. presidential election. But the Justice Department, in a statement, quickly dismissed that suggestion, saying his arrest was purely a criminal matter (see The US Presidential Election Hacker Who Wasn't).

At the time of Levashov's arrest, prosecutors say Kelihos was infecting at least 50,000 PCs.

On April 10, 2016, the Justice Department said it had made moves to permanently sinkhole all Kelihos-infected PCs.

Ten days later, a Connecticut federal grand jury indicted Levashov, charging him with multiple offenses tied to the botnet activities. That indictment formed the basis of the U.S. extradition request to Spain.

"We are grateful to Spanish authorities for his previous arrest and extradition," says Assistant Attorney General Brian A. Benczkowski of the Justice Department's criminal division.

The Justice Department also thanked the University of Alabama at Birmingham, threat intelligence firms ThreatStop and Cloudmark, anti-spam project SpamHaus, technology giant Cisco, as well as Cambridge University for having "provided invaluable assistance in the investigation and prosecution of Mr. Levashov."

Top 10 Spammer

Spamhaus had previously said it suspected Severa - later confirmed to be one of Levashov's aliases - of running both the Waledac and Kelihos botnets.

Source: Spamhaus

Before his arrest, Spamhaus ranked Severa seventh on its worst spammers list, saying he "writes and sells virus-spamming spamware and botnet access" and that he is "one of the longest operating criminal spam-lords on the internet."

"Levashov used the Kelihos botnet to distribute thousands of spam emails, harvest login credentials, and install malicious software on computers around the world," said U.S. Attorney John H. Durham of the District of Connecticut in a statement. "He also participated in online forums on which stolen identities, credit card information and cybercrime tools were traded and sold. For years, [he] lived quite comfortably while his criminal behavior disrupted the lives of thousands of computer users."

The FBI appears to have been tracking the alleged operator of Kelihos for some time. In 2008, the Justice Department accused "Peter Severa, age unknown, of Russia" of collaborating with Alan M. Ralsky as part of a "complicated stock spam pump and dump scheme." A related complaint accused Severa of violating U.S. fraud and wiretapping statutes.

Excerpt from Levashov's plea agreement.

Levashov faces between 101 to 121 months in prison and a fine of between $25,000 and $250,000, based on the "defendant's guide calculation," according to his plea agreement, while under federal prosecutors' calculation, he faces 121 to 151 months in prison and a fine of $35,000 to $350,000. Those recommendations are not binding on the court.

"Mr. Levashov is one of the brightest and most intelligent people I have ever met. Although pleading guilty was never the first option, after a careful and thorough review of the discovery, it became clear that negotiating a favorable plea agreement was in Mr. Levashov's best interest," his attorney, Vadim A. Glozman, tells Information Security Media Group.

Levashov remains detained pending his sentencing, which Judge Chatigny scheduled for Sept. 6, 2019.

Levashov's attorney says they requested a year-long sentencing delay for two reasons. "First, we are still in dispute with the government regarding the restitution amount and several of the guideline enhancements as they relate to his stipulated conduct. Second, we are hoping to be able to bring his family, and potentially, character witnesses, to attend and testify at his sentencing," Glozman says.

"As a result, the originally scheduled sentencing date was simply to soon to be able to accomplish our objectives," the attorney adds. "Although the sentencing is set for a year from now, the judge will allow us ... to request a sooner date if we are able to line everything up sooner than expected."

Story updated on Sept. 14 with details from the Justice Department, Levashov's plea agreement and attorney Vadim A. Glozman.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.