05:10 PM
One of World's Most Wanted and Prolific Alleged Spammers Arrested

Suspected mastermind behind the massive Kelihos botnet, Pyotr Levashov, nabbed in a botnet takedown operation.

The cybercrime underground is abuzz with the news that the infamous alleged spammer and Kelihos botnet operator Pyotr Levashov was arrested this weekend in Barcelona, where he was on holiday.

Levashov, a Russian citizen, was arrested by Spanish authorities on US cybercrime charges as part of a US Department of Justice operation to take down Kelihos, a botnet of tens of thousands of infected machines that distributed spam, stole login credentials, and installed ransomware and other malware. The DoJ said it began blocking malicious domains tied to Kelihos on April 8.

The DoJ announced his arrest today as part of an effort to disrupt and take down Kelihos. "The operation announced today targeted an ongoing international scheme that was distributing hundreds of millions of fraudulent e-mails per year, intercepting the credentials to online and financial accounts belonging to thousands of Americans, and spreading ransomware throughout our networks," said Acting Assistant Attorney General Kenneth Blanco.

Levashov's arrest sparked alarm and chatter online among other big players in the Russian cyber underground, who are concerned about their own unmasking and possible indictment or arrest. Vitali Kremez, director of research at Flashpoint, says his firm has seen some underground players planning to tighten up their own operations, and that their chatter also confirmed that Levashov is the actor known by the alias Peter Severa. Levashov/Severa is listed by Spamhaus as one of the 10 Worst Spammers in the world.

"We've been looking into him for quite some time," Kremez says. "He's one of the most wanted and prolific spammers who's ever operated in the Russian underground."

A source close to the case said Levashov's indictment will be unsealed tomorrow.

Beyond spam and malware-rigged email campaigns, Levashov is also tied to click-fraud and distributed denial-of-service operations, and he is considered a spam service provider to various underground attackers. "He's been operating underground the past 20 years successfully evading prosecution," Kremez says.

Levashov was indicted in the US in 2009 for operating the Storm botnet, a predecessor to Kelihos that was then the world's largest spamming botnet, but he was never extradited. That indictment charged him with sending spam to promote pump-and-dump penny-stock schemes.

Adding to the intrigue surrounding his apprehension this weekend, after nearly two decades of allegedly operating as one of the world's most prolific spammers and botnet operators, the AP reports that Levashov may also have ties to Russia's hacking and leaking of information aimed at interfering with the outcome of the 2016 US presidential election.

His wife told Russian state media outlet RT that her husband later said by phone that he had been arrested in connection with malware "linked to Trump's election win."

Given the notoriously grey area between cybercriminals and the Russian government, security experts say it's not a big stretch that Levashov could have had a hand in the hacking activities by Russia last year to influence the US presidential election. But there's no indication thus far of his involvement.

Flashpoint's Kremez says Levashov indeed has ties to the Russian government, but he can't conclude that Levashov was involved in the US election hacking operation. Levashov has previously been linked to pro-Russian government groups distributing spam, including the hacktivist group CyberBerkut. "He would be the perfect cybercriminal for hire with his email filters and other tradecraft to deliver email" spam campaigns, Kremez says.

Both Kelihos and CyberBerkut have operated pro-Russian government online campaigns spreading anti-Ukraine and pro-Russian rhetoric. CyberBerkut recruited pro-Russian government "cyberwarriors" to target Ukrainian websites in a distributed denial-of-service effort called Help Your Homeland, Kremez notes, and also is known for strategic leaks of information aimed at shaping public perception.

"And it's likely his botnet was also involved in the distribution of email spam linked to Russia's interference in the" US presidential campaign, he says.

If Levashov ultimately were to be investigated for any ties to the US election, it wouldn't be the first time he has dabbled in election-influence hacking. In 2012, his Kelihos botnet was used to send spam emails to Russian citizens carrying political messages and links to phony news stories about Mikhail Prokhorov, Vladimir Putin's opponent in that year's presidential election.

"The lines between criminals and nation-state in Russia are more blurred than places elsewhere. Levashov has been known to play on both sides of the line. In 2012, he used his spamming capabilities to slander Putin's opponents in the presidential election," says John Bambenek, manager of threat intelligence systems at Fidelis Cybersecurity.

But Bambenek isn't sold on Levashov's involvement in the US presidential campaign hacks. "The hacking of DNC and John Podesta's email wouldn't be terribly heavy lifts for him, but they're not really in his wheelhouse" of operations since those were more social media-centric campaigns, he says.

Headless Botnet

The good news is that the Kelihos takedown could result in less spam and malware-laden email in the short term. "We may see less spam emails being distributed," Kremez predicts.

Levashov's arrest may not kill Kelihos in the long run - botnet disruptions are often temporary, as botnets get reinvented - but it does have a chilling effect on cybercriminals, at least in the short term. "Every arrest has people thinking, taking a step back," Fidelis' Bambenek says. "In some cases, they make improvements, in some cases, they make different decisions" to evade authorities, he says.

The fact that one of the most wanted cybercriminals in the world dared to venture outside Russia and risk arrest and extradition in Spain suggests he may have grown overconfident and complacent about his immunity from law enforcement.

"We've known about this guy for a long time. He has operated fairly openly since 1999. I know the Russian authorities had been informed about his operations," Kremez notes. Levashov may have even wrongly assumed the Russian government would protect him outside of Russia, he says.

Levashov faces wire fraud charges.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
