Suspected mastermind behind massive Kelihos botnet Petyr Levashov nabbed in botnet takedown operation.

The cybercrime underground is abuzz with the news that the infamous alleged spammer and Kelihos botnet operator Pyotr Levashov was arrested this weekend in Barcelona while on holiday there.

Levashov, a Russian citizen, was arrested by Spanish authorities via US cybercrime charges, and as part of a US Department of Justice takedown effort of the Kelihos botnet made up of tens of thousands of infected bots that distributed spam, stole login credentials, and installed ransomware and other malware. DoJ said it began blocking malicious domains tied to Kelihos on April 8.

The DoJ announced his arrest today as part of an effort to disrupt and take down Kelihos. "The operation announced today targeted an ongoing international scheme that was distributing hundreds of millions of fraudulent e-mails per year, intercepting the credentials to online and financial accounts belonging to thousands of Americans, and spreading ransomware throughout our networks," said Acting Assistant Attorney General Kenneth Blanco.

Levashov's arrest sparked alarm and chatter online among other big players in the Russian cyber underground concerned about their own unmasking and possible indictment or arrest. Vitali Kremez, director of research at Flashpoint, says his firm has witnessed some underground players planning to tighten up their own operations, and that their chatter also confirmed that Levashov is also known by the alias Peter Severa. Levashov/Severa is listed by Spamhaus as one of the 10 Worst Spammers in the world.

"We've been looking into him for quite some time," Kremez says. "He's one of the most wanted and prolific spammers who's ever operated in the Russian underground."

A source close to the case said Levashov's indictment will be unsealed tomorrow.

Not only is he behind spam and malware-rigged email campaigns, but Levashov also is tied to click-fraud and distributed denial-of-service operations. He's considered a spam service provider to various underground attackers. "He's been operating underground the past 20 years successfully evading prosecution," Kremez says.

Levashov was indicted in 2009 but not extradited to the US for operating the Storm botnet, a predecessor to Kelihos that was then the world's largest spamming botnet. He faced charges for spam to promote pump-and-dump penny stock schemes.

Adding to the intrigue surrounding his apprehension this weekend after nearly two decades of allegedly operating as one of the world's most prolific spammers and botnet operators, the AP reports that Levashov also may have ties to Russia's hacking and leaking of information in an attempt to interfere with the outcome of the 2016 US presidential election.

His wife was quoted by Russian state media outlet RT that her husband later told her by phone that he was arrested in connection with malware "linked to Trump's election win."

Given the notoriously grey area between cybercriminals and the Russian government, security experts say it's not a big stretch that Levashov could have had a hand in the hacking activities by Russia last year to influence the US presidential election. But there's no indication thus far of his involvement.

Flashpoint's Kremez says Levashov indeed has ties to the Russian government, but can't conclude that he was involved in the US election hacking operation. Levashov previously has been linked to pro-Russian government groups distributing spam including hacktivist group CyberBerkut. "He would be the perfect cybercriminal for hire with his email filters and other tradecraft to deliver email" spam campaigns, Kremez says.

Both Kelihos and CyberBerkut have operated pro-Russian government online campaigns spreading anti-Ukraine and pro-Russian rhetoric. CyberBerkut recruited pro-Russian government "cyberwarriors" to target Ukrainian websites in a distributed denial-of-service effort called Help Your Homeland, Kremez notes, and also is known for strategic leaks of information aimed at shaping public perception.

"And it's likely his botnet was also involved in the distribution of email spam linked to Russia's interference in the" US presidential campaign, he says.

If Levashov ultimately were to be investigated for any ties to the US election, it wouldn't be the first time he's dabbled in election-influence hacking. In 2012, his Kelihos botnet was used to send spam emails to Russian citizens with political messages and links to phony news stories about the then-presidential opponent to Vladmir Putin, Mikhail Prokhorov.

"The lines between criminals and nation-state in Russia are more blurred than places elsewhere. Levashov has been known to play on both sides of the line. In 2012, he used his spamming capabilities to slander Putin's opponents in the presidential election," says John Bambenek, manager of threat intelligence systems at Fidelis Cybersecurity.

But Bambenek isn't sold on Levashov's involvement in the US presidential campaign hacks. "The hacking of DNC and John Podesta's email wouldn't be terribly heavy lifts for him, but they're not really in his wheelhouse" of operations since those were more social media-centric campaigns, he says.

Headless Botnet

The good news is that the Kelihos takedown could result in less spam and malware-laden email in the short-term. "We may see less spam emails being distributed," Kremez predicts.

Levashov's arrest may not kill Kelihos in the long run - botnet disruptions often are temporary as botnets get reinvented - but it does have a chilling effect on cybercriminals, at least in the short-term. "Every arrest has people thinking, taking a step back," Fidelis' Bambenek says. "In some cases, they make improvements, in some cases, they make different decisions" to evade authorities, he says.

The fact that one of the most wanted cybercriminals in the world dared to venture outside of Russia and risk arrest and extradition in Spain suggests he may have become overly confident and complacent about his immunity to law enforcement.

"We've known about this guy for a long time. He has operated fairly openly since 1999. I know the Russian authorities had been informed about his operations," Kremez notes. Levashov may have even wrongly assumed the Russian government would protect him outside of Russia, he says.

Levashov faces wire fraud charges.

Related Content:

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights