Alleged Kelihos botmaster and spam king extradited to US

Peter Yuryevich Levashov – a 37-year-old Russian computer programmer, accused by the FBI of developing the Kelihos botnet and using it to stuff inboxes with Viagra and Cialis spam; to steal bitcoin wallets and other financial data; and to spew malware, including banking Trojans and ransomware, worldwide – has been deported from Spain to the US town of New Haven, Connecticut.

The US Department of Justice (DOJ) announced the extradition on Friday. In its press release, the DOJ said that besides the spam, the malware, and the harvesting of victims’ personal information, Levashov allegedly also rented out Kelihos botnet spam and malware services.

Levashov allegedly hid behind the hacker names Petr Levashov, Peter Severa, Petr Severa and Sergey Astakhov to do the dirty work.

In April 2017, the US Department of Justice indicted Levashov on one charge each of damaging a protected computer, conspiracy, accessing protected computers to commit fraud, wire fraud, aggravated identity theft, and threatening to damage a protected computer; plus two counts of fraud in connection with email.

He had been arrested in Barcelona while vacationing with his family that same month.

In March 2010, Microsoft, working with other security researchers, went after another botnet called Waledac with a combination of legal and technical takedown maneuvers. (More recently, Microsoft again used the courts, sending lawyers to fight the [likely] Russian hacking group known as Strontium, Fancy Bear or APT28. It involved seizing domains that hosted the phishing sites used to steal credentials or for botnet command & control [C&C]).

Microsoft used the same takedown techniques with the Kelihos botnet, which shared a good deal of code with Waledac.

According to the indictment, Levashov allegedly tried hard to protect his anonymity.

He didn’t try hard enough. He allegedly used the alias Severa to run the Kelihos botnet, but court records show that investigators were surveilling his iCloud account since May 2016. According to the search warrant affidavit, server records, encrypted Jabber instant messages and online payments led investigators to Levashov.

Levashov had apparently used two servers, located in Luxembourg, that were linked to Kelihos. One was apparently used as a proxy, while the other was used as a backend panel to provide status updates on the botnets. When law enforcement seized the servers, they found frequent logins from Levashov’s account.

On the backend server, investigators also located subject mails of spam emails, such as “Very good way to reveal your intimate life,” “Attack your woman harder,” and “No amorous failure risk.” Other subject headers teased pump-and-dump stock manipulation scams, such as “This Company looks ready for a major run this week!” and “It is about to wake up and ROAR!”

Investigators also found an iCloud account registered in Levashov’s name, from an IP address that had often connected to the Luxembourg server. That’s what the affidavit was after: information including “login IP addresses associated with session times and dates” that could be associated with Levashov’s alleged logins to botnet-connected accounts.

The same day that the affidavit was filed, a court granted a search warrant, Apple was placed under a gag order that prevented it from sharing information about the case, and the investigation was put on hold until Levashov could be found in a country from which he could be extradited.

That’s exactly what happened when he was arrested in Spain at the request of US law enforcement. It’s likely that the iCloud data, showing a running tab of IP addresses used to log into the account, gave investigators the heads-up that he was in Spain on vacation.

Levashov was arraigned on Friday.

Stay tuned to this case: as security journalist Brian Krebs reports, Levashov allegedly worked closely with other top spammers. If he pleads guilty, his arrest could lead to unveiling their identities.