Oleg Koshkin - found Guilty -Kelihos Botnet

Jun 16, 2021

United States vs. Oleg Koshkin & Pavel Tsurkan

Late yesterday (June 15, 2021) a Federal Jury found Oleg Koshkin GUILTY1 -

https://ecf.ctd.uscourts.gov/doc1/04117404569

Oleg Koshkin, 41, formerly of Estonia, operated the websites “Crypt4U.com,” “fud.bz” and others. The websites promised to render malicious software fully undetectable by nearly every major provider of antivirus software. Koshkin and his co-conspirators claimed that their services could be used for malware such as botnets, remote-access trojans, keyloggers, credential stealers and cryptocurrency miners.

Case Background

Look I’m not going to try and search -hoping that someone actually archived my previous Twitter Threads - it’s become an exercise in futility and invokes rage. So you’ll have to take my word for it - I followed this case - intensely- for years.

On September 6, 2019, Oleg Koshkin was arrested in the Northern District of California pursuant to a federal criminal complaint. The Complaint charged him (and his co-conspirator) with conspiracy to intentionally cause damage to a protected computer.
Koshkin was ordered detained and was transported from the NDCA to the District of Connecticut. Koshkin’s co-conspirator, Pavel Tsurkan was also arrested the same day in Estonia and was also ordered detained pending extradition to the United States.

…Kelihos Botnet 4 billion spam emails per day…

On October 3, 2019, a federal grand jury sitting in Bridgeport, CT returned an indictment charging both Koshkin and Tsurkan with conspiracy and aiding and abetting intentional damage to a protected computer.

Koshkin was presented before a United States Magistrate Judge in Connecticut on November 1, 2019, and ordered detained pending trial. Tsurkan arrived in the United States on March 4, 2021 and was arraigned on March 5, 2021 - At that time, koshkin was released on a $200,000 bond.

DOJ-OPA Court Documents:

Criminal Complaint and Affidavit

Indictment

Tsurkan - Conditions of Release

Kelihos Botnet & Peter Yuryevich Levashov

On April 10, 2017 the Department of Justice announced it had dismantled the massive and pernicious Kelihos Botnet. The 2017 Press Release reads in part:

Kelihos malware targeted computers running the Microsoft Windows operating system. Infected computers became part of a network of compromised computers known as a botnet and were controlled remotely through a decentralized command and control system.

According to the civil complaint, allegedly operated the Kelihos botnet since approximately 2010. The Kelihos malware harvested user credentials by searching infected computers for usernames and passwords and by intercepting network traffic.

Defendant Levashov allegedly used the information gained from this credential harvesting operation to further his “illegal spamming operation which he advertised on various online criminal forums.” The Kelihos botnet generated and distributed “enormous volumes of unsolicited spam e-mails advertising counterfeit drugs, deceptively promoting stocks in order to fraudulently increase their price” (so-called “pump-and-dump” stock fraud schemes), work-at-home scams, and other frauds.

The Kelihos Botnet was also responsible for directly installing additional malware onto victims’ computers, including ransomware and malware that intercepts users’ bank account passwords. And friends my little gift to you - HAPPY READING

The NJCCIC Threat Profile

Original Release Date: 2016-12-28 - to help you better understand how persuasive and pernicious the Kelihos Botnet was - the NJCCIC stated, in part:

Discovered in December 2010, Kelihos, also known as Hlux, exploited the Windows OS to form a peer-to-peer botnet of 45,000 computer systems capable of sending approximately 4 billion spam emails per day. In September 2011, Microsoft targeted and dismantled Kelihos. A few months later, in January 2012, a second version of the Kelihos botnet was discovered – this one dubbed Kelihosh or Version 2 – and it was comprised of 110,000 infected systems. In addition to sending spam, this version added the capability to steal Bitcoin wallets and mine Bitcoin.
November 2016, Kelihos was discovered spreading the Troldesh/Shade ransomware variant through spam emails that contained a malicious link. When clicked, the link would download a zipped malicious JavaScript file or Word document that would then install the ransomware. Kelihos has also been used to distribute other ransomware variants such as Wildfire/Hades Locker, CryptFIle2, and MarsJoke, as well as banking Trojans Panda, Zeus, Nymaim, and Kronos. It has also been used to send money mule spam to American recipients and dating spam to Polish recipients.

-ends scene and walks away giddy because this case was one that I intensely followed and it reassures that our justice system is rock solid and Jurors are truly the backbone of our judicial system. And now you deserve this gif that I reserve only for Malware and Botnets going tango down & their operators being found GUILTY… <snort>