ROKSO Home  |  ROKSO FAQs & Policies  |  About Spamhaus  |  FAQs
ROKSO
The Register of Known Spam Operations
Peter Severa / Peter Levashov

Evidence Menu:

Peter Severa / Peter Levashov Index


Country: Russian Federation
State:
A professional spammer who writes and sells virus-spamming spamware and botnet access. Is probably involved in the writing and releasing of viruses & trojans. One of the longest operating criminal spam-lords on the internet. Works with many other Eastern Euro and US based botnet spammers. Was a partner of American spammer Alan Ralsky.


Peter Severa / Peter Levashov SBL Listings History
Current SBL Listings
Archived SBL Listings

MEDIA: How the FBI Took Down Russia’s Spam King—And His Massive Botnet


Garrett M. Graff Security
Date of Publication: 04.11.17.
Time of Publication: 10:38 am.


One of the world’s most notorious spammers appears to have been tripped up by a basic cybersecurity no-no, according to the FBI: He used the same log-in credentials to both run his criminal enterprise and also log into sites like iTunes.

The Justice Department announced Monday that it had successfully targeted a man prosecutors called “one of the world’s most notorious criminal spammers,” a Russian hacker known as Peter Yuryevich Levashov, also known as Peter Severa, or “Peter of the North.” Levashov had long run the Kelihos botnet, a global network of infected computers that collectively flooded email inboxes worldwide with spam, stole banking credentials from infected users, and spread malware across the internet.

Spanish authorities arrested Levashov, who normally resides in St. Petersburg, Russia, while he was on vacation with his family. Rumors had swirled over the weekend, sourced only to a vague report on the Russian propaganda network RT, that he’d been involved in that country’s meddling with the 2016 US presidential election, but there was no hint of that in Monday’s Justice Department complaint, which focused instead on Levashov’s role in developing and running one of the internet’s most pernicious and longest-running botnets. Levashov’s operation had infected as many as 100,000 computers worldwide, roughly five to ten percent of which were inside the United States.
Russian Hacks

Prosecutors described Kelihos as a sophisticated malware variant that harvested user credentials from victim computers, and was used to send massive quantities of spam emails. The complaints and court orders associated with the case also laid out details of how Levashov operated his business, offering a million spam messages promoting “legal” products such as “adult, mortgage, leads, pills, replics [i.e., counterfeit goods], etc.” for just $200, while that price went to $300 per million messages for “Job spam,” that is, messages that attempted to recruit job seekers into fraudulent positions, including “money mules” who would help launder stolen money and goods. According to the Justice Department, Levashov also offered to deploy his network on behalf of online fraudsters to execute phishing attacks for $500 per million messages.

As part of the operation, security researchers and the FBI teamed up to dismantle the Kelihos botnet itself, targeting three domains used to run the network—gorodkoff.com, goloduha.info, and combach.com—and redirecting traffic from infected computers to new servers controlled by authorities and the ShadowServer Foundation, a volunteer anti-cybercrime group, a process that’s known in cybersecurity circles as “sink-holing.”
Cracking Down

The arrest of Levashov—and the complex, sophisticated assault on his long-running botnet—marked another victory in the US government’s rising war against Russian aggression in cyberspace, coming just weeks after another Justice Department indictment charged both Russian criminals and intelligence officer with conspiring to hack Yahoo’s user database.

It also, for the time being at least, perhaps marked the end of one of the most powerful spam networks on the internet, a global network of malware-infected computers that had proven uniquely difficult to dismantle, reappearing multiple times and evolving even as its chief output—multitudes upon multitudes of unwanted junk emails advertising Viagra, adult entertainment, and, at worst, phishing emails that spread even more malware—continued unabated for the better part of a decade.

“The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives,” said Kenneth Blanco, the acting assistant attorney general overseeing the Justice Department’s criminal division.

The case also marks one of the first times that the Justice Department has acknowledged using what’s known as “Rule 41,” a controversial change to federal criminal procedures that took effect last December and allows the government to seek powerful search warrants to investigate cybercrime no matter where infected computers might be physically located. (The Justice Department, though, was quick to caution Monday that it didn’t actually use warrants to penetrate any infected computer, merely to help attack the botnet nationwide.)

While the newly unsealed case against Levashov sprawled internationally and included agents from multiple FBI field offices, as well as numerous international partners, it’s hard to miss the fingerprints of Special Agent Elliott Peterson—a veteran of the FBI’s crack cyber squad in Pittsburgh who transferred recently to the Anchorage Field Office, where Monday’s announcement was made.

It perhaps marks the end of one of the most powerful spam networks on the internet.

To defeat Kelihos technically, Peterson worked closely with two Crowdstrike engineers, Brett Stone-Gross and Tillman Werner, who traveled to Alaska last week. The three men had also teamed up in Pittsburgh in 2014 to defeat the GameOver Zeus botnet, built by Evgeny Bogachev, who today is America’s most wanted hacker, with a $3 million reward for his capture. (That case, involving Russian hackers, botnets, and bank theft, was the subject of WIRED’s April cover story.)

Both Werner and Stone-Gross had long battled Kelihos. Stone-Gross had come into the botnet’s source code years ago and had worked to dismantle it since, and Werner had previously “sink-holed” an earlier variant of the network live onstage during a security conference in 2012, only to see it bounce back even more sophisticated and resilient later on.

As for the tenuous election hacking connection, it may have stemmed from rumors online that Levashov may have ties to Russian security forces or intelligence agencies, relationships that would be consistent with other high-profile, powerful Russian hackers. That alleged affiliation wouldn’t be unusual; Bogachev’s GameOver Zeus botnet was deployed to help gather intelligence on Ukrainian targets during Russia’s invasion of Crimea in the spring of 2014, and, more recently, the March Yahoo indictment documented ties between one well-known hacker, Alexsey Belan, and Russian officials with the FSB, its domestic intelligence agency that succeeded the KGB. This indictment, though, doesn’t mention the presidential campaign whatsoever.
A Digital Trail

According to court documents, the investigators tracking Levashov figured out this spring that there was a brief window to possibly arrest him while he was traveling with his family in Spain—a country that’s proven a strong US ally on cybercrime, and previously been the site of arrest of Russian hackers on vacation. Indeed, there are hints that the operation might have been moved up to coincide with the opportunity to arrest the hacker; the original date on the search warrant was crossed out and moved up by two weeks.

Levashov, who for years has been featured on SpamHaus’s list of the most notorious spammers and currently occupies the sixth spot on its list, has long operated beyond the arm of US law enforcement. He was indicted more than a decade ago in Michigan for email and wire fraud for using spam as part of a penny-stock pump-and-dump scheme. Later, in 2009, DC prosecutors again indicted him for computer fraud, stemming from his operation of the “Storm” botnet, a predecessor to his later development of Kelihos.

Investigators eventually linked Levashov to Kelihos by painstakingly matching IPs and log-in credentials on sites like FourSquare, Apple, and Google. Whether, if, and how long it might take to extradite the spam king from Spain to the United States remains an open question; while US law enforcement have had recent success in getting friendly foreign governments to arrest suspected Russian criminals abroad, they’ve been less successful in returning all of those suspects to US soil. Other cases in Thailand and Austria have been tied up in court for extended periods of time.

Regardless of which country has him for now, Levashov remains in custody. That’s a relief for authorities, and to spam-besieged inboxes and vulnerable computers around the world.


The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.
The address of this ROKSO record is: https://www.spamhaus.org/rokso/evidence/ROK12093/

The above consists of information in the public domain. The Spamhaus Project makes every effort to avoid errors in information in the ROKSO database, and will correct any errors as soon as it is able to verify the correction, but accepts no responsibility or liability for any errors or omissions, or liability for any loss or damage, consequential or otherwise, incurred in reliance on the material in these pages. The Spamhaus Project makes no warranties or representations as to the accuracy of the Information in ROKSO records. The information in the ROKSO database is for information purposes only and is not intended as legal advice of any kind.

For information on contacting the ROKSO Team regarding any factual errors in this record, see the ROKSO FAQs.
© 1998-2017 The Spamhaus Project Ltd. All rights reserved.
Legal  |  Privacy