Russian Who Aided Kelihos Botnet Receives 4-Year Sentence
Prosecutors: Kelihos Infected Approximately 200,000 Computers
A Russian national has been sentenced to 48 months in prison for aiding a botnet scheme that infected victims' devices with the Kelihos malware and ransomware, according to the U.S. Justice Department.
Oleg Koshkin, 41, was convicted by a U.S. federal jury on June 15 of one count of conspiracy to commit computer fraud and abuse and one count of computer fraud and abuse. He was arrested in Berkeley, California, in September 2019 and has been detained since then (see: Russian Convicted of Aiding Kelihos Botnet Operator).
Koshkin operated the websites Crypt4U.com, fud.bz and others, all of which offered "crypting" services used to hide the Kelihos malware from antivirus software. The websites promised to render malicious software "fully undetectable" (the "FUD" in fud.bz) by almost all of the major antivirus providers.
He was convicted of aiding Peter Levashov, the operator of the Kelihos botnet, in causing damage to 10 or more protected computers, prosecutors say.
Koshkin and co-defendant Pavel Tsurkan advertised that their service could be used to crypt botnet malware, remote access Trojans, keyloggers, credential stealers and cryptocurrency miners, the Justice Department says.
"The defendant provided a critical service used by cybercriminals to evade one of the first lines of cybersecurity defense - antivirus software," says Kenneth A. Polite Jr., assistant attorney general of the Justice Department’s criminal division. "Cybercriminals depend on services like these to infect computers around the world with malware, including ransomware."
Co-defendant Tsurkan, arrested Sept. 6, 2019, in Estonia and extradited to the United States on March 4, 2021, is charged with conspiring to cause damage to 10 or more protected computers and aiding and abetting Levashov in causing damage to protected computers, an offense that carries a maximum term of 10 years in prison.
Tsurkan, who was released on a $200,000 bond, is awaiting sentencing.
Koshkin and Levashov worked together to develop a system that allowed Levashov to crypt the Kelihos malware multiple times each day, so that each new build presented antivirus scanners with a different set of bytes from the one they had last fingerprinted.
"Koshkin provided Levashov with a custom, high-volume crypting service that enabled Levashov to distribute Kelihos through multiple criminal affiliates," prosecutors said.
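To make the mechanism behind these two passages concrete (why a high-volume crypting service defeats signature- and hash-based antivirus, and what a defender can still check), here is an added toy illustration. It is not Crypt4U's code, not Kelihos, and not how the real service worked: the "crypter" is a one-line XOR with a per-build key and a marker header standing in for a real runtime decrypt stub, the "payload" and "signature database" are constructed strings, and the fixed demo keys exist only so the output is reproducible. The point it shows is that two builds of the same payload get different hashes and no longer contain the scanner's byte patterns, while the payload's entropy jumps, which is the content-agnostic heuristic scanners and sandboxes fall back on before unpacking.

```python
"""Toy illustration of why per-build "crypting" defeats static AV signatures,
and what content-agnostic checks still catch. Added example: not Crypt4U's
code and not Kelihos. Every input below is constructed for the demo."""
import hashlib
import math
import os
from collections import Counter
from typing import List, Optional

# Constructed stand-in for a malware binary (an 'MZ' header plus some strings).
PAYLOAD = b"MZ" + b"\x00" * 6 + b"Kelihos-like sample: connect peer, send spam, steal creds " * 3

# Toy signature database: byte patterns a signature-based scanner might match on.
SIGNATURES = {"spam_string": b"send spam", "cred_string": b"steal creds"}

# Fixed keys so the demo is reproducible; a crypting service draws a fresh key per build.
DEMO_KEY_A = bytes.fromhex("5aa53cc30ff0699681182dd24bb47ee7")
DEMO_KEY_B = bytes.fromhex("c31e7a9d44f08b26d95e6137a0cf1482")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_hits(data: bytes) -> List[str]:
    """Static scan: which known byte patterns occur verbatim in the file."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def toy_crypt(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Toy crypter: XOR the payload with a (fresh) key and prepend a 'stub'.
    A real crypter emits an executable stub that decrypts at runtime; here the
    stub is just a marker plus the key so toy_decrypt() can reverse it."""
    if key is None:
        key = os.urandom(16)
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return b"STUB" + bytes([len(key)]) + key + body


def toy_decrypt(blob: bytes) -> bytes:
    """What a sandbox or an unpacker-aware scanner recovers by running the stub."""
    if not blob.startswith(b"STUB"):
        raise ValueError("not a toy-crypted blob")
    klen = blob[4]
    key, body = blob[5:5 + klen], blob[5 + klen:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain code/text sits around 4-5, encrypted data near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 6.0) -> bool:
    """Heuristic real scanners use: high entropy suggests packing or encryption.
    It has false positives (compressed archives, legitimately encrypted blobs),
    so it is a triage signal, not a verdict."""
    return shannon_entropy(data) > threshold


if __name__ == "__main__":
    build1 = toy_crypt(PAYLOAD, DEMO_KEY_A)
    build2 = toy_crypt(PAYLOAD, DEMO_KEY_B)
    print("original signatures:", signature_hits(PAYLOAD))
    print("build1 signatures:", signature_hits(build1), "sha256:", sha256(build1)[:16])
    print("build2 signatures:", signature_hits(build2), "sha256:", sha256(build2)[:16])
    print("same payload, different hashes:", sha256(build1) != sha256(build2))
    print("entropy original/build1: %.2f / %.2f" % (shannon_entropy(PAYLOAD), shannon_entropy(build1)))
    print("looks packed:", looks_packed(build1))
    print("signatures after unpacking:", signature_hits(toy_decrypt(build1)))
```

Re-running `toy_crypt` with a fresh key is the whole of the "crypt it several times a day" service: the hash blocklist and the byte signatures never see the same file twice, which is why the useful detections sit either before the bytes (the stub pattern, the entropy spike, the packer's own artifacts) or after them (behaviour once the stub has run in a sandbox or on the endpoint).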
The botnet was then used to send spam emails, harvest bank account credentials and conduct distributed denial-of-service attacks as well as distribute ransomware and other malicious software, the court was told.
"Kelihos relied on the crypting services provided by Crypt4U from 2014 until Levashov’s arrest in April 2017; and just in the last four months of that conspiracy, Kelihos infected approximately 200,000 computers around the world," the prosecutors say.
Levashov was arrested by the Spanish National Police in April 2017 and extradited to the United States. In September 2018, he pleaded guilty to causing intentional damage to a protected computer, conspiracy, wire fraud and aggravated identity theft.
In the 2017 indictment against Levashov, the prosecutors said that the Kelihos botnet distributed hundreds of millions of fraudulent emails per year, intercepted credentials to online and financial accounts belonging to thousands of Americans and spread ransomware throughout their networks (see: Russian Pleads Guilty to Operating Kelihos Botnet).
The Levashov indictment alleges that he participated in and moderated online criminal forums on which stolen identities and credit cards, malware and other tools of cybercrime were traded and sold.
The indictment also alleges that Levashov paid Koshkin $3,000 per month for his services, and that at the time of Levashov's arrest, Kelihos had infected at least 50,000 computers, including computers in Connecticut.
Alan Calder, CEO of GRC International Group, a global provider of IT governance, risk management and compliance solutions, tells ISMG: "This is a classic example of today’s cyberthreat environment - highly sophisticated cybercriminals operating at scale and deploying attackware through affiliates and botnets. It’s good news that the two criminals have been taken out of circulation, although it’s only a temporary sentence. It is very likely they won’t be the last to take advantage of online vulnerabilities, so we must stay vigilant."