{
	"id": "1afe1d6f-8519-4a1a-adb7-536f7ad7c512",
	"created_at": "2026-04-06T03:36:43.435929Z",
	"updated_at": "2026-04-10T03:20:56.078545Z",
	"deleted_at": null,
	"sha1_hash": "7a1b474cd0e8dd25337efe34f5b3b65ec220c21e",
	"title": "Justice Department Announces Actions to Dismantle Kelihos Botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38584,
	"plain_text": "Justice Department Announces Actions to Dismantle Kelihos Botnet\r\nPublished: 2017-04-10 · Archived: 2026-04-06 03:14:12 UTC\r\nThe Justice Department today announced an extensive effort to disrupt and dismantle the Kelihos botnet – a global\r\nnetwork of tens of thousands of infected computers under the control of a cybercriminal that was used to facilitate\r\nmalicious activities including harvesting login credentials, distributing hundreds of millions of spam e-mails, and\r\ninstalling ransomware and other malicious software.\r\nActing Assistant Attorney General Kenneth A. Blanco of the Justice Department’s Criminal Division, Acting U.S.\r\nAttorney Bryan Schroder for the District of Alaska, Assistant Director Scott Smith for the FBI’s Cyber Division\r\nand FBI Special Agent in Charge Marlin Ritzman of the Anchorage Division made the announcement.\r\n“The operation announced today targeted an ongoing international scheme that was distributing hundreds of\r\nmillions of fraudulent e-mails per year, intercepting the credentials to online and financial accounts belonging to\r\nthousands of Americans, and spreading ransomware throughout our networks.  The ability of botnets like Kelihos\r\nto be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans,\r\ndriving at the core of how we communicate, network, earn a living, and live our everyday lives,” said Acting\r\nAssistant Attorney General Blanco.  “Our success in disrupting the Kelihos botnet was the result of strong\r\ncooperation between private industry experts and law enforcement, and the use of innovative legal and technical\r\ntactics. 
The Department of Justice is committed to combatting cybercrime, no matter the size or sophistication of\r\nthe scheme, and to punish those who are engaged in such crimes.”\r\n“Cybercrime is a worldwide problem, but one that infects its victims directly through the computers and personal\r\nelectronic devices that we use every day,” said Acting U.S. Attorney Bryan Schroder for the District of\r\nAlaska.  “Protecting the American people from such a worldwide threat requires a broad-reaching response, and\r\nthe dismantling of the Kelihos botnet was such an operation.  We are lucky that we have talented FBI agents and\r\nfederal prosecutors with the skillsets to help protect Americans from this pervasive cybercrime.”\r\n“On April 8, 2017, we started the extraordinary task of blocking malicious domains associated with the Kelihos\r\nbotnet to prohibit further infections,” said FBI Special Agent in Charge Ritzman. “This case demonstrates the\r\nFBI’s commitment to finding and eradicating cyber threats no matter where they are in the world.”\r\nKelihos malware targeted computers running the Microsoft Windows operating system.  Infected computers\r\nbecame part of a network of compromised computers known as a botnet and were controlled remotely through a\r\ndecentralized command and control system.  According to the civil complaint, Peter Yuryevich Levashov\r\nallegedly operated the Kelihos botnet since approximately 2010.  The Kelihos malware harvested user credentials\r\nby searching infected computers for usernames and passwords and by intercepting network traffic.  Levashov\r\nallegedly used the information gained from this credential harvesting operation to further his illegal spamming\r\noperation which he advertised on various online criminal forums.  
The Kelihos botnet generated and distributed\r\nenormous volumes of unsolicited spam e-mails advertising counterfeit drugs, deceptively promoting stocks in\r\norder to fraudulently increase their price (so-called “pump-and-dump” stock fraud schemes), work-at-home scams,\r\nand other frauds.  Kelihos was also responsible for directly installing additional malware onto victims’ computers,\r\nincluding ransomware and malware that intercepts users’ bank account passwords.\r\nAs with other botnets, Kelihos is designed to operate automatically and undetected on victims’ computers,\r\nwith the malicious code secretly sending requests for instructions to the botnet operator. In order to liberate the\r\nvictim computers from the botnet, the United States obtained civil and criminal court orders in the District of\r\nAlaska.  These orders authorized measures to neutralize the Kelihos botnet by (1) establishing substitute servers\r\nthat receive the automated requests for instructions so that infected computers no longer communicate with the\r\ncriminal operator and (2) blocking any commands sent from the criminal operator attempting to regain control of\r\nthe infected computers.\r\nIn seeking authorization to disrupt and dismantle the Kelihos botnet, law enforcement obtained a warrant pursuant\r\nto recent amendments to Rule 41 of the Federal Rules of Criminal Procedure.  A copy of this warrant along with\r\nthe other court orders are produced below.  The warrant obtained by the government authorizes law enforcement\r\nto redirect Kelihos-infected computers to a substitute server and to record the Internet Protocol addresses of those\r\ncomputers as they connect to the server.  
This will enable the government to provide the IP addresses of Kelihos\r\nvictims to those who can assist with removing the Kelihos malware including internet service providers.\r\nThe efforts to disrupt and dismantle the Kelihos botnet were led by the FBI’s Anchorage Office and New Haven\r\nOffice; Senior Counsel Ethan Arenson and Harold Chun, and Trial Attorney Frank Lin of the Computer Crime and\r\nIntellectual Property Section; and Assistant U.S. Attorneys Yvonne Lamoureux and Adam Alexander of the\r\nDistrict of Alaska.  Critical assistance was also provided by foreign partners, and invaluable technical assistance\r\nwas provided by CrowdStrike and The Shadowserver Foundation in executing this operation.\r\nThe details contained in the civil complaint and related pleadings are merely accusations, and the defendant is\r\npresumed innocent unless and until proven guilty.\r\nThe Government has and will continue to share samples of the Kelihos malware with the internet security\r\ncommunity so that antivirus vendors can update their programs to detect and remove Kelihos.  A number of free\r\nand paid antivirus programs are already capable of detecting and removing Kelihos, including the Microsoft\r\nSafety Scanner, a free product.\r\nThe documents filed by the Government as well as the court orders entered in this case are available online at the\r\nfollowing web address: www.justice.gov/opa/documents-and-resources-related-us-v-peter-yuryevich-levashov\r\nSource: https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"references": [
		"https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0"
	],
	"report_names": [
		"justice-department-announces-actions-dismantle-kelihos-botnet-0"
	],
	"threat_actors": [],
	"ts_created_at": 1775446603,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a1b474cd0e8dd25337efe34f5b3b65ec220c21e.pdf",
		"text": "https://archive.orkl.eu/7a1b474cd0e8dd25337efe34f5b3b65ec220c21e.txt",
		"img": "https://archive.orkl.eu/7a1b474cd0e8dd25337efe34f5b3b65ec220c21e.jpg"
	}
}