{
	"id": "3989a07d-688e-4b26-8431-a5bb52997839",
	"created_at": "2026-05-01T03:09:40.459573Z",
	"updated_at": "2026-05-01T03:10:50.750781Z",
	"deleted_at": null,
	"sha1_hash": "af2ee598b3241f67bad8134332cde47082df54d1",
	"title": "How Russian Spam King Peter Levashov Was Arrested, and His Kelihos Botnet Dismantled",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38080,
	"plain_text": "How Russian Spam King Peter Levashov Was Arrested, and His\r\nKelihos Botnet Dismantled\r\nBy Garrett M. Graff\r\nPublished: 2017-04-11 · Archived: 2026-05-01 02:18:03 UTC\r\nOne of the world’s most notorious spammers appears to have been tripped up by a basic cybersecurity no-no,\r\naccording to the FBI: He used the same log-in credentials to both run his criminal enterprise and also log into sites\r\nlike iTunes.\r\nThe Justice Department announced Monday that it had successfully targeted a man prosecutors called “one of the\r\nworld’s most notorious criminal spammers,” a Russian hacker known as Peter Yuryevich Levashov, also known as\r\nPeter Severa, or “Peter of the North.” Levashov had long run the Kelihos botnet, a global network of infected\r\ncomputers that collectively flooded email inboxes worldwide with spam, stole banking credentials from infected\r\nusers, and spread malware across the internet.\r\nSpanish authorities arrested Levashov, who normally resides in St. Petersburg, Russia, while he was on vacation\r\nwith his family. Rumors had swirled over the weekend, sourced only to a vague report on the Russian propaganda\r\nnetwork RT, that he’d been involved in that country’s meddling with the 2016 US presidential election, but there\r\nwas no hint of that in Monday’s Justice Department complaint, which focused instead on Levashov’s role in\r\ndeveloping and running one of the internet’s most pernicious and longest-running botnets. Levashov's operation\r\nhad infected as many as 100,000 computers worldwide, roughly five to ten percent of which were inside the\r\nUnited States.\r\nProsecutors described Kelihos as a sophisticated malware variant that harvested user credentials from victim\r\ncomputers, and was used to send massive quantities of spam emails. 
The complaints and court orders associated\r\nwith the case also laid out details of how Levashov operated his business, offering a million spam messages\r\npromoting “legal” products such as “adult, mortgage, leads, pills, replics [i.e., counterfeit goods], etc.” for just\r\n$200, while that price went to $300 per million messages for “Job spam,” that is, messages that attempted to\r\nrecruit job seekers into fraudulent positions, including “money mules” who would help launder stolen money and\r\ngoods. According to the Justice Department, Levashov also offered to deploy his network on behalf of online\r\nfraudsters to execute phishing attacks for $500 per million messages.\r\nAs part of the operation, security researchers and the FBI teamed up to dismantle the Kelihos botnet itself,\r\ntargeting three domains used to run the network—gorodkoff.com, goloduha.info, and combach.com---and\r\nredirecting traffic from infected computers to new servers controlled by authorities and the ShadowServer\r\nFoundation, a volunteer anti-cybercrime group, a process that’s known in cybersecurity circles as “sink-holing.”\r\nCracking Down\r\nThe arrest of Levashov---and the complex, sophisticated assault on his long-running botnet---marked another\r\nvictory in the US government’s rising war against Russian aggression in cyberspace, coming just weeks after\r\nanother Justice Department indictment charged both Russian criminals and intelligence officers with conspiring to\r\nhack Yahoo’s user database.\r\nIt also, for the time being at least, perhaps marked the end of one of the most powerful spam networks on the\r\ninternet, a global network of malware-infected computers that had proven uniquely difficult to dismantle,\r\nreappearing multiple times and evolving even as its chief output---multitudes upon multitudes of unwanted junk\r\nemails advertising Viagra, adult entertainment, and, at 
worst, phishing emails that spread even more malware---\r\ncontinued unabated for the better part of a decade.\r\n“The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous\r\nand deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our\r\neveryday lives,” said Kenneth Blanco, the acting assistant attorney general overseeing the Justice Department’s\r\ncriminal division.\r\nThe case also marks one of the first times that the Justice Department has acknowledged using what’s known as\r\n“Rule 41,” a controversial change to federal criminal procedures that took effect last December and allows the\r\ngovernment to seek powerful search warrants to investigate cybercrime no matter where infected computers might\r\nbe physically located. (The Justice Department, though, was quick to caution Monday that it didn’t actually use\r\nwarrants to penetrate any infected computer, merely to help attack the botnet nationwide.)\r\nSource: https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/"
	],
	"report_names": [
		"fbi-took-russias-spam-king-massive-botnet"
	],
	"threat_actors": [],
	"ts_created_at": 1777604980,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/af2ee598b3241f67bad8134332cde47082df54d1.pdf",
		"text": "https://archive.orkl.eu/af2ee598b3241f67bad8134332cde47082df54d1.txt",
		"img": "https://archive.orkl.eu/af2ee598b3241f67bad8134332cde47082df54d1.jpg"
	}
}