{
	"id": "bf9dcb92-f554-4191-b551-2c14ac6aae7d",
	"created_at": "2026-04-06T00:09:30.559393Z",
	"updated_at": "2026-04-10T13:12:14.0927Z",
	"deleted_at": null,
	"sha1_hash": "b57dd45cde5efb713d061562ddb26b99ed8e139d",
	"title": "DOJ moves to topple Kelihos, one of the world’s largest botnets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36390,
	"plain_text": "DOJ moves to topple Kelihos, one of the world’s largest botnets\r\nBy Patrick Howell O'Neill\r\nPublished: 2017-04-10 · Archived: 2026-04-05 13:08:45 UTC\r\nThe Department of Justice announced Monday an effort to take down a global network of over 100,000 enslaved\r\ncomputers under the control of Peter Yuryevich Levashov.\r\nLevashov, also known as Peter Severa, was known as one of the world’s most prolific and long-reigning kings of\r\nspam. A citizen of Russia, he was arrested in Spain earlier this week.\r\nThe network, known as the Kelihos botnet, has been in operation since 2010, targeting Microsoft Windows\r\nmachines for infection. The result was millions of spam emails, pump-and-dump schemes to illegally profit off\r\nstocks, mass password theft and the spreading of malware, according to the DOJ. Roughly 5 percent to 10 percent\r\nof Kelihos victims reside in the United States, according to the Justice Department.\r\n“The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a\r\ndangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living\r\nand live our everyday lives,” said acting Assistant Attorney General Kenneth Blanco.\r\nLevashov was first indicted over a decade ago by U.S. authorities on charges of email and wire fraud for allegedly\r\nusing spam to promote profitable pump-and-dump penny stock schemes.\r\nHe was charged again in 2009 for allegedly operating the Storm botnet, another spam behemoth and a predecessor\r\nto Kelihos.\r\nThis week’s arrest was made possible because the FBI learned just last month that Levashov was going to leave\r\nhis home in Russia, a country without extradition to the United States, to spend several weeks in Spain. 
The\r\ndetails about how the FBI came into that information remain unknown.\r\nThe FBI connected Levashov to Kelihos through IP addresses used to operate the botnet that were also\r\nused by email and other online accounts under the name of Pete Levashov, a web programmer in Russia.\r\nLevashov regularly used the same addresses to commit crime. To connect the dots, the FBI obtained Levashov’s\r\nrecords from companies including Google, Apple, WebMonkey and Foursquare.\r\nThe operation against Kelihos is global in scale, according to the DOJ, which worked in concert with law\r\nenforcement around the world. The department cited the newly amended Rule 41 as the source of authorization for\r\nthe botnet’s disruption.\r\n“Let me emphasize that there was no entry into the computers to take information using this warrant,” a Justice\r\nDepartment official said during a call with reporters. “This was merely used as a disruption technique against this\r\nbotnet, it was not a search warrant against the computers that were part of the botnet.”\r\nThe FBI worked with CrowdStrike, a private security company, and Shadowserver Foundation, a volunteer group\r\nof information security experts, to deploy a sinkhole attack to sever the communication networks between\r\ncriminal directors and infected computers. The DOJ cautioned that, as is normal in offensives against large\r\nbotnets, the operation against Kelihos will not be 100 percent complete for some time to come.\r\n“This isn’t an operation where you can throw a switch and turn off the botnet,” a Justice Department official said.\r\n“There is a lag time. We’ll continue our operation to have the most impact we can on this particular botnet. 
So far\r\nthe signs are very good that we’ve had a significant disruption of this botnet.”\r\nYou can read the criminal complaint and application for a search warrant below:\r\n[documentcloud url=”http://www.documentcloud.org/documents/3549532-Signed-Application-for-Search-Warrant-Redacted-0.html” responsive=true sidebar=false text=false pdf=false]\r\n[documentcloud url=”http://www.documentcloud.org/documents/3549535-Dkt-1-Complaint-0.html”\r\nresponsive=true sidebar=false text=false pdf=false]\r\nSource: https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/"
	],
	"report_names": [
		"doj-kelihos-botnet-peter-levashov-severa"
	],
	"threat_actors": [],
	"ts_created_at": 1775434170,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b57dd45cde5efb713d061562ddb26b99ed8e139d.pdf",
		"text": "https://archive.orkl.eu/b57dd45cde5efb713d061562ddb26b99ed8e139d.txt",
		"img": "https://archive.orkl.eu/b57dd45cde5efb713d061562ddb26b99ed8e139d.jpg"
	}
}