A Russian programmer has been arrested in Spain for alleged involvement in numerous hacking operations. Some sources also suggest that his arrest is connected to the hacks that disrupted the U.S. presidential election last autumn.
Spanish press reported that Pyotr Yuryevich Levashov, 32 and a native of St. Petersburg, was arrested on April 7 at Barcelona airport and is currently in custody, according to a spokeswoman for Spain’s National Court, who spoke anonymously. One legal source says that the United States has requested Levashov’s extradition, but the request is still under consideration by the Spanish national criminal court. The US has 40 days to provide evidence.
Spanish news website El Confidencial writes that the arrest warrant was in fact requested by US authorities over the hacking of the Democratic National Committee, which aided Donald Trump’s campaign and ultimately his election as US president. Levashov’s wife Maria told Russian broadcaster RT (formerly Russia Today) that the arrest was indeed based on those accusations. Maria said that armed police entered their apartment in Barcelona at night and held her and her friend locked in a room for two hours while they questioned Levashov.
She said that when she talked to her husband on the phone from the police station, he told her he was accused of creating malware that was “linked to Trump’s election win.”
Official sources, however, insist that this is not the case and say Levashov was arrested over large-scale hacking and nothing else. AFP quoted an official who said the situation was “not tied to anything involving allegations of Russian interference with the US election”.
Cybersecurity experts, including Brian Krebs, have long taken an interest in Levashov, better known among hackers as “Peter Severa”. He moderated the spam subsections of several underground forums and served as the linchpin connecting malware writers with spam networks. He is No. 7 on the Top 10 Worst Spammers list kept by Spamhaus, a spam and malware tracking group, and was reportedly behind numerous criminal operations that paid malware writers and spammers to install fake antivirus programs. Severa is alleged to have run the Waledac spam engine, which compromised between 70,000 and 90,000 PCs and was capable of producing about 1.5 billion spam messages per day. He also managed the spam operations of a major US spammer, Alan Ralsky. Ralsky and others went to jail, but Levashov was never caught.
His prices rose with the illegality of the job. For legal advertising he charged $200 per one million spam emails; for scams and phishing campaigns, $500 per million. For stock manipulation schemes he demanded a deposit of $5,000 to $10,000 for access to his list of 25 million traders, plus 5% of the gains made on the stock.
The US case is currently sealed and the Department of Justice declines to give additional information. The U.S. Embassy in Spain refused to comment. Russian Embassy spokesman Vasily Nioradze confirmed the arrest but didn’t say whether Levashov was a programmer. He also didn’t comment on the U.S. extradition order.
According to a statement from the US Justice Department, US authorities are now working to take down Levashov’s botnet, Kelihos, which was used to send hundreds of millions of spam emails per year. Kelihos is a global network of infected Windows PCs, used to run spam campaigns advertising fake schemes, work-at-home scams and counterfeit drugs, as well as illegal stock market manipulation (pump-and-dump) schemes, to harvest passwords for online and financial accounts, and to infect machines with ransomware and other malware. The PCs were infected with malware that let the operator control them remotely without their owners’ knowledge. Levashov is alleged to have operated the botnet since 2010. At times the network exceeded 100,000 computers, with between 5% and 10% of them in the US. The botnet’s services were also sold to other cybercriminals through underground networks. The FBI was able to link Levashov to Kelihos because the IP address he used to operate the botnet was the same one he used to log into email and other online accounts in his real name, including Apple iCloud and Google Gmail accounts.
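The attribution step described above is an infrastructure-overlap correlation: an IP address seen administering the botnet also shows up in logs for accounts tied to a real identity. The following is an added illustration of that analyst task, not code from the original article or from any investigation; the two log excerpts are constructed sample data (documentation-range IPs, placeholder account names, a hypothetical "/panel" path), and the 30-minute correlation window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not real Kelihos data). The first records requests
# to a hypothetical botnet control panel; the second records logins to
# personal accounts held in the operator's real name.
C2_PANEL_LOG = """\
2017-03-01T10:02:11Z 203.0.113.7 POST /panel/login
2017-03-01T22:15:40Z 198.51.100.9 POST /panel/login
2017-03-02T09:47:03Z 203.0.113.7 GET /panel/stats
"""

ACCOUNT_LOGIN_LOG = """\
2017-03-01T10:05:52Z 203.0.113.7 login user=operator@example.com service=mail
2017-03-01T11:30:00Z 192.0.2.44 login user=someone-else@example.com service=mail
2017-03-02T09:50:19Z 203.0.113.7 login user=operator@example.com service=icloud
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_c2_log(text):
    """Yield (timestamp, source_ip, path) for each control-panel request."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, _method, path = line.split()
        events.append((parse_ts(ts), ip, path))
    return events


def parse_account_log(text):
    """Yield (timestamp, source_ip, user, service) for each account login."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, _action, user_kv, service_kv = line.split()
        events.append((parse_ts(ts), ip,
                       user_kv.split("=", 1)[1], service_kv.split("=", 1)[1]))
    return events


def correlate(c2_events, account_events, window=timedelta(minutes=30)):
    """Map each IP that touched the control panel and, within `window` of that
    activity, logged into a personal account, to the (user, service) pairs seen.
    IPs that appear in only one log are not reported."""
    hits = {}
    for c2_ts, c2_ip, _path in c2_events:
        for acct_ts, acct_ip, user, service in account_events:
            if acct_ip == c2_ip and abs(acct_ts - c2_ts) <= window:
                hits.setdefault(c2_ip, set()).add((user, service))
    return hits


def link_operator(c2_text=C2_PANEL_LOG, acct_text=ACCOUNT_LOGIN_LOG):
    return correlate(parse_c2_log(c2_text), parse_account_log(acct_text))


if __name__ == "__main__":
    for ip, accounts in link_operator().items():
        print(ip, sorted(accounts))
```

The time window matters: a shared IP alone can be a NAT gateway or a VPN exit used by many people, so an analyst looks for the same address being used for both purposes in the same session, and then corroborates with other evidence before treating it as attribution.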
The dismantling of Kelihos was the result of joint efforts by private industry experts at CrowdStrike and the Shadowserver Foundation and law enforcement, using novel legal and technical methods. FBI Special Agent in Charge Ritzman says the operation against Kelihos started on April 8, when they began blocking malicious domains connected to the botnet to prevent further infections. US authorities obtained warrants allowing them to redirect the infected computers’ botnet traffic to sinkhole servers set up by the authorities, so that the bots no longer reach the operator’s infrastructure. Although this means interacting with privately owned computers, investigators have promised to protect the privacy of their owners and not to capture content from, or make changes to, those machines. It is probably safe to assume that Kelihos is finished, even though the clean-up will take some time.
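The domain blocking and sinkholing described above work by answering the bots’ lookups for their rendezvous domains with an address the authorities control, which both cuts the bots off from the operator and reveals which client addresses are infected. The following is an added example of that resolver policy written for this page; it is not the code used against Kelihos, and the blocked domain names, the sinkhole address (a documentation-range IP) and the query log are all constructed placeholders. It records only the querying client address and the name it asked for, which is the minimal data needed for victim notification and matches the privacy limits the investigators describe.

```python
# Assumption: a documentation-range address stands in for the sinkhole server.
SINKHOLE_IP = "192.0.2.1"

# Constructed blocklist of botnet rendezvous domains (placeholders, not the real
# Kelihos infrastructure).
BOTNET_DOMAINS = {"c2-one.example", "update.c2-two.example"}

# Stand-in for normal upstream resolution (constructed).
UPSTREAM = {"www.bank.example": "198.51.100.20"}

# Constructed query log: "<client_ip> <queried name>" per line.
QUERY_LOG = """\
10.0.0.5 c2-one.example.
10.0.0.5 www.bank.example.
10.0.0.9 cache.update.c2-two.example.
10.0.0.12 www.bank.example.
"""


def normalize(qname):
    return qname.rstrip(".").lower()


def domain_matches(qname, blocked):
    """True if qname equals a blocked domain or is a subdomain of one, so that
    bots cannot evade the sinkhole by prefixing an extra label."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def resolve(qname, client_ip, upstream, blocked, victims):
    """Sinkhole policy: answer blocked names with SINKHOLE_IP and record the
    client as a likely infected host; resolve everything else normally.
    Returns the answer address, or None if the upstream has no record."""
    name = normalize(qname)
    if domain_matches(name, blocked):
        victims.setdefault(client_ip, set()).add(name)
        return SINKHOLE_IP
    return upstream.get(name)


def run_sinkhole(log=QUERY_LOG, blocked=BOTNET_DOMAINS, upstream=UPSTREAM):
    """Replay a query log through the policy. Returns the list of
    (client, qname, answer) tuples and the map of client -> blocked names seen."""
    victims = {}
    answers = []
    for line in log.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        answers.append((client, qname, resolve(qname, client, upstream, blocked, victims)))
    return answers, victims


if __name__ == "__main__":
    answers, victims = run_sinkhole()
    for client, qname, answer in answers:
        print(f"{client:10} {qname:32} -> {answer}")
    print("likely infected clients:", sorted(victims))
```

In production this policy sits in a resolver’s response policy zone or in a dedicated sinkhole authoritative server, and the victim list feeds notifications to ISPs; the suffix match is what makes a blocklist of base domains cover the arbitrary subdomains a bot may generate.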