01
Dec 10

FBI Identifies Russian ‘Mega-D’ Spam Kingpin

facebooktwittergoogle_plusredditpinterestlinkedinmail

Federal investigators have identified a 23-year-old Russian man as the mastermind behind the notorious “Mega-D” botnet, a network of spam-spewing PCs that once accounted for roughly a third of all spam sent worldwide.

According to public court documents related to an ongoing investigation, a grand jury probe has indicted Moscow resident Oleg Nikolaenko as the author and operator of the Mega-D botnet.

Federal agents settled on Nikolaenko thanks to information provided by Lance Atkinson, an Australian man named as a co-conspirator in the “Affking” e-mail marketing and counterfeiting operation that was shuttered in 2008 after investigations by the FBI, the Federal Trade Commission and international law enforcement authorities. The Affking program generated revenues of $500,000 a month using spam to promote counterfeit Rolexes, herbal “male enhancement” pills and generic prescription drugs.

As part of his guilty plea to spam violations, Atkinson provided investigators information on the top spammers who helped to promote the Affking products. Among them was an affiliate who used the online nickname “Docent,” who earned nearly $467,000 in commissions over a six month period in 2007.

Atkinson told investigators that Docent’s commissions were sent to an ePassporte account, under the name “Genbucks_dcent,” that was tied to the e-mail address “4docent@gmail.com.” Records subpoenaed by the grand jury found that the ePassporte account was registered in Nikolaenko’s name to an address in Moscow.

According to court documents, investigators found numerous executable files in Docent’s Gmail inbox. Those files were analyzed by researchers at SecureWorks, an Atlanta based security firm, which found them to be samples of the Mega-D malware.

Update: [Nikolaenko was reportedly arrested in the United States recently. See update at the end, after the jump.]

But U.S. investigators missed at least two chances to apprehend Nikolaenko: The grand jury said a review of U.S. State Department records indicate that Nikolaenko entered the United States in Los Angeles on July 17, 2009, and left the country ten days later. He returned to the U.S. on Oct. 29, 2009, entering from New York and visiting Las Vegas before exiting the country on Nov. 9 from Los Angeles.

Investigators say Nikolaenko was supposed to leave Los Angeles on Nov. 11, but cut his trip short by two days. They concluded that the 23-year-old left early because he wanted to get home to repair damage that security experts had inflicted on his botnet. On Nov. 4, 2009, researchers from Milpitas, Calif. based FireEye executed a “stun” attack on Mega-D by seizing control over the botnet’s control networks.

“Based on the timing of the Fireeye attack on the Mega-D botnet, I believe that Nikolaenko left the U.S. early to repair damage caused by Fireeye,” wrote Special Agent Brett E. Banner, in the government’s complaint against Nikolaenko.

After the FireEye takedown, spam from Mega-D all but disappeared. But in the days following his return to Moscow, the botnet recovered gradually, and by Nov. 22, spam from Mega-D was back to pre-takedown activity levels. By Dec. 13, Mega-D was responsible for sending nearly 17 percent of spam worldwide, according to security vendor M86 Security.

Joe Stewart, a senior security researcher at SecureWorks, said that at the beginning of Nov. 2009, there were at least 120,000 computers infected with Mega-D that were relaying spam, but Stewart said he hasn’t seen any signs of activity from Mega-D over the past several months.

While Mega-D may be dead, information obtained by KrebsOnSecurity.com suggests that Nikolaenko has nonetheless continued spamming, and that, until at least June 2010, he was a top-earning affiliate for Spamit.com. Prior to its closure at the end of Sept. 2010 — Spamit was the world’s most active affiliate program for promoting knockoff prescription drugs.

A Spamit affiliate using the same “4docent@gmail.com” address made nearly $81,000 in the first five months of 2010 promoting online pharmacies for Spamit. The earnings were deposited into the same “Genbucks_dcent” ePassporte account named in the criminal complaint against Nikolaenko. It’s not clear whether Nikolaenko was able to enjoy all of those earnings: ePassporte also went belly-up in September, leaving thousands of customers without access to millions of dollars in funds.

A copy of the full complaint against Nikolaenko is available here (PDF).

Update, Dec. 2, 5:40 p.m. ET: The Milwaukee-Wisconsin Journal Sentinel reports that Nikolaenko was arrested after entering the United States to attend a car show in Las Vegas. He is is scheduled to make his initial court appearance in Milwaukee on Friday.

Tags: , , , , , , , ,

22 comments

  1. Hello,
    can you please tell me in detail, how this spam business has been growing, n how it is carried out in underworld through pointing it on business.

  2. Christopher Mallick

    Well, this now makes sense. No wonder why Epassporte was shut down.

  3. No facebook piccy? :(

    Great article. Will be interesting to see if they can nail this guy.

    • Who are “they?” Does anyone imagine that the Russian govt has the slightest interest? If he doesn’t prey on Mother Russia and isn’t a serial pedophile like like the Muscovite black hat whose takedown was covered in this blog, he won’t be arrested on home turf, or if he is arrested it will be a dog and pony show.

      • Fully aware of this. Hence saying it would be interesting.
        The ‘they’ referred to the researchers and people who compiled the complaint.

      • An addendum says that he was picked up Dec. 2 in the US trying to go to a car show in Las Vegas.

  4. Always glad to hear about the spam bandits being restrained. The Canadian International Pharmacy Association members provide a safe service for people looking for prescription medications and we do not engage in any kind of spam. We strongly recommend that everyone verify the identify of an online pharmacy before placing an order. Sometimes, though, people haven’t taken that step and have fallen prey to the spammers once its too late. All measure to eliminate Spamit.com, Affking and Mega-D are strongly applauded by CIPA.

  5. So are un-friendly neighbour hood Spammer was using an e-passporte account for payment for his illegal activities while causing people grief. Well I have to say this is one time I am happy to see where the bad guys get screwed by the shady payment system they “Trusted” to recieve their funds from, sometimes irony can be sweet! I wonder if Spamit was paying other spammers in their employment the same way…the hope being maybe they got the shaft when e-passporte went down as well….well we can always dare to dream…lol.

  6. http://www.jsonline.com/news/crime/111273314.html has the latest info on our Russian spammer.

    Russian man ordered held in massive Internet spam case

    By Bruce Vielmetti of the Journal Sentinel

    Dec. 3, 2010 12:12 p.m.

    A 23-year-old Russian man charged with operating one of the world’s largest spam e-mail generators was ordered held without bond Friday at a hearing at federal court in Milwaukee.

    Oleg Nikolaenko is charged with violating the CAN-SPAM Act, by sending voluminous e-mails with altered header information. His attorney, Christopher Van Wagner, entered a not guilty plea on his client’s behalf.

    Assistant U.S. Attorney Erica O’Neil had asked that Nikolaenko be detained because he has no ties to the United States and would be at risk to return to Russia. He was arrested last month during a visit to Las Vegas.

    Van Wagner said his client’s wife is attempting get a visa to come and be present throughout the case, and suggested restrictions and conditions could be arranged to allow Nikolaenko to live under house arrest in Milwaukee if the complex case takes months and months to prosecute.

    A team of FBI agents and private Internet security experts tracked down a network of about 500,000 infected computers, called Mega-D, that they contend was controlled by Nikolaenko and used to help cyber hucksters sell bogus goods world wide.

  7. Just like with the McColo takedown, all this will do in the longer term is make the slimy spammers even more careful not to be vulnerable and we’ll be right back to where we were, and worse.

  8. Re: Arrest

    This is plainly a person w/ a self-destructive impulse. A cursory search query @ Interpol’s website “Nikoleaenko” turned up nothing. He could probably have visited quite a few car shows in quite a few countries without arrest. Evidently computer literacy and cleverness and common sense originate in different parts of the mind!

    To Nik: have fun in stir, dude.

    • Oops. The search was entitled ‘nikolaenko,’ @ Interpol’s website.

    • I see comments like these on a lot of places regarding people imprisoned, let’s me kinda know you know the person doesn’t want to be imprisoned so shouldn’t and that people cannot do anything about it but people do not want eachother imprisoned should avoid or run like anybody trying to hold another person against there will telling you it”s more complicated you should avoid.

  9. Yeah, you’ve got to wonder how much prenatal vodka exposure some of these guys have had. They just don’t seem to know when to lay low.

  10. Alex,

    Please drop me a line directly. I’d like a word. krebsonsecurity at gmail dot com.

    Thanks.


Read previous post:
Cybercrime Untouchables?

The text above was the lead for a story published April 3, 2006 in The New York Times. It described...

Close