05 Dec 11

Chats With Accused ‘Mega-D’ Botnet Owner?


Recently leaked online chat records may provide the closest look yet at a Russian man awaiting trial in Wisconsin on charges of running a cybercrime machine once responsible for sending between 30 to 40 percent of the world’s junk email.

Oleg Nikolaenko

Oleg Y. Nikolaenko, a 24-year-old who’s been dubbed “The King of Spam,” was arrested by authorities in November 2010 as he visited a car show in Las Vegas. The U.S. Justice Department alleges that Nikolaenko, using the online nickname “Docent,” earned hundreds of thousands of dollars using his “Mega-D” botnet, which authorities say infected more than half a million PCs and could send over 10 billion spam messages a day. Nikolaenko has pleaded not guilty to the charges, and is slated to appear in court this week for a status conference (PDF) on his case.

The Justice Department alleges that Nikolaenko spammed on behalf of Lance Atkinson and other members of Affking, an affiliate program that marketed fly-by-night online pharmacies and knockoff designer goods. Atkinson told prosecutors that one of his two largest Russian spamming affiliates used the online moniker Docent. He also said that Docent received payment via an ePassporte account under the name “Genbucks_dcent.” FBI agents later learned that the account was registered in Nikolaenko’s name and address in Russia, and that the email address attached to the account was 4docent@gmail.com.

According to my research, Docent also spammed for other rogue pharmacy programs. In fact, it’s hard to find one that didn’t pay him to send spam. In my Pharma Wars series, I’ve detailed how Russian cybercrime investigators probing the operations of the massive GlavMed/SpamIt rogue pharmacy operation seized thousands of chat logs from one of its principal organizers. The chats were later leaked online and to select journalists. Within those records are hundreds of hours of chats between the owners of the pharmacy program and many of the world’s biggest spammers, including dozens with one of its top earners — Docent.

According to the SpamIt records, Docent earned commissions totaling more than $325,000 promoting SpamIt pharmacy sites through spam between 2007 and 2010. The Docent in the SpamIt database also had his earnings sent to the same ePassporte account identified by the FBI. The Docent in the leaked chats never references himself as Nikolaenko, but in several cases he asks SpamIt coordinators to send documents to him at the 4docent@gmail.com address.

Below are the first in a series of conversation snippets between Docent and SpamIt co-administrator Dmitry Stupin. The chats show a young man who is ultra-confident in the value and sheer spam-blasting power of his botnet. Before each is a brief note providing some context.

In the transcript that follows, Stupin tries to woo Docent to join SpamIt. Docent negotiates a much higher commission rate than is usually given to new spamming partners. The typical rate is 30 percent of each sale, but Docent is a known figure in the spamming underground, and argues that his botnet will bring such massive traffic to the SpamIt pharmacies that he deserves a higher 45 or 50 percent cut of the sales. This conversation was recorded on Feb. 1, 2007.

Stupin: Hello! You have communicated with ICQ 397061228, I am writing regarding your case, Docent.

Docent: Which case?

Stupin: Do you want to send spam regarding our partnerka? [“partnerka” is Russian slang for a mix of private and semi-public affiliate groups that form to facilitate cybercrime activities.]

Docent: Which exactly do you mean? I have not yet communicated with this 397061228.

Stupin: Here is the letter which recently came from you: “It is usual spam, GI bases, not opt-in. Big volume of emails. I mail a lot of [competing pharmacy] programs, Bulker, Mailien, SRX. I’m a member of most bulk forums. So if you need references, I can provide them. Usual traffic is 2k+ uniques. Also I need bulk-host.”

Docent: Yes, I got it. It’s just nobody IM’d me.

Stupin: ok) What kind of volumes of spam can you deliver? We are soon deploying our own “partnerka” for spam, we just do not have it right now.

Docent: Volumes are huge, 500 million + / day.

Stupin: Wow! Are you not accidentally on the [Spamhaus] ROKSO List?

Docent: Yes, it’s a list of idiots :), with the exception of a couple of people.

Stupin: We do contract people for our spam campaigns, but only verified people. We are not publicly open yet.

Docent: I know someone who personally knows Desp [the nickname used by Stupin’s partner and SpamIt co-founder Igor Gusev]. And also we can collect references :)

Docent: Does your program accept Visa?

Stupin: Yes. Not only Visa. It would be fantastic if you provide your recommendations. I will honestly depict our situation: we will not be able to sustain your volume of spam in addition to our current traffic. We can try to work with you in China or with a new hosting platform, however the hosts there are not tested. If you are ok with that, I will send you several domains.

Docent: In any case, I will not switch the entire volume for you.

Docent: Regarding my Visa question… I actually meant MasterCard.

Stupin: We have MasterCard. We’ll definitely not sustain the entire volume, we can try little-by-little, checking each other out.

==

Approximately one week later…

Stupin: Hey! How about spamming for us?

Docent: What are the payment conditions?

Stupin: 30 [percent of sales] at the start, 35 if there are 5 orders a day sustained for a minimum of 4 days, 40 if more than 10 orders a day.

Stupin: Payments via wire, Webmoney, Fethard, e-passport. When 40% – payments are done by request, otherwise – two times a month.

Docent: Hmm, 40% can be given right away to right people.

Stupin: If you are indeed as good as you say – you will not stay on 30% for long.

Docent: I am not going to switch on entire traffic. :)

Stupin: I understand.

Docent: And 30 % is not cool, when other [affiliate programs] pay 45% )) However, your sites are indeed looking good.

Stupin: Who is paying you 45? If you show us statistics screen – we will give you 40 right away, if there is traffic there.

Docent: Where do you host?

Stupin: In Russia. Backup hosting is in China.

Docent: Has anyone spammed your Russian host?

Stupin: We have worked there for more than a year. However, we have not tested it with large volumes.

Docent: OK, we’ll try later. I will be ready next week to switch traffic.

Docent: Now I need to get money from those people )

===

One week later…

Stupin: Hello! Do you want to spam for us?

Docent: Hi. With pleasure, but later.

Stupin: We have just added xanax, valium, and Ambien.

Stupin: Hi! Am I interrupting anything?

Docent: Hello. No.

Stupin: Does “Bulker” [another pharmacy affiliate program] have a problem with billing?

Stupin: Do you want to work with us?

Docent: What do you mean?

Stupin: What do you mean what do I mean?

Docent: By asking me about Balker having problems with billing?

Stupin: I heard, that he had a problem with order processing.

Docent: It’s not been going too well…

Stupin: Who do you work with right now?

Docent: How did you get information that I was somehow linked to Balker?

Stupin: Aah, I thought you worked with him, he is an authority.

Docent: Yes, I worked with him. And?

Stupin: I want to steal you.

Stupin: All spammers are absolutely ecstatic about us, we now want to recruit spammers). How can we make you interested? :)

Docent: By good conditions (terms).

Stupin: What kind of terms do you want?

Docent: Well, give me sweeter conditions, and I am yours )

Stupin: We will not give more than 40%) but no charges.

Docent: And refunds? and why can’t you give more than 40?

Stupin: Whatever is on balance – is yours, no fees (charges).

Stupin: Because we want to eat as well.

Docent: How often do you pay? and where are the hosts?

Stupin: If more than 300-500 / a day – we pay whenever requested.

Stupin: Hosts – are in Russia.

Docent: OK. Make an account. We’ll see.

Stupin: Invite code – QIHL5480, register on – http://spamit.com/register.php

Docent: Cool domain :)

Stupin: Yep!)

Stupin: We have not yet completed the design, design is going to be absolutely cool.

Docent: Yes you have fantastic designs on all projects.

Docent: Login: docent

Stupin: I set it at 40 [percent].

==

February 21, 2007

Docent: I will start a small test today. What kind of terms do you offer?

Stupin: 40%, visa & mastercard, private domains, controlled pills.

Docent: Controlled pills are Vicodin & Phentermine ?

Stupin: No, phentermine is only herbal( Everything is being sold anyway without them.

Two days later, Docent is signed up with SpamIt, but has not yet started spamming for the affiliate program directly. In this chat, however, he obtains referral codes on behalf of two other spammers who want to join SpamIt; all of the affiliates he brings in will pay a portion of their commissions to Docent as a referral fee.

Stupin: I have bad news – we will have to turn off controlled, someone got arrested there, everything is getting turned off there(

Docent: Where has someone got arrested?

Stupin: Some supplier. Many Russians were sending via him.

Docent: Where do you ship from?

Stupin: From India, like everyone else.

Docent: It is strange that someone has got arrested in India.

Stupin: Well this one was tremendously illegal

Stupin: Only heroin is worse)

Docent: Not for India…

Docent: Is xanax illegal ?

Stupin: Yes

Docent: Vicodin is worse. Xanax is not very illegal.

Stupin: http://en.wikipedia.org/wiki/Xanax: Legal status, Schedule IV (US)

Docent: ))) Well, according to US laws even spam can lead to 1000 years of imprisonment.

Stupin: Only schedule V is worse.

Docent: Especially in large volumes ). And from bots. :)

Stupin: Vicodin – it is in Section III.

Docent: But nobody is selling it, because people can get really high from it. But nobody can get high from xanax. All generics are selling it.

Stupin: )))) It’s already a separate issue.

Docent: When are you going to put xanax back?

Stupin: We do not have a date yet.

Docent: Pity )

Docent: Ok, good thing that you accept MasterCard ))

Stupin: Do you know if anyone like Balker still has xanax? By the way, where should I send invites to?

Docent: Yes he still has it.

Stupin: How many do you need?

Docent: Give me a couple, I will invite a couple of people.

Stupin: 1STZ1R2, DRKMTWS6U [invite codes to SpamIt.com]

Stupin: Up to 16.6% of profit we pay for referrals.

Docent: How is it calculated?)) Meaning the percentage? It is a funny formula, “up to 16.6” )) I have never seen that))

Stupin: 5% of referral’s turnover; everywhere else it is 5% of profit. If the referral has 30%, we have 16.6%; if 40%, only 12% from his profit.

Docent: Aah. That is cool.

Docent: 1STZ1R2 – put 40% right away for this invite )

Stupin: Who is it?

Docent: He is good. I do not have bad friends.

Stupin: See, I have not seen you in action, and I do not know him)

Docent: Just trust me.

Stupin: What’s his login on spamdot?

Docent: We’ll say – 50 sales a day.

Stupin: I have done whatever you asked me.

Docent: I will invite one more person this evening… He spams very well.

Docent: Has he registered himself yet using this invite?

Stupin: Not yet.

Stupin: Bulker said that they did not have controlled [drugs].

Stupin: They did not work honestly, they screwed us up two times with processing. They also used our pictures of pills without our consent.

Docent: They also shave off a lot [“shaving” means to undercount sales/commissions]. I stopped spamming for them a long time ago. However, I do not like my current partner. He screwed me over $50k. And he does not admit it, bastard. I hope everything is going to go well with you.

Stupin: We have already been doing SE “partnerka” business for 1.5 years. Nobody has been complaining.

Stupin: And $50k payments also happen.

Docent: Yes, I just know the roots of your “partnerka” ) I do not want to show all my cards, but I am sure that we will have a great partnership.

===

In the conversation below, recorded Nov. 23, 2007, Docent and Stupin discuss earnings of two SpamIt affiliates referred to the program by Docent. One of them, who uses the nickname “Cosma,” eventually becomes one of SpamIt’s all-time top earners. According to Microsoft, Cosma was the individual behind the Rustock spam botnet. The other referred affiliate is an American spammer who used the nicknames “Speedy” and “Lightspeed.”

Stupin: Hello, have you heard anything about ICQ 197152928 (speedy)? He’s not been responding on ICQ.

Docent: Was he selling SOCKS proxies?

Stupin: No, he was spamming for us. He wanted to be paid with ATM cards. We can give them to him now. It was his main requirement to spam for us :)

Docent: Nickname sounds familiar.

Stupin: He was YOUR referral!

Docent: Do you have a good host now?

Stupin: We have 5 of them :)

Docent: Good? Not bots and very fast?

Stupin: 5 hosts. 3 of those ) (not bots and fast). Two in Europe and one in the US with a Chinese IP address.

Docent: From Abdullah?)

Stupin: Only in the US and one in Europe. The other one is our own.

Docent: Your own… You are growing ). Desp [Gusev] has to be happy.

Stupin: Yes he is ecstatic. By the way, you have a Balance: $1333.11

Docent: Hmm. Where from?

Stupin: From Cosma and from Speedy. We have the largest referral payments.

Docent: How many percent?

Stupin: 12.5

Docent: Very good. Is Cosma sending now?

Stupin: Yes, he’s just started.

Docent: What kind of volume does he have a day?

Stupin: Ask him.

Docent: Haha. It can be calculated from referrals. How many sales does he do for you?

Stupin: I cannot tell you, he may not want you to know.

Docent: He should not care, besides, I will not tell him that you told me, lol)

Stupin: Sorry, no way.

Docent: Fine)

Docent: Is he making 2k profit?

Stupin: Again, ask him, I cannot tell you.

Docent: Why is Speedy not in my referrals?

Stupin: His login is Lightwave.

Docent: Give me a good host. I will spam for you.

Stupin: Do you have large databases?

Docent: Damn! Surely large!

Stupin: ok, how many domains?

Docent: 10

Stupin: ok

Docent: I will not start today for sure, since I am going out drinking.

Docent: I will start late at night, if I am in proper condition, or on Sunday.

Stupin: Support will send that to you.

Docent: I’ve calculated Cosma’s profits ))

Docent: He was making 5k on average on herbal products.

Stupin: He started just a few days ago. He is not working at full capacity.


22 comments

  1. Docent: Nickname sounds familiar.

    Stupin: He was YOUR referral!

    That made me laugh ;)

    I love these chat excerpts, they give an insight into the way these people work on a personal level.

    It doesn’t really assist me in any way (I merely take an interest in security matters but I don’t work in any related position) but it’s still very interesting.

  2. A two person Broadway Play, lots of potential, as in the best thing since Waiting for Godot

  3. One aspect of this shady business which I haven’t thought of before is where the drugs are actually coming from. According to Stupin, they were shipping Xanax from India. Has law enforcement been working on that part of the supply chain?

    • I don’t think anything can happen on that aspect in India. The LE are the most corrupt there that I have come across. And there is no real apparent benefit in closing down these drug factories in India.

  4. So much effort put into the workings of this… I’d much rather take a 9-5 and not worry about feds closing in on me…

    Kudos as always Krebs!!!

  5. Krebs, I keep wondering: who translates these memoirs into English for you? What kind of rascal ) is that?

    • He himself speaks Russian more or less, so he could well do it himself.

  6. India’s drug record is appalling. Off topic, but the reason why antibiotics are failing and bacteria are getting resistant to them is because of such relaxed legislation in India and people not taking the full prescription.

    On context, it’s fascinating how these people work.

    Why is there so little coverage of EVA Pharmacy? They seem the most public of the rogue spam pharmacies.

    • “Why is there so little coverage of EVA Pharmacy? They seem the most public of the rogue spam pharmacies.”

      Because not much is known about Eva, compared to the truckloads of personal data that have been spilled about the proprietors of Glavmed/Spamit and Rx-Promotion.

      I’d welcome any information about Eva that readers would like to share.

      • I believe Spamhaus has some info on them, relating to their parent company; however, Spamhaus aren’t exactly notorious for having truthful information.

        So long as it makes the spammer look bad.

        • AFAIK, Spamhaus is still lumping it all together as “Yambo Financials.” I’ve been following things several years and never seen any evidence of the Bulker.biz/Eva Pharmacy folks running refi sites as well as pharma (other than mailers dealing with both types of sponsors), but apparently Spamhaus has good evidence that they were associated in the past.

          • Quote, “Bulker.biz is the organization which sponsors spammers to promote sites within what has been referred to as the Yambo Financials group of web properties. These include My Canadian Pharmacy, International Legal RX, Canadian Health&Care Mall, US Drugs and (new as of August 2009) Canadian Family Pharmacy.

            This was learned from postings on bulkerforum.biz by username “ebulker”, who would invite users to promote for their properties,” unquote.

            Mentioned on: spamtrackers.eu

  7. Hmm… you know, this has me wondering about Gusev’s ties to China. Didn’t our good friends at the RBN also move their IPs to China blocks as well??? I have to wonder how closely tied into RBN Gusev might have been.

    Brian, would you have any insight on that? I’m curious about this, and you would be the man in the know.

    BTW, nice to see some light shed on these guys that are all tied into spammers. I have to wonder how well Gusev knows some of the major spammers that are and have been hitting our inboxes for years.

  8. So now that he’s arrested, will I not be getting iPhone porn emails anymore?

  9. Fascinating story!
    This overconfident Docent seems to me not the brightest criminal. I wonder if he was by himself in charge of all aspects of such a large botnet operation (maintaining, expanding, negotiating with “customers”, hosting “suppliers”, cashing in, etc.) or whether there were other shady figures in the Mega-D inner circle (yet) to be apprehended.

  10. Please post the correspondence in Russian. Thanks.

  11. “Two in Europe and one in US with Chinese IP address.”

    The US host with the Chinese IP address was later identified in a German security vendor report and eventually forced offshore. Hope you might cover the problem of self-reported IP geolocation in your blog, as I have tried (unsuccessfully) to caution colleagues about relying 100% on geolocation by IP.

  12. How are these logs obtained anyway? Surely it’s not the two discussing parties that are being sniffed? So how are the chats leaked if neither person shares the conversation with anyone else?

    • The chats weren’t leaked by the chatters. From the story above:

      “In my Pharma Wars series, I’ve detailed how Russian cybercrime investigators probing the operations of the massive GlavMed/SpamIt rogue pharmacy operation seized thousands of chat logs from one of its principal organizers. The chats were later leaked online and to select journalists. Within those records are hundreds of hours of chats between the owners of the pharmacy program and many of the world’s biggest spammers, including dozens with one of its top earners — Docent.”

  13. How is spamit.com domain not taken down by Network Solutions?

  14. Has anyone else noticed that in the comment above from “Профессор” (“Professor”) the name hides a link to spamit.com? Oh, and there’s a link to a porn site behind the name in the one about iPhones. Does anyone check for this sort of thing?

  15. There have been some arrests involving coordination with law enforcement in India:
    http://www.philly.com/philly/news/special_packages/inquirer/pill/

    The articles describe a major disruption of drug supplies from India, but I can’t find anything with timing that really coincides with their comments about having to stop shipping scheduled drugs in February 2007. The Indian-American medical student running the operation, who was arrested in Philadelphia in 2005, was sentenced to 30 years in December 2007. His father, also a physician, was arrested in India in 2005 but may have been too ill to stand trial. Several co-defendants pleaded guilty in the interim. The Tulip Labs/Sancash case was at the end of 2007.
