Over the past 18 months, I’ve published a series of posts that provide clues about the possible real-life identities of the men responsible for building some of the largest and most disruptive spam botnets on the planet. I’ve since done a bit more digging into the backgrounds of the individuals thought to be responsible for the Rustock and Waledac spam botnets, which has produced some additional fascinating and corroborating details about these two characters.
In March 2011, KrebsOnSecurity featured never-before-published details about the financial accounts and nicknames used by the Rustock botmaster. That story was based on information leaked from SpamIt, a cybercrime business that paid spammers to promote rogue Internet pharmacies (think Viagra spam). In a follow-up post, I wrote that the Rustock botmaster’s personal email account was tied to a domain name ger-mes.ru, which at one time featured a résumé of a young man named Dmitri A. Sergeev.
Then, on Jan. 26. 2012, I ran a story featuring a trail of evidence suggesting a possible identity of “Severa“ (a.k.a. “Peter Severa”), another SpamIt affiliate who is widely considered the author of the Waledac botnet (and likely the Storm Worm). In that story, I included several screen shots of Severa chatting on Spamdot.biz, an extremely secretive Russian forum dedicated to those involved in the spam business. In one of the screen shots, Severa laments the arrest of Alan Ralsky, a convicted American spam kingpin who specialized in stock spam and who — according to the U.S. Justice Department – was partnered with Severa. Anti-spam activists at Spamhaus.org maintain that Peter Severa’s real name is Peter Levashov (although the evidence I gathered also turned up another name, Viktor Sergeevich Ivashov).
It looks now like Spamhaus’s conclusion on Severa was closer to the truth. More on that in a second. I was able to feature the Spamdot discussions because I’d obtained a backup copy of the forum. But somehow in all of my earlier investigations I overlooked a handful of private messages between Severa and the Rustock botmaster, who used the nickname “Tarelka” on Spamdot. Apparently, the two worked together on the same kind of pump-and-dump stock spam schemes, but also knew each other intimately enough to be on a first-name basis.
The following is from a series of private Spamdot message exchanged between Tarelka and Severa on May 25 and May 26, 2010. In it, Severa refers to Tarelka as “Dimas,” a familiar form of “Dmitri.” Likewise, Tarelka addresses Severa as “Petka,” a common Russian diminutive of “Peter.” They discuss a mysterious mutual friend named John, who apparently used the nickname “Apple.”
Date: May 25, 2010, 10:28 a.m.
“Dimas, hello. How’s everything? What has happened with Apple? Everything is understandable in regards to Ralka. However, what’s happened with them? I used to have more people, they have also disappeared. I think they got scared after Ralsky got shaken down.”
Date: May 25, 2010, 3:20 p.m.
Subject: Re: Stocks
“Everything is all right with John. We drank with him recently in Europe. He is getting married soon. He is no longer spamming stocks. He got squeezed [arrested/questioned] once very badly some time ago. Now he is all clean. His friend – SP – screwed him and also is not working with stocks now. Rin is in total shit. He is going to be in jail (or he is going to be hiding) for a long time. He calls me pretty often, so he is alive so far. I am helping his wife with money from time to time.”
The two exchange recommendations about their favorite nightclubs in St. Petersburg, Russia. Tarelka inquires how Severa is doing, which elicits the following reply:
Date: May 25, 2010, 3:27 p.m.
Subject: Re: Stocks
“I am okay. Damn, where to find sponsors? I am sure I can spin off stocks even in the current market. Are there any more contacts? Maybe I will ask Apple. Maybe he can give me some referrals. Who could think two years ago that this “theme” would die, huh? Give my regards to Igor [possibly Igor Gusev, the co-curator of SpamIt]. I wish you luck and patience.”
Tarelka says he tried to convince John/Apple that there was still money to be made in stock spam, but that John insisted the market was dead, and that no one was coming forward to pay spammers to send pump-and-dump spam anymore.
Date: May 26, 2010, 8:02 a.m.
Subject; Re: Stocks
“My friend….do you think that stocks was not the central theme of our conversation? I filled his ears with this topic. He does not see any possibilities. Not at all. So, we are sitting on our asses, sending pharmacy and replica [spam].
The “John” in the conversation above may have one of the two Johns named as co-conspirators in Ralsky’s 2008 indictment (PDF) on spam charges. According to his Wikipedia page, Ralsky was sentenced in 2009 to four years and three months in prison after pleading guilty to wire fraud, mail fraud and violations of the CAN-SPAM Act. That sentence was later reduced to 35 months, when Ralsky agreed to assist in the prosecution of other spammers. He was reportedly released from prison on Sept. 14, 2012.
Both Severa and Tarelka remain free and quite active in the spam and malware scene. According to sources, Tarelka claims his botnet code was sold to three different miscreants prior to Microsoft’s takedown of Rustock in March 2011, although he still sells custom rootkits to vetted customers. In July 2011, Microsoft began offering a $250,000 reward for information leading to the arrest and conviction of the individual(s) responsible for Rustock.