August 11, 2010

Undated photo of Leo Kuvayev, courtesy Spamhaus.org.

A man known as one of the world’s top purveyors of junk e-mail has been imprisoned in Russia for allegedly molesting underage girls from a Moscow orphanage, KrebsOnSecurity.com has learned.

According to multiple sources, Leonid “Leo” Aleksandorovich Kuvayev, 38, is being held in a Russian prison awaiting trial on multiple child molestation charges.

Sources in the United States and Russia said that Kuvayev, who holds dual Russian-American citizenship, was alleged to have molested more than 50 young girls he had lured away from one or more local orphanages. He was brought in for questioning after one of the girls reported the incident to Russian police, who reportedly found videotaped evidence of the incidents.

Brandon A. Montgomery, a spokesman for the Immigration and Customs Enforcement (ICE) division at the U.S. Department of Homeland Security, confirmed that Kuvayev was indicted on Aug. 3, 2009, and arrested on Sept. 15 in Moscow for child molestation charges.

“Our attaché in Moscow is working with the criminal investigative team in Russia, and the investigation is ongoing,” Montgomery said.

The Russian criminal case against Kuvayev, Case. No. 378243, charges him with violations of Russian Criminal Code 134, which prohibits “crimes against sexual inviolability and sexual freedom of the person.” According to sources in Russia familiar with the case but who asked not to be named, Kuvayev is being held in a Moscow jail awaiting trial, which is currently scheduled to start 10 months from the date of his incarceration on Dec. 22, 2009.

Kuvayev in Thailand, 2001

Kuvayev is widely considered one of the world’s most notorious spammers. Anti-spam group Spamhaus.org currently features Kuvayev as #2 on its Top 10 worst spammers list.

In 2005, the attorney general of Massachusetts successfully sued Kuvayev for violations of the CAN-SPAM Act, a law that prohibits the sending of e-mail that includes false or misleading information about the origins of the message, among other restrictions. Armed with a massive trove of spam evidence gathered largely by lawyers and security experts at Microsoft Corp., the state showed that Kuvayev’s operation, an affiliate program known as BadCow, was responsible for blasting tens of millions of junk e-mails peddling everything from pirated software to counterfeit pharmaceuticals and porn.

Massachusetts was able to sue Kuvayev because he once held a driver’s license in the state and had rented a mailbox there for his business (two of Kuvayev’s younger sisters live in the Boston area, but did not respond to requests for comment).

In an apparent bid to sidestep those charges, Kuvayev fled the United States for Russia. A Massachusetts judge later convicted Kuvayev of CAN-SPAM violations, and ordered him to pay $37 million in civil penalties. FBI officials say BadCow was raking in more than $30 million each year at the time.

Spamhaus credits Kuvayev as being first mass-spammer to send junk e-mail messages as image files in order to evade text-based spam filters. In addition, Spamhaus says Kuvayev kept close relationships with individuals who maintained large botnets, or groupings of hacked PCs that are typically used to relay junk e-mail, and that he may be the person known online as “Pharmamaster,” the individual who claimed responsibility for massive online attacks in 2006 that drove anti-spam provider BlueSecurity out of business.

According to Spamhaus, if Kuvayev is not Pharmamaster, then that moniker belongs to his former business partner, a 37-year-old Russian named Vlad Khokholkov. Sources say Khokholkov is now operating the affiliate program Kuvayev used to run — called “Mailien” — which appears still to be running at full steam and soliciting new spammers, despite Kuvayev’s incarceration. Mailien offers affiliates 40-50 percent of each sale, and some of its “Pharmacy Express” brand partner spam sites currently incorporate familiar trademarks in their domain names, including ebaymeds.com, facebookmeds.com, yahoomeds.com and twittermeds.com, to name just a few. A person answering the ICQ number associated with Mailien’s support desk claimed not to know anyone by the name Khokholkov, but when asked about Kuvayev said that the information could not be provided because it was confidential.


32 thoughts on “Spam King Leo Kuvayev Jailed on Child Sex Charges

  1. shiksaa

    Excellent article and even better news. It’s a shame this sociopath wasn’t locked up long before he could victimize 50 children.

  2. eerms

    This looks like a typical post-soviet “example” acusation and trial. I don’t believa that anyone would do such a stupid thing even in Russia.
    …or I guess he had stept on some toes he shouldn’t have. Maybe Putin was fed up with all the spam in his Inbox.

  3. AlphaCentauri

    So many people consider spam to just be an annoyance, and they tell everyone to “just delete it” or to “get a spam filter” or to “get a life.”

    It’s not about the email. That’s just the part of the criminal activity that is being flaunted most publicly. When the spam for “v1@gra” shows up in your inbox, you can start following a trail of legal violations, starting with the fact that it’s almost always sent from the computer of an innocent user whose machine has been infected with a Trojan horse.

    Over and over the Spamhaus ROKSO listings mention the same spammer mailing for pharma, refi, replica … and child porn. If it weren’t Kuvayev, it would have been someone else — after all, child porn images don’t just drop down from the sky, ready to be sold. It was all totally predictable, 50+ children ago.

    So when are all the registrars and hosting providers and law enforcement agencies going to wake up, look in their inboxes, and start dealing with all the other scum on the ROKSO list? When are some reporters other than Brian going to start digging? How obvious do criminals have to be before anyone acts?

  4. mailien

    real it’s fucking with big botnet spam tell same Real-Mailer5.5

    and Grum,costrat

    icq: 358-456-25

    research “grum” and all mkill “koobface”

  5. David

    Well I sure won’t shed any tears for him, I won’t doubt the allegations of child sexaul assualt becuase you never know what some people are capable of. That being said your going to tell me spammers don’t send out chil porn spam links, child pron is made all over teh world by people from all walks of liek so this wouldn’t suprise me and for all we know spam may have not only been his only illegal venture. I am glad hoever he is in jail in Russia, lol.. I am thinking he may have thought he would be better off hiding their to escape american justice, but I don’t imagine the conditions in russian jails are anything near whate they are in american jail, he may just wish he was in an american jail instead, my worry here is that he will use his ill gotten gains to bribe his way out of jail there as there is far too much corruption in the russian goverment, so lets all hope that doesn’t happen. Well he didn’t get caught on spam but he is at least in jail. so I can live with that, the only question now will really be will his spamming operation go kaput with out him and will we see a drop in our spam and the types he put out? I doubt… but we are all alowed to dream…

  6. Andrei_i

    As Brian mentioned the “partner spam sites”, it worth seeing a more complete recent serie of associated “Mailien”/”Pharmacy Express” cloned spammed domains hosted by at least five “hijacked hosts”, in “fast flux” style :
    http://bgp.he.net/ip/200.150.163.22#_dns
    http://bgp.he.net/ip/222.188.119.23#_dns
    http://bgp.he.net/ip/200.69.97.7#_dns

    For future reference and for revealing who and what is behind this scam to whoever will research for these websites names, the list collected from above links:

    5drugsonline.net, addipharm.com, advancedaltmed.com, akxes.com, allfatfree.net, allfreecontent.net, allfreeroms.com, allnewipo.com, allplusfree.net, alzes.com, animalshelth.com, arrivecity.com, astrapharm.com, avenuplanete.com, avonthego.com, badwebmedicine.net, bamedic.com, bamedicine.com, baymeds.net, bcesd.com, beatmed.com, begrobo.info, bestatlantadr.com, bestdrjohn.com, bestdrmark.com, bestdrugtesting.net, bestfreecell.net, bestfreeonline.com, bestfreesports.com, bestlungdr.com, bestmedcon.com, bestmedlife.info, bestmedmal.com, bestmedprep.com, bestmedprep.info, bestmedsurplus.com, bestmoviebit.com, bestnetdrug.com, bestonlinedrug.net, bestpharmace.com, bestpricedr.com, bestspatop.com, besttophat.com, bidrhouse.com, bigmandr.com, biologmed.com, bitstreamradio.com, bitvalleylaw.com, bitvalleypro.com, bitvictim.com, bitworksonline.com, brokenjandr.com, brokenjandr5.info, buydrugfree.com, canadapharmsite.com, catmedic.info, cgees.com, clubmedguide.com, clubspamed.info, coolinfomart.net, countyhighmed.com, davimds.com, davimds5.info, debhelt.com, decmedic.com, digimedtrust.com, docmedicalgroup.com, docshousemenu.com, doctorshomes.com, domedic.info, dothelt.com, dracingguide.com, drauctionhouse.com, drcleanhome.com, drcottage.com, dredhouse.com, drevilshouse.com, drexsite.com, drgalehouse.com, drgoodhome.com, drgoodjohn.com, drgoodjohn5.info, drheatshouse.com, drhomebase.com, drhomebytes.com, drhomecalls.com, drhomecomfort.com, drhomedeco.com, drhomedirect.com, drhomeoffice.com, drhomeremedies.com, drhomeremedy.com, drhomesite.com, drhometheater.com, drhouseworld.com, drihouse.com, drironline.com, drjameslange.com, drjohntrent.info, drlovehouse.com, drmalthouse.com, drmarkford.com, drmarkford5.info, drmarkhenry.com, drmarkhenry5.info, drmarkhome.com, drmoldonline.com, drqhouse.com, drsmarthome.com, drugfreelaw.com, druginst.com, drugsonet.com, drworldnews.com, drworldnews5.info, dymedic.com, eadvancedmed.com, eadvancedmed.info, eallfree.net, ebaymeds.com, ehelt.com, elevatedmed.com, emiasloopy.info, emmedic.com, epleymed.com, esbds.com, esmpa.com, esnik.com, esppp.com, espwa.com, esvep.com, etimedic.com, evemedic.info, excessmeds.net, exmedic.info, ezges.com, facebookmeds.com, facmedic.info,fannysite.com, farmpharm.com, feoes.com, firesloopy.info, flaynloopy.info, flyclubmed.com, freeclearhistory.net, freegoodcheap.com, freehairyfanny.com, freelifedirect.com, freemusickey.com, freeservemusic.net, freesitedot.net, freeworldbooks.net, freeworldsports.net, fullhelpsite.info, gapharm.com, ges2you.com, gesnation.com, gesplanet.com, geswizard.com, goforesite.com, gogetwin.com, goodfreecheap.com, gowebmedicine.net, greatbesthome.com, greatmedlab.com, grimedic.com, grirobo.info, gunfannypacks.com, hadakanet.com, hadsite.com, hadworld.net, hamptonhelt.com, helthdirect.com, helthonline.com, helthworld.com, heltpow.com, hermedic.info, highclassguide.com, highclubmed.com, highcountrysite.com, highdeductible1.com, highdoctor.com, highintensity1.com, highmedcenter.com, highmedcenter.info, highmedplus.com, highmedsite.com, highmedworld.com, highrockmed.com, highspeeddoctor.com, highspeeddoctor.info, hightopmedical.com, highwestmedical.com, hoomedic.com, hoteslive.com, hotnewpix.com, househotelsite.net, hunmedic.com, iadvancedmed.com, ibestfree.net, imeditrust.com, impaloopy.info, impopharm.com, inlpharm.com, irshadshah.com, iwebdrug.net, jandrfunding.com, jandrsite.com, jotmed.com, jresd.com, judiloopy.info, justmed1.com, kolmedic.com, letsgopc.com, littlebitbear.com, lodmedic.info, manmedic.info, medaler.com, medbelieve.com, medcenterexpect.com, meddepend.com, medicallbid.info, medicallnet.info, medicationreality.biz, medicch.com, medicck.info, medicdi.com, medicdi.info, medicdo.com, medicer.info, medicge.info, medicineer.com, medickh.com, mediclo.info, mediclu.info, medicnd.info, medicne.info, medicng.info, medicnk.com, medicse.info, medicti.com, medicti.info, meditrustinfo.com, medlaba.com, medprosearch.com, medscool.net, medsoftonline.com, medsouthtrust.com, medstyleonline.com, medtechtop.com, medtrustco.com, medtrustid.com, medwayradio.com, methadown.com, midronline.com, milehighrecovery.com, milehighrecovery1.com, mollyhelt.com, mupharma.info, myadvancedmed.com, myadvancedmed.info, mydrworld.com, myeshome.com, myhelp5inks.info, nadmedic.info, newesland.com, newsiteinc.com, nocodeonline.com, nomoreice1.com, onlinedrugclub.net, onlinedrugworld.net, onlinehealthco.net, onlinehealthlink.net, onlinepetdrug.net, perrobo.info, pharmaac.info, pharmaan.info, pharmaar.info, pharmael.info, pharmaet.info, pharmafl.info, pharmaft.info, pharmahm.info, pharmakb.info, pharmamb.info, pharmann.info, plarobo.info, promedage.info, qualisurgeon.info, reamedic.info, rewarobo.info, samedic.info, serobo.info, sherobo.info, shmedic.info, superhelp.info, supermedtech.info, surgeonenter.info, taxfreesee7.net, tefloopy.info, thefreeplace7.net, thewebdrug.net, utemedic.info, vagmedic.info, vinmedic.info, wapfreemusic.net, webdrugcard.net, webdrugmall.net, webdrugsearch.net, webdrugshops.net, webdrugsupply.net, webhousedrug.net, wrpharma.info, wwwanymedicine.net, wwwcandrug.net, wwwdietdrug.net, wwwdrugsales.net, yourdrjohn.info, yourstorefree.net.

    More references:
    http://spamtrackers.eu/wiki/index.php/Pharmacy_Express

  7. Andrei_i

    More domains (I wish I could edit my previous post):
    aemedicine.com, allnewsound.com, bestnewstuff.com, chpmedic.com, demedicine.com, fepharmacy.com, heltdust.com, hypharmacy.com, kepharmacy.com, lemedic.com, litmedic.com, machelt.com, mamedic.com, medicineac.com, medicineba.com, medicinecy.com, medicinedg.com, medicineea.com, newfamilylife.com, newmediaus.com, nomedic.com, papharmacy.com, pharmacyan.com, pharmacyba.com, pharmacyry.com, pharmacysi.com, pharmacyth.com, pharmacytl.com, pharmacyut.com, phmedicine.com, qumedicine.com, sumedicine.com, tepharmacy.com, thenewrage.com, tupharmacy.com

  8. AlphaCentauri

    The spamwiki article on his site is here:
    http://spamtrackers.eu/wiki/index.php/Pharmacy_Express

    Like other scam pharmacies, the license they display is forged. (See medbestonline.com/cert.php?item=lic-cert)

    But it’s important to get the word out that they are spoofing the contact information of a real pharmacy by the name of Pharmacy Express. The real Pharmacy Express has absolutely no relationship to Mailien/Kuvayev.

  9. KFritz

    If he wasn’t framed, he’ll wish he was in an American jail. Russia is one of the few places in the ‘developed’ world that’s worse than the US to be in jail. Child molesters are the bottom of the bin in stir. In more ways than one.

    It is possible that he was framed, but lots of times people who categorically proclaim, ‘framed/innocent’ for molestation are pedophiles standing up their brethren.
    The tourist photo fr/ Thailand gives cred to the charges.

    1. AlphaCentauri

      It does point out the discrepancy between “justice” and “punishment.” Despite the possibility of severe punishment (being sent to a Siberian prison camp for alleged white collar crime, as happened with Mikhail Khodorkovsky), internet criminals in Russia operate very openly. They seem to feel that their best chance for avoiding imprisonment is to make enough money to pay generous bribes, rather than to actually observe the law.

      1. KFritz

        The ‘frame-up’ in question for pedophilia. The Russian govt is very happy to have malware Mafias bring in cash as long as they don’t take it fr/ Russians. Besides stealing fr/ Russians, heinous crimes like pedophilia, getting on the wrong side of powerful officials, and getting on the wrong side of more powerful Mafiosi are the only ways to get arrested.

    2. eerms

      I think he deserved it and for all I know he could be a pedofile at the end, but I’m allways sceptic regarding all the information coming from Russian press.

      A quick search in *.ru with my humbe russian knowledge reveales that the information leading to Kuvayes arrest was made public by anonymous hackers. Apparenlty they hacked internet secure payment company called Cronopay and came accross some e-mails between Kuvayev and the company management.

      1. AlphaCentauri

        I agree that the fact that the Russian press isn’t reporting it does give me pause. I’m going to assume Brian followed good procedure as far as getting independent confirmation of information when the sources wish to remain anonymous. I don’t know what their law are regarding reporting the names of people accused but not convicted of sex crimes.

        If this were a frame-up, why would the Russian government choose these particular allegations? It would have been trivial to get him on tax evasion, which would result in a long prison sentence. If the idea were to intimidate political opponents, sex crime allegations wouldn’t be as effective as one might think, since the government can only intimidate innocent people if they know for a fact the accused is also innocent — and only Kuvayev’s closest friends could really know that. It’s also much easier to create fake financial records regarding unreported income than it would be to edit his image into kiddie porn videos.

        While allegations like these destroy the reputation of the accused (not that Kuvayev’s reputation had far to sink), they are also a stunning indictment of the Russian government’s child protection services. And even if there were a conspiracy to bring down some local official responsible for the orphanage, why choose Kuvayev as the rapist, knowing that his international notoriety would embarrass the entire Russian Republic?

    3. Krebs

      “The tourist photo fr/ Thailand gives cred to the charges.”

      What? You seem to be insinuating something like “if you go to Thailand then you’re more likely to be a paedophile” with this statement. This is simply ridiculous.

      1. BrianKrebs Post author

        Hi. Please pick another nickname. Also, please refrain from using links to Goatse sites as your sig. Thanks.

  10. Max

    Holy, no way they finally got this guy.

    I see a lot of hate on spammers here. Some people are mailing legit products and services that are targeted to their intended audience.

    These same people may rely on this income to pay their rent and bills. Their income may not be much more than what us average Joe’s make a year. Maybe around minimum wage after business related expenses.

    Luckily the Can-Spam has essentially legalized spam and improved the quality and amount of targeted leads. Of course some guy like Leo here is not part of this broader audience of small time “spammers”.

    1. Bob

      Isn’t spam, by definition, unwanted unsolicited email? Usually for a fraudulent product?

      I get lots of email from reputable companies on an almost daily basis. I don’t consider that spam.

      Spam is the trash for fake Viagra, male enhancement products, all the money-making schemes, fake watches, etc.

      Like a judge once said about pornography, (paraphrasing here) “I can’t define pornography, but I know it when I see it.”

      Spam is spam

      1. JBV

        Bob:

        How charitable of you to consider emails that clog your inbox as not being spam, just because you think they were sent by “reputable companies.”

        If I didn’t ask for the emails, it’s all spam to me. Call it “spam,” “unwanted, unsolicited email,” or offers from legitimate entities, it’s all annoying and it infuriates me that “reputable companies” send so much of it. It’s all spam when my inbox is loaded with advertising that I don’t want.

        The difference here isn’t quantity or quality. It’s the fraudulent, often criminal activity behind the mailings. If you opt-out of a legitimate company’s emails, they generally will stop sending them. (I don’t click on opt-out links in the emails, though; there’s always the risk that they aren’t from the named sender. The only safe way to opt out is to go to the company’s website or to phone them.) If you respond in any way to a malefactor’s email, you are in for trouble.

        This seems like a good time to remind other, less sophisticated readers of this blog of Brian’s first few rules of email:

        Never click on a link in an email unless you are sure you know and trust the sender.

        Never reply to an unsolicited email; you are just confirming that you have a live email address.

        Report suspicious or fraudulent emails to the FBI at:

        http://www.ic3.gov/default.aspx

    2. Michael

      Spammers enable scammers; all should be jailed. Both do not care about how their own families will get by then — why should I?

    1. BrianKrebs Post author

      Well whatever influence you may have had, thanks! I’m certainly seeing the traffic from it today!

      1. shiksaa

        Brian,

        Exactly how did this dirtbag manage to lure children away from orphanages? I hope we can expect those people in charge of those children to be investigated.

        Did you get any idea from your sources as to the age range? I don’t see how little children could just go off with a grown man without some adult noticing, and certainly not more than 50 times.

        1. AlphaCentauri

          Unfortunately, it’s not difficult. Rarely do children victimized by pedophiles get dragged away by force. Most go willingly. Most pedophiles seem like nice people, the kind of people who are really good with kids. Parents of children abused by priests or scoutmasters or athletic coaches are often proud that their kids are getting singled out for special attention. The orphanage supervisors may have considered spending time with Kuvayev to be a great chance for their kids to get a chance for a future career in computers.

          Pedophiles target vulnerable kids. Kids in orphanages often have attachment issues, where they have no fear around strangers, but become anxious and act out when they start to get attached to anyone. While an adult having sex with a child is very wrong from an adult point of view, to a preteen with poor social supports it may seem like a privilege, getting treated as an adult when their friends are still playing with dolls. Sometimes the kids who are raped by pedophiles will return repeatedly or will even recruit their friends to “go see the creepy guy who will give you all kinds of money if you let him take pictures of you.” That’s why statutory rape isn’t dependent on lack of consent.

          And those same vulnerable kids with attachment issues are at risk of becoming abusers as adults themselves. We don’t know what may have turned Kuvayev into the type of soulless shell of a human being that could do this.

  11. Alex Blow

    well-well
    lj.rossia.org/users/clonopay
    clonopay.livejournal.com

  12. CRP

    nice %)
    have you seen it: chrono-pay.livejournal.com?

    1. AlphaCentauri

      Hmm, your links aren’t staying posted long before LiveJournal takes them down.

      Since you’ve got such mad skills at hacking, maybe you can hack canadianhealthcaremall.net and post them there? That domain will never be shut down, apparently. 😉

  13. Jack

    The whole operation was set up. Kuvayev was set up by both microsoft and usa gov (as if both parties haven’t done things behind peoples backs).

    The video tapes were faked, as well as all the other evidence. They didn’t have anything against kuvayev to put him in jail for spam, so they had to take things in their own hands.

    There’s been extreme heat about this issue on russian underground forums, and doubt this is the last anyone hears about it.

    1. SysAdmin

      I doubt it’s fake. I know people who used to work for him before he got into the spam game that told me that he liked to argue that child porn provided money to children that would otherwise go starving.

  14. SpamSlayer

    Heh… I got those pictures of Kuvayev by hacking his Leonik.com personal website. Still have a CD full of his other pics, if you want them.

    http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/d42187bb3825bfe9/24a7b310ea1512ef?hl=en&q=Leo+Kuvayev+group:news.admin.net-abuse.email

    Yeah, this is the SpamSlayer who originally found out Kuvayev (then called the Russian Spam Gang, because everyone thought they were operating out of Russia) was operating out of Brighton, MA. I sent a lot of the info to the FBI and MA State Attorney General that they then used to indict him in the US.

    He then fled to Montreal, Quebec, Canada, so I got the Mounties on him for his kiddie smut, forcing him to flee to Russia, where he tried once to send me death threats via telephone (which prompted the FBI to tell me to get a telephone recording device, which led to me making the infamous Polyakov ‘it’s keeeeeling me!’ recording).

    Kuvayev’s sunk about as low as a human can go and still be called human, I guess… exactly where I wanted to put him when he laughed at me after I told him to stop spamming me, all those years ago.

    Weak, broke and running scared. That’s the way all spammers should be.

  15. J

    This guy stole my email address and uses it to send spam. I know, they are bounced and I get them.
    No, my comp isn’t hacked

    Where are the site hackers when you need one! Why don’t they put their talents to better use and clean this kind of Internet pond scum, off the planet.

Comments are closed.