July 10, 2015

An Estonian man who ran an organized cybercrime ring that infected more than four million PCs in over 100 countries with moneymaking malware has pleaded guilty in New York to wire fraud and computer intrusion charges.

Vladimir Tsastsin, 35, ran an online Web hosting and advertising empire in Estonia called Rove Digital. From 2007 to 2011, Tsastin and six other men cooked up and executed a scheme to deploy malware that altered the domain name system (DNS) settings on infected computers (there were versions of the malware for both Mac and Windows systems).

Tsastsin. left, along with other Rove Digital men, at a hearing in Tallinn. Image: Postimees.ee.

Tsastsin. right, along with other Rove Digital men, at a 2013 hearing in Tallinn. Image: Postimees.ee.

Known as DNSChanger, the malware replaced legitimate ads in victim Web browsers with ads that rewarded Rove Digital, and hijacked referral commissions from other advertisers when victims clicked on ads. The malware also prevented infected systems from downloading software updates and visiting many security Web sites.

Following the takedown of the crime gang, the U.S. government assumed control over the DNS servers that were used by the malware, and spearheaded a global effort to clean up infected systems. U.S. authorities allege that the men made more than $14 million through click hijacking and advertisement replacement fraud.

Tsastsin and his accomplices were arrested in 2011 by Estonian authorities for their role in the scheme, but ultimately the men were acquitted. In June 2014, however, the Estonian Supreme Court revoked that decision, finding them guilty of money laundering. Tsastsin in particular was also found guilty of leading a criminal gang. All but one of the seven were later extradited to the United States, and have already pleaded guilty and/or been imprisoned.

I first encountered Tsastsin in 2008, after research and collaboration with numerous security firms and researchers led to a Washington Post series detailing how Rove Digital and its hosting business — a company called EstDomains — were hosting huge numbers of Web sites that foisted malicious software. His response at the time to assertions that he was somehow tied to Russian organized cybercrime: “Rubbish!” 

tsastsin-thumb-228x161“Our projects are totally legitimate and they are not involved in any shady activities,” Tsastsin told The Post in Sept. 2008.

One of those stories, EstDomains: A Sordid History and A Storied CEO, detailed Tsastsin’s prior convictions on money laundering and credit card fraud charges in Estonia. That revelation prompted the Internet Corporation for Assigned Names and Numbers (ICANN), a non-profit that oversees the domain name industry, to revoke EstDomains’s authority as a domain registrar.

Interestingly, Tsastsin and Rove Digital were among the earliest investors in ChronoPay, a Russian payment processing firm whose CEO was another cybercrime kingpin and one of two core subjects of my book, Spam Nation.

Tsastsin faces a maximum sentence of 20 years in prison on the wire fraud conspiracy count and five years in prison on the computer intrusion conspiracy count. He is currently slated to be sentenced October 14, 2015. The media release from the U.S. Attorney’s Office for the Southern District of New York is here.

DNChanger chronology. Source: InternetIdentity

DNChanger chronology. Source: InternetIdentity

Update, July 12, 8:56 p.m. ET: Corrected caption.

21 thoughts on “Cybercrime Kingpin Pleads Guilty

  1. IA Eng

    Awesome ! I cannot wait to see which big “phish” is next.

  2. Dunton

    Good news.
    And long time expected.
    Hope he gets a small time frame in prison!

  3. leo

    what’s your take on the OPM hack, now the site offers 3 years “protection”. As one of the victims how are all the people protected that I used as references etc. And still waiting to see whether my wife as a Fed was captured data as well. OPM should really publish all the names, but hey, business as usual?

  4. fghgfhfhfh

    While it sounds like this was a bad actor, I am troubled by the apparent lack of “double jeopardy” protections that he experienced. Indeed, he wasn’t even merely re-tried for a crime he’d already been acquitted of, but simply declared guilty without a fresh trial, unless there’s a lot of detail being omitted from the article to the point of it being misleading.

    This, in turn, indicates that if you’re in Estonia and the state gets a bee in its bonnet about you, with or without a good reason, they may just keep coming after you, without even the hurdle of having to think up new charges each time to accuse you of. Once you’re a suspect, the only question then would be how long until they up and declare you guilty.

    1. Billy

      There is no double jeopardy. In Estonia he was tried only on charges of money laundry occurred in ESTONIA. He set up a lot of dummy companies in Estonia, through which he funneled ill-gotten proceeds. By Estonian laws, if you buy a property with illegal money then it is automatically constitutes money laundry. In the US he is charged with wire fraud and computer intrusion. So there’s no double jeopardy.

    2. Billy

      In Estonia, they got acquitted by the first circuit court, which I consider nonsense, knowing their case first hand. Prosecution appealed and won in 2nd circuit court. This is a normal process. So your objections are baseless.

  5. TinyTimothy

    NASA’s in the malware detection game? (last graphic in this article)

    1. BrianKrebs Post author

      NASA has investigators with guns and badges. They have played key roles in bringing many big time cyber criminals to justice. They were involved in the McColo investigation, as well as cases that led to the arrest of some big time spammers. I actually detail the role of NASA investigators in my book, Spam Nation.

      1. TinyTimothy

        I had no idea! Thanks for the follow up Brian. Also, just ordered a copy of Spam Nation, looking forward to the good read.

        1. ed

          > I actually detail the role of NASA investigators in my book, Spam Nation.

          Hmm. I just ordered as well. You got me interested with that one…

      2. Nick DeVino

        Ahh, thanks Brian. And my roommate said he had evidence that NASA needed those 198.3 million rounds of armor piercing ammunition they ordered last year because of another break out from Areas 50-52. What a silly wanker. They needed it to stop hackers. Thanks for clearing that up, so I can cross that one off the list.

        Know by any chance if the National Oceanic and Atmospheric Administration might have been giving NASA a hand, since those millions of rounds of high explosive incendiary ammo they purchased last year … my room mate wrote that it’s needed to fight Global Warming…

    1. Dunton

      On the contrary, I sure bet he is.
      As far as I understand for him it means the drama is over and he will get minimum possible prison time, if he is lucky – same as spent already. I judge it based on the gov release which mentions just one count he admitted, if I read it right. In that case he is looking on a few years maximum. Which is, if you think of it, not really surprising – honestly speaking what exactly was his crime? Used a botnet to change one legitimate ad on screen on another legitimate ad? I am sorry – this ain’t exactly Al Quaeda.

      One thing I don’t entirely understand though, please enlighten me, is this legal in America to influence possible court decision by blog posts like this one ? I know as a fact, that in many countries of the world it would actually be illegal or be lower than acceptable journalism standards, to publish anything questionable while there is a court hearing going on.

      Know what, I just read the post for that above mentioned reason again and I don’t see anywhere even mentioned that Tsatsin in fact is not even found guilty yet, it actually states everywhere there as a fact that he is a criminal and all that, how come? What does US law say about that?

  6. Austin

    I’m glad they caught these thugs. Another win for the good side!

  7. fox

    BKrebs you dont know what you talking about .do you ?

    Tsastsin. left, along with other Rove Digital men, at a 2013 hearing in Tallinn. Image: Postimees.ee.

    Tsastsin is sitting on the very right in stripe jumper. Google it ….

      1. SalSte

        Even better, the Postimees caption describes Tšaštšin as ‘in stripes’. Likely, he’s an ethnic Russian born in Estonia since his name isn’t a traditional Estonian surname, and the letter š is used exclusively for foreign words, to match similar letters in Russian.

  8. Zelco Munye

    String him up….it will teach him (and others) a lesson.

Comments are closed.