April 10, 2017

Authorities in Spain have arrested a Russian computer programmer thought to be one of the world’s most notorious spam kingpins.

Spanish police arrested Pyotr Levashov under an international warrant executed in the city of Barcelona, according to Reuters. Russian state-run television station RT (formerly Russia Today) reported that Levashov was arrested while vacationing in Spain with his family.

Spamdot.biz moderator Severa listing prices to rent his Waledac spam botnet.

Spamdot.biz moderator Severa listing prices to rent his Waledac spam botnet.

According to numerous stories here at KrebsOnSecurity, Levashov was better known as “Severa,” the hacker moniker used by a pivotal figure in many Russian-language cybercrime forums. Severa was the moderator for the spam subsection of multiple online communities, and in this role served as the virtual linchpin connecting virus writers with huge spam networks — including some that Severa allegedly created and sold himself.

Levashov is currently listed as #7 in the the world’s Top 10 Worst Spammers list maintained by anti-spam group Spamhaus. The U.S. Justice Department maintains that Severa was the Russian partner of Alan Ralsky, a convicted American spammer who specialized in “pump-and-dump” spam schemes designed to artificially inflate the value of penny stocks.

Levashov allegedly went by the aliases Peter Severa and Peter of the North (Pyotr is the Russian form of Peter). My reporting indicates that — in addition to spamming activities — Severa was responsible for running multiple criminal operations that paid virus writers and spammers to install “fake antivirus” software. So-called “fake AV” uses malware and/or programming tricks to bombard the victim with misleading alerts about security threats, hijacking the PC until its owner either pays for a license to the bogus security software or figures out how to remove the invasive program.

A screenshot of a fake antivirus or "scareware" affiliate program run by "Severa," allegedly the cybercriminal alias of Pyotr Levashov, the Russian arrested in Spain last week.

A screenshot of a fake antivirus or “scareware” affiliate program run by “Severa,” allegedly the cybercriminal alias of Pyotr Levashov.

There is ample evidence that Severa is the cybercriminal behind the Waledac spam botnet, a spam engine that for several years infected between 70,000 and 90,000 computers and was capable of sending approximately 1.5 billion spam messages a day.

In 2010, Microsoft launched a combined technical and legal sneak attack on the Waledac botnet, successfully dismantling it. The company would later do the same to the Kelihos botnet, a global spam machine which shared a great deal of computer code with Waledac.

The connection between Waledac/Kelihos and Severa is supported by data leaked in 2010 after hackers broke into the servers of pharmacy spam affiliate program SpamIt. According to the stolen SpamIt records, Severa — this time using the alias “Viktor Sergeevich Ivashov” — brought in revenues of $438,000 and earned commissions of $145,000 spamming rogue online pharmacy sites over a 3-year period.

Severa also was a moderator of Spamdot.biz (pictured in the first screenshot above), a vetted, members-only forum that at one time attracted almost daily visits from most of Russia’s top spammers. Leaked Spamdot forum posts for Severa indicate that he hails from Saint Petersburg, Russia’s second-largest city.

According to an exhaustive analysis published in my book — Spam Nation: The Inside Story of Organized Cybercrime — Severa likely made more money renting Waledac and other custom spam botnets to other spammers than blasting out junk email on his own. For $200, vetted users could hire one of his botnets to send 1 million pieces of spam. Junk email campaigns touting auction and employment scams cost $300 per million, and phishing emails designed to separate unwary email users from their usernames and passwords could be blasted out through Severa’s botnet for the bargain price of $500 per million.

The above-referenced Reuters story on Levashov’s arrest cited reporting from Russian news outlet RT which associated Levashov with hacking attacks linked to alleged interference in last year’s U.S. election. But subsequent updates from Reuters cast doubt on those claims.

“A U.S. Department of Justice official said it was a criminal matter without an apparent national security connection,” Reuters added in an update to an earlier version of its story.

The New York Times reports that Russian news media did not say if Levashov was suspected of being involved in that activity. However, The Times piece observes that the Kelihos botnet does have a historic association with election meddling, noting the botnet was used during the Russian election in 2012 to send political messages to email accounts on computers with Russian Internet addresses. According to The Times, those emails linked to fake news stories saying that Mikhail D. Prokhorov, a businessman who was running for president against Vladimir V. Putin, had come out as gay.


60 thoughts on “Alleged Spam King Pyotr Levashov Arrested

  1. IRS iTunes Card

    Spammers, one of the lowest forms of scum on this earth

    1. JCitizen

      Yeah, good riddance! May this teach them to stay hidden in Russia if they want to stay out of the clink! You know Putin isn’t going to do anything to them!

  2. TM

    I’m curious about the economics. Why is renting out the botnet more lucrative than doing the spamming himself?

    1. timeless

      Presumably it’s a matter of how creative your personal use/conversion rate is. If you can’t manage a pitch that converts/yields/returns $200 from a million email addresses, then anyone else willing to pay that much for access to the same email addresses is a better deal.

      This shouldn’t be shocking, most fields specialize. Just because you’re a good malware writer wouldn’t mean you’re a good email scam writer…

    2. Max

      I’m curious about the economics. Why is renting out the botnet more lucrative than doing the spamming himself?

      Its all about quantity.

      whitehat/greyhat methods are not that cheap for sending millions of mails. You need to setup server/s, rotate IP`s, use sort of MTA software, and more, and more, spent time doing it… the time itself is much more expensive you are capable of doing all the other mentioned by me processes

      While using blackhat/hacking methods (use hacked hostings, use botnet with zombies on it) – is much more effective. Yeah, the clicktrough is much lower then if using “legal” ways, but with some preparation there is no limits of sending (good for more then 1kk mails per day).

      While I do not cheer all the scam, hacking, phishing and all the sort of crap that Krebs is fighting against,
      Severa was a long-time legend – well known in the underground – and if applicible he had a “positive” karma. He was not a scumbag ready to do everything for money, as 95% of the underground criminals try to do.

      And also – yeah Russian are really good in what they do and critically thinking people, and yes – decades ago when spamming was just in the begging – mostly was done by Russians, but honestly – most of the spam nowdays is from India/BD/Pakistan/and other Asian countries.

      1. zboot

        @Max, the question was why the botnet author wouldn’t conduct the spamming himself instead of renting it out to others to use.

        Presumably, those paying $200 make more than that via spam, so why doesn’t he just do that and pocket the profit directly?

        The answer – making money from spamming requires more infrastructure, risk, and marketing skill than just setting up the botnets for sending out the email. There is more risk because while you can disavow what customers do with your servers, you can’t disavow money being paid to your bank account from spam proceeds.

    3. JimV

      Once the botnet has been created and validated to work properly, the rental fees represent a payout more akin to “getting something for nothing” that completely avoids the churn of developing an unending series of spam-and-scam campaigns, with the originator’s subsequent efforts mainly focused toward ensuring the botnet is functioning properly with occasional tweaks or adjustment with updates.

  3. 3axap

    So, he is going to have trial and jail in the US?
    Under USA laws? Even though he is never go to America before, even to commit crime?

    The legal mechanisms for his prosecutions bewilder me.

    1. Tarramisue

      >> Even though he is never go to America before, even to commit crime? <<

      It would seem his computer based crimes crossed the border of the United States alot…so they were waiting for him.

      Crossing those borders via the internet (and intent) is still crossing those borders. Not bewildering at all.

      Bewildering, is thinking you can get away with this stuff cause you're behind a computer in another country.

  4. lecxus

    All this recent arrests shows just one thing.
    it means now they will stop cyber crimes complitely.
    strong data protection laws are allready in place.
    iM 100% sure guy was surprised about that he will be arrested.
    coz all this crooks been thought that they not going to jail.
    but yes they been liad big time.

    1. JCitizen

      I don’t see it that way – I think they are desperately trying to up the ante for spammers, because they know the IoT botnet is growing exponentially, and the problem will get worse before it gets better. It will be like kicking an elephant’s butt to get industry to change the way they secure those devices. It would help if they get hold of the writers of the Mirai virus too.

      1. jgarry

        Two days later, and I notice my spam filter has caught way more pump-and-dump spam.

    2. guy

      The fact that this one guy was eventually caught does not mean that the average spammer is going to be eventually caught.
      First, he made enough money to vacation in Spain. A less-successful spammer who has to settle for vacations in Russia or other native country won’t get arrested.
      Second, as JCitizen wrote, the number of devices being connected to the internet is growing very quickly now. Once there are billions of un-patchable $20 devices with their own IPV6 internet addresses capable of running mailservers and cranking out spam around the clock, the odds of any particular spammer being caught will fall.

  5. wstb

    Its time to get out from cyber crimes botnets…do not get involve anymore !!! Its trap !! The money and profit is just trap !!
    Guys if you read this then i tell you get out dont touch tjis things anymore !!

  6. Uncle Samsung

    @3axap, Your comment assumes Pyotr has never been to the US. How could you possibly know?? You sir write like a Russian troll.

    He might not have been to the US but his digital weapons have.

  7. Jim

    I’m surprised, and pleased with his arrest. The laws that are where his victims were. He probably hit a American server, and therefore. That person had to have pull. Just a you and me would not be able to do it. Now they have to present the case in a foreign court, to get him transfered to the land of free speech. That could prove tough. Differences in law, evidence and anti American attitude may come into play.

    1. Matt

      I don’t think there’s any assumption or assertion that this (however notorious he may be) prolific spammer had any hand in getting an American president elected.

    2. Mike

      First, there would have to be demonstrated that Levashov’s “help” actually changed the outcome of the election. If it did not, then there’s no reason to declare the election void. Second, if Levashov’s activities did change the election outcome, then there would be other processes to handle that. That process takes time.

      Be wary that evidence is not the same as “proof.” Most American news outlets violently cherry-pick their information. Plus, if there is evidence that someone tried to sway the election via a PR campaign, that does not mean that negative information from WikiLeaks actually swayed voters. Effort does not equate with effectiveness. Demonstrating such effect would be quite difficult, as we would need millions of Trump voters to explain that they were swayed. Likewise, in the US, our news outlets have many people thinking that if anyone who happens to be Russian and in Russia was involved in hacking the DNC e-mail server, then by their Russian-ness, that automatically implicates Mr. Putin in the individual’s activities. This is fallacious thinking. The template for this type of fallacious thinking is rampant in the US right now, among other types.

      Note that Mr. Pence would not automatically become the US president, as his position was affected by the same election being declared void.

      1. Gnecht

        If not Vice President Pence, then the successor would be House Speaker Paul Ryan, right? Then Orrin Hatch in the Senate… and from there on down, it’s top cabinet positions held by Trump appointees. It seems like a pretty long road to get to someone that anti-Trump people would be happy to have for a president.

        1. Daphne

          Indict Ryan, get a moderate speaker, then wipe out the rest of the coup => clean, loyal white house.

      2. Jeff

        @mike, your statement, “We would need Millions of Trump voters to explain that they were swayed” is not actually correct, we would need about 74 people, electors, to explain that they were swayed. Hillary already won the popular vote by a landslide of almost 3 million… Trump only won the 74 additional electoral votes. In fact if the electors from Mi, Wi, and Oh all made such a statement, it would only take 44 statements using your example…and maybe less.

        But I’m sure there are nowhere near 44 people that regret their vote, right?

        1. Mike

          Thanks for the correction!

          Regarding electors (the analog to the Senate) as opposed to popular vote, it would depend on if the electors are contractually bound to the state’s popular vote, whether winner-take-all or proportional to the districts. So, it’s not just the electors as you say, but in support of your correction, we can have “Faithless Electors.” Contractually tying the electors to their local popular votes keeps the popular vote (analog to the House of Rep’s) from being meaningless. However, the “Faithless” possibility, which is a breach of contract where applicable, does throw a wrench into that system.

          …just thinking it through out loud here…

          It would take something different from the electors saying they regret their decisions, but they would have to testify under oath (and faithless electors are unreliable witnesses if they breached contract–they’d get shot down if put on the stand) that any negative information related to the leaks or hacks swayed their decisions, and from whom to whom matters as well. We had faithless electors who abandoned a local vote for Clinton and still voted for not-Trump. We would need electors who were swayed, not merely regretting, and who are from states where they were not contractually bound to the local votes. Making that case is a little more difficult. If all we have are contractually bound electors, swayed or not, then the issue shifts back to how I phrased it before–millions of Trump voters. However, I did not think of the Electoral College when I first wrote that. So, thanks again for bringing it up.

      3. Craig Thomas

        Have you guys been drinking Putin’s Kool-Aid?

        Levashov is a very serious spammer.
        He’s been arrested for spamming.

        The election-rigging rubbish is Russian fake-news.

        1. BrianKrebs Post author

          Someone has unleashed the comment trolls on this story. Seeing lots of patterns in the comments, same IP addresses, subnets, RDNS, etc. I guess I really pushed some buttons at the troll factory with this post.

    3. dog10

      This is not an arena where you can expect gratitude. Assassins are sometimes killed by their employers before they can talk. The issue will be, whether he is permitted to talk in his trial about anything else he has done.

  8. Brad

    It appears Pyotr is being linked to alleged U.S. election hacking http://www.bbc.com/news/technology-39553250 by other news sites rather than anything he might have done as a spam kingpin.

    I’d be interested in any further details Brian might have regarding that side of the story.

    1. BrianKrebs Post author

      I addressed this in the story. Near as I can tell, the election hacking supposition comes from an RT story where they asked the wife of the accused why her husband was arrested, and she said Spanish police had said he was connected to the election meddling. That’s three people removed (at least) from an actual source, and RT is the media source, which makes me doubt it even more since RT is a propaganda outlet orchestrated by the Kremlin. I’m not saying he wasn’t involved, I’m saying the evidence so far is pretty thin.

    2. H.Skip Robinson

      You should be very skeptical of all mainstream media stories especially when they are supporting a major meme coming from the political oligarchs, left or right. There actually in cahoots.

      1. JCitizen

        Yup! I do have confidence in good old American skepticism though; the tons of fake news on the web is well known by now. In fact it should have been WELL known long before this election. People do glom onto things that say what they want to hear though.

        To suggest that meddling by foreigners can so easily sway a US election is just foreign ignorance. We have way more news sources to choose from here in the US – If more news agencies were like Brian Krebs – the world would be a better place. 😀

  9. Gary

    As someone who runs my own mail server, I find some of these RBLs (reputation blocking list) companies just a step above the spammers. (Keyword being some, but I won’t spam the reply section calling out the good and bad.) One RBL wanted me to join a whitelist service that far exceeded the monthly cost of my server. Ponder this: why in the world are there over 100 RBL companies? Some I believe to be shakedown artists. None who claim I spam or dictionary search has ever provided evidence. I kid you not that one RBL had in their contact form that upon sending them an email, I had to agree to have my IP address blocked for a week. But the script just logged my cellular IP address, so hey, no harm to me.

    Mind you my email will pass SPF and DKIM. I am completely traceable.

  10. Marvin Waschke

    Brian– The amount of detail you put in these blogs is staggering. Extradition is a weak point, to say the least, in the prosecution of cybercrime. In this case, the roll out this time will be interesting with all the political implications of possible ties to election tampering and the volatile state of US – Russian relations. I’m staying tuned in…

  11. Mike

    Ignoring the DNC hack for a moment (I’ve seen other sources that it was a leak instead of a hack) and instead focusing on the spam, could you please review what makes his spamming activities illegal under whatever jurisdictions are involved?

    Is this part of US law, international law, or other jurisdictions? Is it the malware bots, or the sending of unwanted e-mails? Anyone can send unwanted e-mails and it’s annoying, but where and how does it cross legal thresholds?

    1. JCitizen

      In the US the CAN-SPAM Act of 2003
      and in the Council of 2005 starting a world wide cooperation on countering spam.

  12. KFritz

    It never ceases to amaze that people who with the intelligence to mastermind and code complex computer programs can’t understand the simple fact that they’ll be arrested if they travel outside of a very few nations that entertain friendly relations with Russia.

    1. Guy

      When you’re a wealthy and powerful businessman for years, you convince even yourself that it will be OK if you take that trip to Spain. There are probably other spammers who took trips there and didn’t get arrested.

      1. UntilTheEnd

        No my friend, the weak point is the Woman. She is bored in Russia with all the money Severa brought in, probably his dickgame is low too. So she complains to Severa that she wants to explore the world with him and that my friend is a Weak point lf most of them.

        There are some of them who are still in the game since CardersPlanet and never been raided, this my friend are disciplined people.

  13. Stefan Savage

    Brian didn’t mention it but Severa was also behind the Storm botnet, back in the day.

  14. Huh?

    Brian,

    As you know many Russian cybercriminals end up getting caught and converted as agents to serve the Russian Government. Do you think Pyotr will be used by the Russian Government as a puppet for their own purposes? I am curious what you think about this sort of criminal mind and his value to them in the current climate.

  15. AlphaCentauri

    He is liable under US law for running a botnet that included US computers. That means he installed his malware on those computers and took control of them to send the spam. The federal law covering such activities is very broad. Any unauthorized use of any computer attached to the internet is covered, and the penalties are potentially severe.

    In addition, the Storm botnet was used as part of Ralsky’s pump and dump stock spam, violating laws covering securities. It also was using a fast flux botnet to actually host the websites the spam was advertising, so your grandma might end up hosting a site selling narcotics if she clicked on the wrong button on a website. (One site I recall was one of those “click here to feed a puppy in a shelter for a day,” as I recall.)

    Ralsky was one of the owners of Xin Net, the “Chinese” registrar registering all those spammed domain names, too, it turns out.
    http://ksforum.inboxrevenge.com/viewtopic.php?p=50629#p50629

    So lots of charges for the Justice Department to work with, lots of reasons for him to want to trade information for leniency.

  16. iceman

    To do this kind of things you must have education skills and knowledge. Im asking now what is wrong in our society that skilled educated people using skills and talent for this kind of crimes. ??? Can they not get better job ? if talent skills and knowledge dont matter then whats the point of education ?
    to they study only to do crimes with sklills they have ???

  17. James

    Peter Severa and Peter of the North

    …and of course, “sever” is the Russian for “north”…

  18. TM

    I suppose you’ve seen this:

    https://www.nytimes.com/2017/04/10/technology/us-arrest-russian-email-spam-peter-levashov.html

    “Officials said Mr. Levashov’s arrest and the takedown of his network ended a vast criminal enterprise. For more than a decade, Mr. Levashov used his online empire to enrich himself and help others drain bank accounts and commit stock fraud, officials said. He has flooded computers with millions of spam email messages advertising counterfeit pharmaceuticals and remedies for erectile dysfunction, using subject lines like “No amorous failure risk.”

    Despite Russian news media reports to the contrary, American officials said Mr. Levashov played no role in attempts by Russian government hackers to meddle in the 2016 presidential election and support the candidacy of Donald J. Trump.”

    Btw, if there were an election hacking connection, the DoJ surely wouldn’t have touched him.

  19. Sean McVeigh

    It’s also possible that his wife Maria was interviewed by someone and she in fact indicated that he was being arrested for helping to hack thee election.

  20. CT

    So why delete my comment, Brian? I’m certainly no troll. In fact, a huge fan. There was nothing trolly about my comment. Disappointed, because I raised an important point.

    1. BrianKrebs Post author

      I don’t censor comments, except for readers who accuse me of censorship. Your comment, which I just approved, was caught by auto-moderation system.

Comments are closed.