January 24, 2023

Denis Emelyantsev, a 36-year-old Russian man accused of running a massive botnet called RSOCKS that stitched malware into millions of devices worldwide, pleaded guilty to two counts of computer crime violations in a California courtroom this week. The plea comes just months after Emelyantsev was extradited from Bulgaria, where he told investigators, “America is looking for me because I have enormous information and they need it.”

A copy of the passport for Denis Emelyantsev, a.k.a. Denis Kloster, as posted to his Vkontakte page in 2019.

First advertised in the cybercrime underground in 2014, RSOCKS was the web-based storefront for hacked computers that were sold as “proxies” to cybercriminals looking for ways to route their Web traffic through someone else’s device.

Customers could pay to rent access to a pool of proxies for a specified period, with costs ranging from $30 per day for access to 2,000 proxies, to $200 daily for up to 90,000 proxies.

Many of the infected systems were Internet of Things (IoT) devices, including industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers. Later in its existence, the RSOCKS botnet expanded into compromising Android devices and conventional computers.

In June 2022, authorities in the United States, Germany, the Netherlands and the United Kingdom announced a joint operation to dismantle the RSOCKS botnet. But that action did not name any defendants.

Inspired by that takedown, KrebsOnSecurity followed clues from the RSOCKS botnet master’s identity on the cybercrime forums to Emelyantsev’s personal blog, where he went by the name Denis Kloster. The blog featured musings on the challenges of running a company that sells “security and anonymity services to customers around the world,” and even included a group photo of RSOCKS employees.

“Thanks to you, we are now developing in the field of information security and anonymity!,” Kloster’s blog enthused. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”

But by the time that investigation was published, Emelyantsev had already been captured by Bulgarian authorities responding to an American arrest warrant. At his extradition hearing, Emelyantsev claimed he would prove his innocence in a U.S. courtroom.

“I have hired a lawyer there and I want you to send me as quickly as possible to clear these baseless charges,” Emelyantsev told the Bulgarian court. “I am not a criminal and I will prove it in an American court.”

RSOCKS, circa 2016. At that time, RSOCKS was advertising more than 80,000 proxies. Image: archive.org.

Emelyantsev was far more than just an administrator of a large botnet. Behind the facade of his Internet advertising company based in Omsk, Russia, the RSOCKS botmaster was a major player in the Russian email spam industry for more than a decade.

Some of the top Russian cybercrime forums have been hacked over the years, and leaked private messages from those forums show the RSOCKS administrator claimed ownership of the RUSdot spam forum. RUSdot is the successor forum to Spamdot, a far more secretive and restricted community where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the forum imploded in 2010.

A Google-translated version of the Rusdot spam forum.

Indeed, the very first mentions of RSOCKS on any Russian-language cybercrime forums refer to the service by its full name as the “RUSdot Socks Server.”

Email spam — and in particular malicious email sent via compromised computers — is still one of the biggest sources of malware infections that lead to data breaches and ransomware attacks. So it stands to reason that as administrator of Russia’s most well-known forum for spammers, Emelyantsev probably knows quite a bit about other top players in the botnet spam and malware community.

It remains unclear whether Emelyantsev made good on his promise to spill that knowledge to American investigators as part of his plea deal. The case is being prosecuted by the U.S. Attorney’s Office for the Southern District of California, which has not responded to a request for comment.

Emelyantsev pleaded guilty on Monday to two counts, including damage to protected computers and conspiracy to damage protected computers. He faces a maximum of 20 years in prison, and is currently scheduled to be sentenced on April 27, 2023.

15 thoughts on “Administrator of RSOCKS Proxy Botnet Pleads Guilty”

  1. Darryl

    The group photo is great. It’s eerily analogous to otherwise normal office life scam call offices seem to enjoy. They look like a legitimate startup. How many of them had a real understanding of what they were doing? Do their families know they dress up to go commit 9-5 international cyber crime?

    Looking forward to hearing his confident defense.

    1. kuba

      my guess – all of them. they are robin hoods. that’s the way russians think of scamming westerners…

  2. The Sunshine State

    This Russian low life says “I am not a criminal and I will prove it in an American court.”

    Notice if a person says “I” and “me” when being accused of a criminal act, this is a sign of narcissism

    1. Mike Jackson

      True this. Just ask Agent Orange (ex-President Trump)

    2. mealy

      “Notice if a person says “I” and “me” when being accused of a criminal act, this is a sign of narcissism”
      Uhhhh… making things up is also a sign of narcissism. Just sayin.

    3. SchittsCreek

      How else would you expect someone to respond without saying “I”? Talking about themselves in the third person would surely be more narcissistic?

      1. ArbeitMachtFleisch

        Who knows what he’s talking about? Many unofficial sources for improving composition cite excluding subject and object pronouns as a way to read more authoritative and professional. It is also widely assumed when a person repeats or repurposes a question before answering, they are being deceptive. My guess is he co-mingled and bastardized the aforementioned or has a concussion.

        The rest of the comments here aren’t much better and it’s sad to see people so dehumanized. Calling all Russians vile and whatever other derogatory terms is objectively wrong, distasteful, and utterly disgusting. I really hope you all reconsider whatever is causing such contempt for people and become willing to accept alternative solutions that don’t focus on excessive incarceration terms, but strike at the root and preventing them instead. No positive results are going to come from imposition of three-fold negativity to ANOTHER HUMAN. Thank you.

  3. Gunter Königsmann

    In Germany the BSI (the ministry for computer security) currently appends ads in bus stops that if you don’t know if your 9to5 job is about doing cybercrime you can contact them.

  4. Ukraine

    All Russians are vile scum people
    Just go to Phuket, or anywhere in Asia they still let the war mongering vermin in

    1. piero

      Already jumping straight into racism. I wonder what other countries waged illegal wars on countries that didn’t attack them and massacred civilians. I’ll give you a hint, starts with: U.S.

  5. Blanche DuBois

    Welcome to the USA!!!
    Your first time?
    We’ve been waiting so long for you.
    You have many interesting things to disgorge…er, …tell us.
    All in exchange for 3 hots and a cot, and full medical and dental care.
    Hot tip: Avoid “Big Fat Albert” in cell block H…
