September 23, 2022

A 36-year-old Russian man recently identified by KrebsOnSecurity as the likely proprietor of the massive RSOCKS botnet has been arrested in Bulgaria at the request of U.S. authorities. At a court hearing in Bulgaria this month, the accused hacker requested and was granted extradition to the United States, reportedly telling the judge, “America is looking for me because I have enormous information and they need it.”

A copy of the passport for Denis Kloster, as posted to his Vkontakte page in 2019.

On June 22, KrebsOnSecurity published Meet the Administrators of the RSOCKS Proxy Botnet, which identified Denis Kloster, a.k.a. Denis Emelyantsev, as the apparent owner of RSOCKS, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer.

A native of Omsk, Russia, Kloster came into focus after KrebsOnSecurity followed clues from the RSOCKS botnet master’s identity on the cybercrime forums to Kloster’s personal blog, which featured musings on the challenges of running a company that sells “security and anonymity services to customers around the world.” Kloster’s blog even included a group photo of RSOCKS employees.

“Thanks to you, we are now developing in the field of information security and anonymity!,” Kloster’s blog enthused. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”

The Bulgarian news outlet 24Chasa.bg reports that Kloster was arrested in June at a co-working space in the southwestern ski resort town of Bansko, and that the accused asked to be handed over to the American authorities.

“I have hired a lawyer there and I want you to send me as quickly as possible to clear these baseless charges,” Kloster reportedly told the Bulgarian court this week. “I am not a criminal and I will prove it in an American court.”

Launched in 2013, RSOCKS was shut down in June 2022 as part of an international investigation into the cybercrime service. According to the Justice Department, the RSOCKS botnet initially targeted Internet of Things (IoT) devices, including industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers; later in its existence, the botnet expanded into compromising additional types of devices, including Android devices and conventional computers.

The Justice Department’s June 2022 statement about that takedown cited a search warrant from the U.S. Attorney’s Office for the Southern District of California, which also was named by Bulgarian news outlets this month as the source of Kloster’s arrest warrant.

When asked about the existence of an arrest warrant or criminal charges against Kloster, a spokesperson for the Southern District said, “no comment.”

Update, Sept. 24, 9:00 a.m. ET: Kloster was named in a 2019 indictment (PDF) unsealed Sept. 23 by the Southern District court.

The employees who kept things running for RSOCKS, circa 2016. Notice that nobody seems to be wearing shoes.

24Chasa said the defendant’s surname is Emelyantsev and that he only recently adopted the last name Kloster, which is his mother’s maiden name.

As KrebsOnSecurity reported in June, Kloster also appears to be a major player in the Russian email spam industry. In several private exchanges on cybercrime forums, the RSOCKS administrator claimed ownership of the RUSdot spam forum. RUSdot is the successor forum to Spamdot, a far more secretive and restricted forum where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the community’s implosion in 2010.

Email spam — and in particular malicious email sent via compromised computers — is still one of the biggest sources of malware infections that lead to data breaches and ransomware attacks. So it stands to reason that as administrator of Russia’s most well-known forum for spammers, the defendant in this case probably knows quite a bit about other top players in the botnet spam and malware community.

A Google-translated version of the Rusdot spam forum.

Despite maintaining his innocence, Kloster reportedly told the Bulgarian judge that he could be useful to American investigators.

“America is looking for me because I have enormous information and they need it,” Kloster told the court, according to 24Chasa. “That’s why they want me.”

The Bulgarian court agreed, and granted his extradition. Kloster’s fiancee also attended the extradition hearing, and reportedly wept in the hall outside the entire time.

Kloster turned 36 while awaiting his extradition hearing, and may soon be facing charges that carry punishments of up to 20 years in prison.


29 thoughts on “Accused Russian RSOCKS Botmaster Arrested, Requests Extradition to U.S.”

  1. Eric Andrew

    He just doesn’t want to be conscripted for the war in Ukraine. Pretty much why he wants to be extradited. Work a deal out and hopefully he doesn’t get sent back to Russia before the war is over.

    1. Steve

Conscription age range in Russia is 16 to 76. Yes, he would fit right in.

    1. Lindy

      No internet? …. for life?…. wow, that’s harsh.
      😉

    1. Larry Wannabe techguy

      I’ve noticed the same, so it would seem we who are on Brian’s mailing list get access before everyone else; good deal!

    2. Terry

Unfortunately the main page has a very aggressive caching system that won’t show the latest updates. They should disable the W3 Total Cache.

    3. BrianKrebs Post author

      Yes, thanks to the unending DDoS attacks against this site, sometimes the content gets cached longer than I’d like. But as you’ve noted, you stumbled upon a deep, dark secret: Subscribers to the newsletter generally get an early heads-up of any new stories.

      1. The wannabe techguy

        Makes me feel important! Thanks Brian!! I learn lots from you.

      2. Hyperbole:

        Brian, it seems like we can’t comment with the name of the political party that starts with an R, without getting auto-moderated. Why?

        1. BrianKrebs Post author

          Yes, you’re right, your off-topic, baiting comments about Nazis and politics don’t belong here.

  2. Rolf Mikkelson

    If Kloster has information he is willing to share, then I am betting that his former associates have already put a price on his head. That is probably why he wants to be extradited to the USA…

  3. Robert.Walter

    Also: “Don’t send me back to RUS, I don’t want to go in the army.”

  4. The Sunshine State

This guy’s statement “America is looking for me because I have enormous information and they need it” makes him look delusional.

    1. mealy

Possibly. It did achieve his objective for now. Whether he knows something he can trade for time off a given sentence remains to be seen.

  5. Alphred Jophrey

    Why is that? Are you privy to his personal contacts and correspondence? Without context, we could come up with some interesting assumptions about character deficiencies in your own right, respectfully.

  6. Prakash

This statement “America is looking for me because I have enormous information and they need it” is not really good.

    1. Anon

He signed his death sentence with that statement. If he gets deported to Russia, most likely he will be treated as a traitor and sent to jail or war.

      1. Brian Hirt

        He’s facing a death warrant anyways. Even the mid-range Moscow elites are sweating & throwing each other under the bus. If he gets sent to the front he’ll have officers at his back with orders to shoot deserters or anyone attempting surrender. Putin is desperately hoping to hold the line longer than western attention spans can hold out. He’s in a leverageable position and knows it. He flips 180 on Moscow he can give up some keys to the kingdom. He’ll have access, personnel, process & login knowledge the 17 eye IC group will find…very useful. Eventually so will INTERPOL. He’s got the currency to buy his freedom with the DoJ. The first one to tattle with the most valuable intel gets the deal, by long tradition.

        1. Who

          What? He ran a botnet. He’s got no “keys” to any “kingdom”.

          1. mealy

            You don’t know what he knows that they want to know.

  7. Jean

    Thank you for your work.

    Did you see a drop in spam volume in 2022 corresponding to this takedown? Is this McColo level of market concentration?

    Musing on socks…. It looks like a basement space. If they have to enter through a person’s home or living space wouldn’t they take off their shoes to do that? People determined to track the ick from their street shoes into homes seems to be an American thing. I have an uninformed and low-certainty belief that illegal or questionable businesses might locate in a nondescript place that does not look like a business.

    Or, they are a “family” in that they live (upstairs) from where they work due to security or housing or just being a community that works together, as much frat as company.

  8. Mahhn

    Jean, no shoes in the house is very common in Japanese and Chinese culture. Also every farm that I’ve been in the house is the same, so very common for homes. For a work place, I’ve not seen that.
