Posts Tagged: Sergey Vladomirovich Sergeev

Feb 18

Alleged Spam Kingpin ‘Severa’ Extradited to US

Peter Yuryevich Levashov, a 37-year-old Russian computer programmer thought to be one of the world’s most notorious spam kingpins, has been extradited to the United States to face federal hacking and spamming charges.

Levashov, in an undated photo.

Levashov, who allegedly went by the hacker names “Peter Severa,” and “Peter of the North,” hails from St. Petersburg in northern Russia, but he was arrested last year while in Barcelona, Spain with his family.

Authorities have long suspected he is the cybercriminal behind the once powerful spam botnet known as Waledac (a.k.a. “Kelihos”), a now-defunct malware strain responsible for sending more than 1.5 billion spam, phishing and malware attacks each day.

According to a statement released by the U.S. Justice Department, Levashov was arraigned last Friday in a federal court in New Haven, Ct. Levashov’s New York attorney Igor Litvak said he is eager to review the evidence against Mr. Levashov, and that while the indictment against his client is available, the complaint in the case remains sealed.

“We haven’t received any discovery, we have no idea what the government is relying on to bring these allegations,” Litvak said. “Mr. Levashov maintains his innocence and is looking forward to resolving this case, clearing his name, and returning home to his wife and 5-year-old son in Spain.”

In 2010, Microsoft — in tandem with a number of security researchers — launched a combined technical and legal sneak attack on the Waledac botnet, successfully dismantling it. The company would later do the same to the Kelihos botnet, a global spam machine which shared a great deal of computer code with Waledac.

Severa routinely rented out segments of his Waledac botnet to anyone seeking a vehicle for sending spam. For $200, vetted users could hire his botnet to blast one million pieces of spam. Junk email campaigns touting employment or “money mule” scams cost $300 per million, and phishing emails could be blasted out through Severa’s botnet for the bargain price of $500 per million.

Waledac first surfaced in April 2008, but many experts believe the spam-spewing machine was merely an update to the Storm worm, the engine behind another massive spam botnet that first surfaced in 2007. Both Waledac and Storm were major distributors of pharmaceutical and malware spam.

According to Microsoft, in one month alone approximately 651 million spam emails attributable to Waledac/Kelihos were directed to Hotmail accounts, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks, and more. The Storm worm botnet also sent billions of messages daily and infected an estimated one million computers worldwide.

Both Waledac/Kelihos and Storm were hugely innovative because they each included self-defense mechanisms designed specifically to stymie security researchers who might try to dismantle the crime machines.

Waledac and Storm sent updates and other instructions via a peer-to-peer communications system not unlike popular music and file-sharing services. Thus, even if security researchers or law-enforcement officials manage to seize the botnet’s back-end control servers and clean up huge numbers of infected PCs, the botnets could respawn themselves by relaying software updates from one infected PC to another.


According to a lengthy April 2017 story in about Levashov’s arrest and the takedown of Waledac, Levashov got caught because he violated a basic security no-no: He used the same log-in credentials to both run his criminal enterprise and log into sites like iTunes.

After Levashov’s arrest, numerous media outlets quoted his wife saying he was being rounded up as part of a dragnet targeting Russian hackers thought to be involved in alleged interference in the 2016 U.S. election. Russian news media outlets made much hay over this claim. In contesting his extradition to the United States, Levashov even reportedly told the RIA Russian news agency that he worked for Russian President Vladimir Putin‘s United Russia party, and that he would die within a year of being extradited to the United States.

“If I go to the U.S., I will die in a year,” Levashov is quoted as saying. “They want to get information of a military nature and about the United Russia party. I will be tortured, within a year I will be killed, or I will kill myself.”

But there is so far zero evidence that anyone has accused Levashov of being involved in election meddling. However, the Waledac/Kelihos botnet does have a historic association with election meddling: It was used during the Russian election in 2012 to send political messages to email accounts on computers with Russian Internet addresses. Those emails linked to fake news stories saying that Mikhail D. Prokhorov, a businessman who was running for president against Putin, had come out as gay. Continue reading →

Jun 11

Rustock Botnet Suspect Sought Job at Google

Microsoft has fingered  a possible author of the late Rustock spam botnet – a self-described software engineer and mathematician who aspired to one day be hired by Google. Microsoft has apparently allocated significant resources to finding the author, but has not been able to locate him.

Rustock remains dead, but Microsoft is still on the hunt for the Rustock author. In its Second Status Report (PDF) filed last week with a district court in Seattle, Microsoft said it inquired with virtual currency provider Webmoney about the owner of an account used to rent Rustock control servers,  and confirmed that the account was affiliated with a man named Vladimir Alexandrovich Shergin. Microsoft also mentioned another suspect, “Cosma2k,” possibly named Dmitri A. Sergeev, Artem Sergeev, or Sergey Vladomirovich Sergeev. Microsoft said it is continuing its investigation of these names, to determine whether additional contact information can be identified and to which notice and service can be effected.

To help in the hunt, I hereby offer some details about him.

Microsoft helped to dismantle Rustock in March after a coordinated and well-timed “stun” targeting the spam botnet’s infrastructure, which was mainly comprised of servers based in U.S. hosting facilities. Two weeks after that takedown, I tracked down a Web hosting reseller in Eastern Europe who acknowledged renting some of those servers to the apparent Rustock author. That reseller shared the Webmoney account number used to purchase access to the servers, and Russian investigators I spoke with confirmed that the account had been registered by a Russian named Vladimir Shergin. By consulting a leaked database I obtained last year of the top earners for — at the time the world’s largest rogue online pharmacy network — I discovered that the same Webmoney account was shared by three of the top ten Spamit affiliates.

The information from the reseller and from the Spamit database traced back to a Spamit affiliate who used the pseudonym “Cosma2k.” The email address tied to that Cosma2K account was “”. When I came into possession of the data back in August 2010, the site was still responding to requests, and the homepage presented some very interesting information. It included a job résumé, underneath a picture of a young man holding a mug. Above the image was the name “Sergeev, Dmitri A.” At the very top of the page was a simple message: “I want to work in Google.” Beneath the résumé is the author’s email address, followed by the message, “Waiting for your job”!

Here is the complete page and résumé, in case anyone wants a closer look at this Belorussian-educated job seeker. I shared the information with Google in August 2010, to find out if they’d received a job application from this person, or if they’d considered flying him to Mountain View, Calif. for an interview. I still don’t have an answer to either question. I shared this same information with Microsoft in March.

Microsoft seems determined to bring the Rustock malefactors to court. Maybe the mug shot in this résumé will help to identify at least one of them.