36-year-old Pyotr Levashov was charged on Friday in the US with one count of causing intentional damage to a protected computer, one count of conspiracy, one count of accessing protected computers in furtherance of fraud, one count of wire fraud, one count of threatening to damage a protected computer, two counts of fraud in connection with email and one count of aggravated identity theft.
Levashov stands accused of controlling and operating the Kelihos botnet to, among other things, harvest personal information and means of identification (including email addresses, usernames and logins, and passwords) from infected computers.
To further the scheme, Levashov allegedly disseminated spam and distributed other malware, such as banking Trojans and ransomware, and advertised the Kelihos botnet's spam and malware services to others for purchase in order to enrich himself.
According to the indictment, during any 24-hour period, the Kelihos botnet was used to generate and distribute more than 2,500 unsolicited spam e-mails that advertised various criminal schemes, including deceptively promoting stocks in order to fraudulently increase their price (so-called “pump-and-dump” stock fraud schemes).
Levashov, who went online under several nicknames – the most memorable of which was “Peter Severa” (i.e. Peter of the North) – was arrested in Barcelona on April 7, 2017, while on vacation with his family. He is a resident of St. Petersburg, Russia.
He has been detained since his arrest, and the US Justice Department is seeking his extradition.
On April 10, 2017, the US authorities announced that they had taken action to dismantle the Kelihos botnet by sinkholing three domains used to control it and redirecting the traffic from compromised computers to servers under their control.
Microsoft had previously attempted to take down the botnet, but it proved to be resilient (perhaps because they did not go after the right guy).
There seems to be plenty of evidence that points to Levashov also being the man behind the Waledac botnet, but the indictment makes no mention of any charges regarding its operation.