US Dismantles Kelihos Botnet After ‘Spam Kingpin’ Arrest

Russian Pyotr Levashov, suspected of being one of the Internet’s biggest spam and malware operators, is arrested in Spain

US law enforcement authorities said they were beginning to dismantle the Kelihos spam and malware distribution botnet following the arrest of its alleged operator in Spain on Friday.

Pyotr Levashov, 36, was arrested in Barcelona while on holiday with his wife, son and a friend, according to Russian media reports.


Spam kingpin

Levashov is suspected of being one of the longest-operating spam operators on the Internet, running the Kelihos botnet since 2010. Anti-spam organisation Spamhaus currently lists him as no. 7 on its list of top spammers.

In 2012 computer security firms collaborated to seize control of more than 110,000 infected systems powering Kelihos, but a new version of the Kelihos worm began reconstructing the botnet within hours.

Kelihos is known for distributing large volumes of junk emails advertising counterfeit drugs and other scams.

Levashov, also known as “Peter Severa”, is also suspected of using it to install “scareware” that prompts users to pay for antivirus products they don’t need, as well as malware that steals login details from users’ systems and intercepts real-time communications.

Russian and Spanish authorities confirmed he was arrested under a US international arrest warrant. The case is being handled by the US Justice Department’s criminal division, which said the details were under seal.

Contrary to initial reports there appears to be no connection between the case and alleged interference in last year’s US presidential elections by Russian state-backed hackers.


Botnet suspect

In 2009 Levashov was charged in the US with operating the Storm botnet, a predecessor to Kelihos. He is suspected of having been the partner of Alan Ralsky, a convicted US spammer who specialised in stock manipulation schemes.

Levashov may also be linked to the Waledac spam botnet, a system similar to Kelihos that was successfully taken down by Microsoft in 2010, security experts said.

According to investigative journalist Brian Krebs, records stolen from a spam affiliate programme showed Levashov made more than $500,000 (£400,000) over a three-year period from sending junk emails advertising counterfeit pharmaceuticals.

In 2012 Microsoft named a man called Andrei Sabelnikov as the developer of Kelihos, but security researchers said at the time that Sabelnikov was likely to have been only a collaborator on the scheme, with Levashov being the true coordinator of both Kelihos and Waledac.

Levashov’s wife told Russian media outlets he worked with start-ups and developed smartphone applications in Russia, as well as running an event management agency. She said the arrest occurred at night after a large number of police officers smashed in the door of the couple’s rented apartment.

Spanish authorities are transferring Levashov to Madrid and his case is to be heard by Spain’s National Court, according to reports.

The US has 40 days from the date of the arrest to present a legal case for extradition.


Controversial ‘international hacking’ warrant

The US Justice Department told the Associated Press it was working to disrupt the current version of Kelihos using a warrant issued under the controversial Rule 41.

The rule, an amendment to the Federal Rules of Criminal Procedure that came into effect in December last year, allows a judge to authorise US agents, under certain circumstances, to remotely access and search computer systems located outside the district in which the warrant was issued, including systems outside the US. Warrants can be issued under the rule if the location of the system involved has been concealed through technological means, or if the systems have been damaged without authorisation (for example, infected with botnet malware) and are located in five or more judicial districts.

Civil liberties groups say the rule could allow US agents to hack computers anywhere in the world and obtain data from those systems.

But investigators said the Kelihos takedown is similar to previous botnet disruption operations and doesn’t involve obtaining information from remote systems. The warrant was obtained as a precaution, they said.
