Cybercrime , Fraud Management & Cybercrime

Russian Convicted of Aiding Kelihos Botnet Operator

Prosecutors: Crypting Provider Helped Infect 50,000 Computers
Russian Convicted of Aiding Kelihos Botnet Operator

A Russian national has been convicted of aiding a botnet scheme that infected victims' devices with malicious Kelihos malware and ransomware, according to the U.S. Justice Department.

See Also: Ransomware Demystified: What Security Analysts Need to Know

Oleg Koshkin, 41, operated the websites "," "" and others that offered crypting services, which were used to hide the Kelihos malware from anti-virus software, prosecutors say. Koshkin and co-defendant Pavel Tsurkan, had claimed that the malware could be used for crypting botnets, remote access Trojans, keyloggers, credential stealers and cryptocurrency miners, the Justice Department notes.

Koshkin was found guilty at trial Tuesday on one count of conspiracy to commit computer fraud and abuse and one count of aiding and abetting computer fraud and abuse. He was convicted of aiding Peter Levashov, the operator of the Kelihos botnet, in causing damage to 10 or more protected computers.

Koshkin was arrested in California in September 2019 and has been detained since then. His sentencing is slated for Sept. 20, when he faces a maximum penalty of up to 15 years in prison.

Co-defendant Tsurkan, arrested Sept. 6, 2019, in Estonia and extradited to the United States on March 4, 2021, is charged with conspiring to cause damage to 10 or more protected computers and aiding and abetting Levashov in causing damage to protected computers. Tsurkan, who was released on a $200,000 bond, is awaiting trial.

Levashov’s Kelihos botnet infected at least 50,000 computers, according to the FBI. It was able to crypt the Kelihos malware multiple times each day using Koshkin’s crypting services, prosecutors say.

Levashov was arrested by the Spanish National Police in April 2017 and extradited to the United States. In September 2018, he pleaded guilty to causing intentional damage to a protected computer, conspiracy, wire fraud and aggravated identity theft. Sentencing for Levashov is scheduled for July 20, when he faces between 121 and 151 months in prison and a fine of up to $350,000.

"Koshkin and his associates knowingly provided crypting services designed to help malicious software bypass anti-virus software," says David Sundberg, special agent in charge of the FBI's New Haven Division. "The criminal nature of the Crypt4U service was a clear threat to the confidentiality, integrity and availability of computer systems everywhere. We at the FBI will never stop pursuing those like Koshkin for perpetrating cybercrimes and threats to the public at large."

Botnet Scheme

Prosecutors say Koshkin's custom, high-volume crypting service helped Levashov to distribute Kelihos to affiliates.

The botnet was then used to send spam emails, harvest bank account credentials and conduct distributed denial-of-service attacks as well as distribute ransomware and other malicious software, prosecutors say.

In the 2017 indictment against Levashov, the prosecutors alleged that the Kelihos botnet distributed hundreds of millions of fraudulent emails per year, intercepted credentials to online and financial accounts belonging to thousands of Americans and spread ransomware throughout their networks (see: Russian Pleads Guilty to Operating Kelihos Botnet).

The Levashov indictment also alleged that he participated in and moderated online criminal forums on which stolen identities and credit cards, malware and other tools of cybercrime were traded and sold.

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.