Standards, Regulations & Compliance

US Prosecutors Indict Estonian for Selling Metasploit

Andrey Shevlyakov Has History of Flouting Export Controls
US Prosecutors Indict Estonian for Selling Metasploit
Commands in the Cortana scripting language used to automate the Metasploit Framework (Image: Christiaan Colen/CC BY-SA 2.0)

U.S. federal prosecutors say an Estonian man was prepared to violate U.S. export regulations by selling a license for penetration testing software to a Russian individual.

See Also: 5 Requirements for Modern DLP

Estonian authorities arrested the man, Andrey Shevlyakov, on March 28 at the behest of U.S. authorities seeking his extradition. Shevlyakov faces an indictment alleging 18 counts of criminal behavior including money laundering and violations of the U.S. statute that restricts trade on dual-use technologies.

Among the items prosecutors say Shevlyakov procured for Russian end users, including defense contractors, were electronic components used in avionics, missiles and electronic warfare systems.

In June 2020, he responded to an individual based in Russia who inquired through a front company for a license for Metasploit Pro, the penetration testing tool offered by Massachusetts firm Rapid7.

In a court filing arguing that Shevlyakov should be denied bail once extradited, federal prosecutors say the would-be customer detailed a history of failed attempts to acquire the software through third parties.

"Sales to Russia are virtually impossible," the inquirer wrote. "We cannot reveal the end user, nor can we identify ourselves." Prosecutors say Shevlyakov responded with an email listing prices for different versions of Metasploit Pro. Shevlyakov has been on a U.S. blacklist known as the Entity List since 2012. He is required to obtain a license to export anything from the United States. Prosecutors say he maintained an "intricate logistics operation" involving frequent courier trips into Russia to deliver goods.

The Department of Justice in March 2022 initiated Task Force KleptoCapture, dedicated to enforcing export restrictions, sanctions and economic countermeasures imposed by the United States following Moscow's attempt to conquer Ukraine.

Federal agencies recently warned U.S. companies to be vigilant against attempts to evade export controls through the use of third parties.

About the Author

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.