Case 3:17-cr-00083-RNC Document 6 Filed 04/20/17 Page 1 of 13

UNITED STATES DISTRICT COURT
DISTRICT OF CONNECTICUT

Grand Jury B-16-1

Criminal

UNITED STATES OF AMERICA

PETER YURYEVICH LEVASHOV, a/k/a "Petr Levashov," a/k/a "Peter Severa," a/k/a "Petr Severa," a/k/a "Sergey Astakhov"

VIOLATIONS:
18 U.S.C. §§ 1030(a)(5)(A) and (c)(4)(B)
18 U.S.C. § 371
18 U.S.C. §§ 1030(a)(4) and (c)(3)(A)
18 U.S.C. § 1343
18 U.S.C. §§ 1030(a)(7)(C) and (c)(3)(A)
18 U.S.C. §§ 1037(a)(2) and (b)(1)
18 U.S.C. §§ 1037(a)(3) and (b)(1)
18 U.S.C. § 1028A
18 U.S.C. § 2
18 U.S.C. § 1030(i)
18 U.S.C. § 981(a)(1)
28 U.S.C. § 2461(c)
18 U.S.C. § 1037(c)
21 U.S.C. § 853

INDICTMENT

The Grand Jury charges:

General Allegations

At all times relevant to this Indictment, unless otherwise alleged:

1. Defendant PETER YURYEVICH LEVASHOV, a/k/a "Petr Levashov," "Peter Severa," "Petr Severa," and "Sergey Astakhov" ("LEVASHOV"), is a citizen of Russia and last resided in St. Petersburg, Russia.

2. LEVASHOV uses the alias "Peter Severa" in various online forums and in communications. LEVASHOV also uses online identifiers, ICQ number 104967, jabber@honese.com and peter@severa.biz, to chat or communicate with others online.

3. Malicious software ("malware") is a software program designed to disrupt computer operations, gather sensitive information, gain access to a computer, or do other unwanted actions on a computer.

4. A "botnet" is a network of computers infected with malicious software that allows a third party to control the entire computer network without the knowledge or consent of the computer owners. Each of the infected computers is referred to as a "bot." A botnet can be used by spammers to send spam through the network of infected bot computers, using each of the infected computers to transmit the spam email, in order to hide the true origin of the spam, obscure the identity of the spammer, and evade anti-spam filters and other blocking techniques.

5. A Virtual Private Network ("VPN") is a technology that creates a secure network connection over a public network such as the Internet or private network owned by an Internet Service Provider. The user of a VPN can conceal his true Internet Protocol ("IP") address from those with whom he is communicating.

6. A "Trojan" is a type of malware that masquerades as a routine download request or other innocuous file that encourages the victim to open it and thereby unknowingly install malware onto the victim computer, thereby creating an unauthorized access point to the victim computer.

7. "Ransomware" is a type of malware that encrypts an infected computer's files and demands payment to unlock the computer.

8. "Spam" messages are unsolicited bulk commercial email messages.

The Kelihos Botnet

9. The Kelihos botnet is controlled by LEVASHOV through command and control servers, which enable LEVASHOV to issue commands to any and all bots in the Kelihos botnet.

10. LEVASHOV controlled and operated the Kelihos botnet to, among other things, (1) harvest personal information and means of identification (including email addresses, usernames and logins, and passwords) from infected computers; (2) disseminate spam; and (3) distribute malware, including Trojans and ransomware.

11. The computers infected as part of any and all criminal activity associated with the Kelihos botnet were used in and affecting interstate and foreign commerce and communication.

COUNT ONE
Intentional Damage to a Protected Computer

12. Paragraphs 1-11 are incorporated by reference.

13. From on or about February 22, 2016 until approximately April 7, 2017, the exact dates being unknown to the Grand Jury, in the District of Connecticut and elsewhere, the defendant PETER YURYEVICH LEVASHOV knowingly caused the transmission of a program, code and command, to wit, the Kelihos botnet, and as a result of such conduct, intentionally caused damage without authorization to a protected computer, and the offense caused (i) loss to one or more persons during any one-year period from LEVASHOV's course of conduct affecting protected computers aggregating to at least $5,000 in value; and (ii) damage affecting ten or more protected computers during any one-year period.

All in violation of Title 18, United States Code, Sections 1030(a)(5)(A), (c)(4)(B) and 2.

COUNT TWO
Conspiracy

14. Paragraphs 1-11 and 13 are incorporated by reference.

15. From on or about February 22, 2016 until approximately April 7, 2017, the exact dates being unknown to the Grand Jury, in the District of Connecticut and elsewhere, the defendant PETER YURYEVICH LEVASHOV did unlawfully, knowingly and intentionally conspire, combine, confederate and agree with others unknown to the Grand Jury to commit offenses against the United States in connection with the operation and monetization of the Kelihos botnet, that is:

(a) to knowingly cause the transmission of a program, information, code and command, and as a result of such conduct, intentionally cause damage and attempted to cause damage without authorization to a protected computer, in violation of Title 18, United States Code, Section 1030(a)(5)(A);

(b) knowingly and with intent to defraud access protected computers without authorization and by means of such conduct further the intended fraud and obtain something of value, in violation of Title 18, United States Code, Section 1030(a)(4); and

(c) to transmit, with intent to extort from persons money and other things of value, in interstate and foreign commerce a communication containing a demand and request for money and other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion, in violation of Title 18, United States Code, Section 1030(a)(7).

Purpose and Object of the Conspiracy

16. A purpose of the conspiracy was for LEVASHOV and his co-conspirators to operate, perpetuate, control and profit from the Kelihos botnet and to conceal the conspiracy from others.

Manner and Means of the Conspiracy

17. It was part of the conspiracy that LEVASHOV and his co-conspirators did not seek, nor were they given, permission to install the Kelihos botnet on victims' computers and to use the victims' computers as part of the Kelihos botnet.

18. It was further part of the conspiracy that LEVASHOV operated the Kelihos botnet and advertised spam and other malware dissemination services via the botnet to others for purchase.

19. It was further part of the conspiracy that the Kelihos botnet obtained and verified, and attempted to obtain and verify, credentials, including email addresses, usernames and logins, and passwords, and other means of identification from infected computers.

20. It was further part of the conspiracy that LEVASHOV and his co-conspirators caused malware and spam to be transmitted over the internet such that they were transmitted in interstate and foreign commerce.

21. It was further part of the conspiracy that LEVASHOV monitored the stability and efficacy of the Kelihos botnet through an on-line dashboard.

22. It was further part of the conspiracy that LEVASHOV and his co-conspirators concealed their true identities and criminal activity through, among other things, using VPNs and proxies, online aliases and encrypted forms of communication.

23. It was further part of the conspiracy that in offering and performing spam and malware distribution services via the Kelihos botnet, LEVASHOV enriched himself.

Overt Acts

24. In furtherance of the conspiracy and to effect the objects of the conspiracy, LEVASHOV and his co-conspirators committed and caused to be committed the following overt acts, among others, in the District of Connecticut and elsewhere:

a. On or about February 20, 2016, LEVASHOV monitored the Kelihos botnet via a file called stats.html (the "Dashboard").

b. On or about March 2, 2016, LEVASHOV sent an email from peter@severa.biz to a customer stating that "mailing costs 500 usd per 1 mil emails, 750 usd per 2 mil, 1k per 3 mil."

c. From on or about May 5, 2016 to on or about May 9, 2016, LEVASHOV accessed a WebMoney identifier ending in 4986 from a computer with the Internet Protocol address 91.122.62.16.

d. On or about September 22, 2016, LEVASHOV disseminated the JokeFromMars ransomware via the Kelihos botnet.

e. From on or about October 1, 2016 until at least December 8, 2016, LEVASHOV accessed a computer server with an Internet Protocol address of 85.17.31.90.

f. On or about December 15, 2016, Kelihos harvested credentials from a File Transfer Protocol client from a computer in Connecticut.

g. On or about March 21, 2017, LEVASHOV instructed a customer for a spam campaign to pay him by bitcoin and stated that he charged $300 per 1 million emails but more for phishing and scams.

All in violation of Title 18, United States Code, Section 371.

COUNT THREE
Accessing Protected Computers in Furtherance of Fraud

25. Paragraphs 1-11 and 15-24 are incorporated by reference.

26. From on or about February 22, 2016 until approximately April 7, 2017, the exact dates being unknown to the Grand Jury, in the District of Connecticut and elsewhere, the defendant PETER YURYEVICH LEVASHOV knowingly and with intent to defraud, accessed protected computers without authorization and by means of such conduct furthered the intended fraud and obtained something of value, to wit, thousands of credentials, including email addresses, usernames and logins, and passwords, and the object of the fraud was the use of computers and the value of such use exceeded $5,000 in any one year.

All in violation of Title 18, United States Code, Sections 1030(a)(4), (c)(3)(A) and 2.

COUNT FOUR
Wire Fraud

27. Paragraphs 1-11 and 15-24 are incorporated by reference.

28. From on or about February 22, 2016 until approximately April 7, 2017, the exact dates being unknown to the Grand Jury, in the District of Connecticut and elsewhere, the defendant PETER YURYEVICH LEVASHOV willfully, knowingly and with intent to defraud, devised and intended to devise a scheme and artifice to defraud and to obtain money and property by means of materially false and fraudulent pretenses, representations and promises, and did transmit and caused to be transmitted by means of wire communications in interstate and foreign commerce writings for the purpose of executing such scheme.

29. On or about March 22, 2017, for the purpose of executing and attempting to execute the above-described scheme and artifice to defraud, LEVASHOV caused a wire to be sent via a chat platform from outside of Connecticut to an individual in Connecticut, whose identity is known to the Grand Jury, concerning pump and dump spam.

All in violation of Title 18, United States Code, Sections 1343 and 2.

COUNT FIVE
Threatening to Damage a Protected Computer

30. Paragraphs 1-11 and 15-24 are incorporated by reference.

31. On or about September 22, 2016, in the District of Connecticut and elsewhere, the defendant PETER YURYEVICH LEVASHOV, with intent to extort from persons money and other things of value, transmitted in interstate and foreign commerce a communication containing a demand and request for money and other things of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion.

All in violation of Title 18, United States Code, Sections 1030(a)(7)(C), (c)(3)(A) and 2.

COUNT SIX
Fraud in Connection with Email

32. Paragraphs 1-11 and 15-24 are incorporated by reference.

33. From on or about February 22, 2016 until approximately April 7, 2017, the exact dates being unknown to the Grand Jury, in the District of Connecticut and elsewhere, the defendant PETER YURYEVICH LEVASHOV knowingly did use a protected computer to relay and retransmit multiple commercial email messages, in and affecting interstate and foreign commerce, with the intent to deceive and mislead recipients and an Internet access service as to the origin of such messages, to wit, LEVASHOV transmitted spam messages in furtherance of a felony under the laws of the United States, to wit, 18 U.S.C. §§ 2, 371, 1030, 1028A and 1343, and the volume of email messages transmitted in furtherance of the offense exceeded 2,500 during any 24-hour period, 25,000 during any 30-day period, and 250,000 during any one-year period.

All in violation of Title 18, United States Code, Sections 1037(a)(2), (b)(1) and 2.

COUNT SEVEN
Fraud in Connection with Email

34. Paragraphs 1-11 and 15-24 are incorporated by reference.

35. From on or about February 22, 2016 until approximately April 7, 2017, the exact dates being unknown to the Grand Jury, in the District of Connecticut and elsewhere, the defendant PETER YURYEVICH LEVASHOV knowingly did, in and affecting interstate and foreign commerce, materially falsify and cause others to materially falsify header information in multiple commercial email messages and intentionally initiate the transmission of such messages, to wit, LEVASHOV transmitted spam messages in furtherance of a felony under the laws of the United States, to wit, 18 U.S.C. §§ 2, 371, 1030, 1028A and 1343, and the volume of email messages transmitted in furtherance of the offense exceeded 2,500 during any 24-hour period, 25,000 during any 30-day period, and 250,000 during any one-year period.

All in violation of Title 18, United States Code, Sections 1037(a)(3), (b)(1) and 2.

COUNT EIGHT
Aggravated Identity Theft

36. Paragraphs 1-11 and 15-24 are incorporated by reference.

37. On or about May 15, 2016, in the District of Connecticut and elsewhere, the defendant PETER YURYEVICH LEVASHOV knowingly transferred, possessed and used, without lawful authority, a means of identification of another person, to wit, the email address, username and password of Victim S.B., whose identity is known to the Grand Jury, during and in relation to a felony violation enumerated in 18 U.S.C. § 1028A, to wit, the violation of 18 U.S.C. § 1030(a)(5)(A) charged in Count One, the violation of 18 U.S.C. § 1030(a)(4) charged in Count Three, the violation of 18 U.S.C. § 1343 charged in Count Four, the violation of 18 U.S.C. § 1030(a)(7)(C) charged in Count Five, the violation of 18 U.S.C. § 1037(a)(2) charged in Count Six, and the violation of 18 U.S.C. § 1037(a)(3) charged in Count Seven, knowing that the means of identification belonged to another actual person.

All in violation of Title 18, United States Code, Sections 1028A and 2.

FORFEITURE ALLEGATIONS

38. Paragraphs 1-11 and 15-24 are incorporated by reference.

FORFEITURE ALLEGATION
Computer Fraud

39. Upon conviction of one or more of the computer fraud offenses alleged in Counts One, Two, Three and Five of this Indictment, the defendant PETER YURYEVICH LEVASHOV shall forfeit to the United States, pursuant to 18 U.S.C. § 1030(i), all right, title and interest in any property, real or personal, constituting or derived from proceeds obtained directly or indirectly as a result of the violation(s) of 18 U.S.C. §§ 371 and 1030, and any personal property used or intended to be used in any manner or part to commit or to facilitate the commission of the said violation(s), including but not limited to: (a) any computer hardware, servers, proxies, network equipment and electronic devices used or intended to be used to commit or to facilitate the commission of such offense(s); and (b) a sum of money equal to the total amount of any property, real or personal, which constitutes or is derived from proceeds traceable to violation(s) of, or obtained as a result of, 18 U.S.C. §§ 371 and 1030.

40. If any of the above-described forfeitable property, as a result of any act or omission of the defendant, cannot be located upon the exercise of due diligence, has been transferred, sold to, or deposited with a third party, has been placed beyond the jurisdiction of the court, has been substantially diminished in value, or has been commingled with other property which cannot be divided without difficulty, it is the intent of the United States, pursuant to 21 U.S.C. § 853(p), to seek forfeiture of any other property of said defendant up to the value of the forfeitable property described above.

All in accordance with 18 U.S.C. § 1030(i) and 21 U.S.C. § 853, and Rule 32.2(a), Federal Rules of Criminal Procedure.

FORFEITURE ALLEGATION
Wire Fraud

41. Upon conviction of the wire fraud offense alleged in Count Four of this Indictment, the defendant PETER YURYEVICH LEVASHOV shall forfeit to the United States of America, pursuant to 18 U.S.C. § 982(a)(1)(C) and 28 U.S.C. § 2461(c), all right, title and interest in any and all property, real or personal, which constitutes or is derived from proceeds traceable to the violation of 18 U.S.C. § 1343, and all property traceable to such property, including a sum of money equal to the total amount of any property, real or personal, which constitutes or is derived from proceeds traceable to the violation of 18 U.S.C. § 1343 or obtained as a result of such offense.

42. If any of the above-described forfeitable property, as a result of any act or omission of the defendant, cannot be located upon the exercise of due diligence, has been transferred, sold to, or deposited with a third party, has been placed beyond the jurisdiction of the court, has been substantially diminished in value, or has been commingled with other property which cannot be divided without difficulty, it is the intent of the United States, pursuant to 21 U.S.C. § 853(p), as incorporated by 28 U.S.C. § 2461(c), to seek forfeiture of any other property of the defendant up to the value of the forfeitable property described above.

All in accordance with 18 U.S.C. § 981(a)(1), as incorporated by 28 U.S.C. § 2461(c), and Rule 32.2(a), Federal Rules of Criminal Procedure.

FORFEITURE ALLEGATION
Email Fraud

43. Upon conviction of one or more of the email fraud offenses alleged in Counts Six and Seven of this Indictment, the defendant PETER YURYEVICH LEVASHOV shall forfeit to the United States, pursuant to 18 U.S.C. § 1037(c), all right, title and interest in any property, real or personal, constituting or derived from proceeds obtained directly or indirectly as a result of the violation(s) of 18 U.S.C. § 1037; any equipment, software or other technology used or intended to be used to commit or to facilitate the commission of the said violation(s); a sum of money equal to the total amount of any property, real or personal, which constitutes or is derived from proceeds traceable to violations of or obtained as a result of the offense, 18 U.S.C. § 1037.

44. If any of the above-described forfeitable property, as a result of any act or omission of the defendant, cannot be located upon the exercise of due diligence, has been transferred, sold to, or deposited with a third party, has been placed beyond the jurisdiction of the court, has been substantially diminished in value, or has been commingled with other property which cannot be divided without difficulty, it is the intent of the United States, pursuant to 21 U.S.C. § 853(p), to seek forfeiture of any other property of said defendant up to the value of the forfeitable property described above.

All in accordance with 18 U.S.C. § 1037(c) and 21 U.S.C. § 853, and Rule 32.2(a), Federal Rules of Criminal Procedure.

A TRUE BILL

FOREPERSON

UNITED STATES OF AMERICA

DEIRDRE M. DALY
UNITED STATES ATTORNEY

VANESSA RICHARDS
ASSISTANT UNITED STATES ATTORNEY

DAVID T. HUAN
ASSISTANT UNITED STATES ATTORNEY