Russian Spammer Arrested for Operating Kelihos Botnet

Ray Walsh

Ray Walsh

April 11, 2017

A Russian hacker was arrested in Spain at the weekend at the request of US authorities. The high-level hacker was brought into custody by police in Barcelona. He was seized using a US computer crimes warrant, according to a spokeswoman for Spain’s National Court. According to Spanish police, the arrest was the culmination of a “complex inquiry carried out in collaboration with the FBI.”

Following the arrest, RT reported that the hacker may have been involved in hacking the US elections. However, the RT report was shot down on Monday by the US Department of Justice (DoJ). At that time, the DoJ came forward with a release that explained that the hacker was wanted for his involvement in running the Kelihos botnet, and not election hacking.

Dangerous Botnet

Kelihos is a worldwide botnet that encompasses around 100,000 infected machines. The dangerous botnet was used to steal passwords, login details, and bank details for six years, beginning in 2010. In addition, the Kelihos botnet was used to deliver huge amounts of spam and nefarious payloads – including ransomware – to extort money from people and firms around the world.

The Russian hacker is a 36-year-old computer programmer called Pyotr Yuryevich Levashov. He was arrested in Spain after US authorities ascertained that he was traveling to Barcelona with his family on holiday. According to the DoJ release, Levashov is strongly suspected of operating the massive botnet, because the IP address that it was being operated from was also used by the Russian to access his personal accounts, including an Apple iCloud account and a Google Gmail account in his name.

Initial Confusion

Confusion surrounding his arrest was exacerbated, it would appear, by Levashov’s wife. Maria Levashov told RT that armed police stormed into their apartment in Barcelona on Friday night. According to the woman, the police kept her and her friend locked in a room for two hours while they interviewed her husband.

Maria Levashov reportedly told RT that her husband had been arrested for his part in hacking the US elections. According to RT, she claimed that Spanish police had told her that her husband was arrested because of “a virus which appears to have been created by my husband and is linked to [Donald] Trump’s victory.” According to RT’s initial reports, she even directly mentioned the Democratic National Committee (DNC) hack.

However, the US DoJ has gone on the record to quash those rumors, saying that there is absolutely no connection between Levashov and US election hacking. Why Levashov’s wife told RT such a different story is anyone’s guess. At this stage, however, it seems likely that it was simply a tongue-in-cheek deception designed to send RT on a wild goose chase (as opposed to the hacker’s wife letting a huge secret out of the bag).

Deep Threat

Acting Assistant Attorney General Blanco has gone on the record with a statement about the suspected Kelihos botnet operator:

“The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives.

“Our success in disrupting the Kelihos botnet was the result of strong cooperation between private industry experts and law enforcement, and the use of innovative legal and technical tactics.”

Coordinated Investigation

The investigation that led to Levashov’s arrest was a coordinated endeavor between US authorities and renowned cybersecurity firms. The Federal Bureau of Investigation (FBI) worked alongside security firm CrowdStrike and the Shadowserver Foundation (an organization made up of volunteer cybersecurity experts), in order to home in on the Russian hacker.

Once on Levashov’s trail, the FBI used Rule 41 of the Federal Rules of Criminal Procedure to get a warrant that permitted it to redirect traffic from the Kelihos botnet to FBI-run servers. That procedure is called a “sinkhole attack,” because it “sinkholes” machines that were part of the botnet, stopping the slave computers from being controlled by the botnet any longer.

AKA Peter Suvera

Levashov is also believed to be the Russian spammer Peter Suvera, who is known as one of the world’s worst spammers. This is how the spammer monitoring website Spamhaus (which considers Suvera to be the world’s seventh worst spammer) describes him:

“A spammer who writes and sells virus-spamming spamware and botnet access. Is probably involved in the writing and releasing of viruses & trojans. One of the longest operating criminal spam-lords on the internet. Works with many other Easter [sic] Euro and US based botnet spammers. Was a partner of American spammer Alan Ralsky.”

In addition, KrebsOnSecurity has claimed that Levashov is responsible for “running multiple criminal operations that paid virus writers and spammers to install ‘fake antivirus’ software under the alias Severa.” Brian Krebs says the following about Severa:

“There is ample evidence that Severa is the cybercriminal behind the Waledac spam botnet, a spam engine that for several years infected between 70,000 and 90,000 computers and was capable of sending approximately 1.5 billion spam messages a day.”

The US DoJ has begun closing down command and control (C&C) servers and malicious domains associated with the Kelihos botnet. In addition, it is seeking to have Levashov extradited to the US to face charges for his involvement in operating the spam and botnet operations.

Title image credit: Alexander Geiger/

Image credit: BeeBright/

Image credit: dimbar76/

Image credit: Artist_R/

Exclusive Offer
Get NordVPN for only
Get NordVPN for only