Accused Malware Kingpin Extradited

Estonian Accused in Fraud Effort Spanning 100 Nations
Nearly three years after his indictment, the alleged kingpin of an Estonian gang that infected 4 million PCs in more than 100 countries with malware, generating an estimated $14 million in fraudulent online advertising revenue, has been extradited to the United States.

Estonian citizen Vladimir Tsastsin, 34, was charged in a U.S. indictment with computer intrusion, wire fraud, conspiracy and money laundering, among other charges (see 6 Nabbed in Global Internet Scam). The maximum potential prison time associated with the charges filed against Tsastsin totals more than 200 years.

The indictment against Tsastsin and six other men was unsealed on Nov. 8, 2011, and he was arrested the same day by Estonian police, wrapping up a two-year FBI investigation dubbed Operation Ghost Click. But Tsastsin did not arrive in the United States to face the charges until Oct. 30, nearly three years after the indictment was unsealed.

"Now that Vladimir Tsastsin has been delivered to the Southern District of New York, he can answer for his alleged role in a scheme in which he and others manipulated Internet advertising techniques and reaped at least $14 million in ill-gotten gains in the process," says Manhattan U.S. Attorney Preet Bharara.

Not Guilty Plea

Appearing in a Manhattan federal courtroom Oct. 31, Tsastsin entered a not-guilty plea, ABC News reports.

The U.S. indictment charges the seven men with infecting millions of computers with DNSChanger malware that altered PCs' DNS settings and directed consumers to rogue DNS servers. These servers allegedly rerouted individuals when they clicked on legitimate search engine results to sites of the attackers' choosing. "For example, when the user of an infected computer clicked on the domain name link for the official website of Apple-iTunes, the user was instead taken to a website for a business unaffiliated with Apple Inc. that purported to sell Apple software," the indictment says. By posing as a legitimate advertising-referral firm and working with ad brokers, the attackers allegedly earned money for every "click" they forcibly referred to sites in an ad broker's network.

The attackers also used their malware to commit "advertising replacement fraud" by replacing advertisements on legitimate sites - including The Wall Street Journal - with advertisements that paid them a commission via their ad broker, the indictment says. It adds that the malware also blocked infected PCs' access to anti-virus sites, thus leaving them susceptible to additional malware infections.
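The two paragraphs above describe the mechanism: the malware rewrote each victim's resolver settings so every lookup went to servers the gang controlled, which is what let them swap search results and advertisements. The practical check for that infection is to compare the resolvers a host is actually configured to use against a list of known rogue ranges. The following Python is an added example, not code from the article, the indictment or the FBI: it parses resolvers from a Unix resolv.conf or from a Windows NameServer registry value and flags any that fall inside the supplied ranges. The resolv.conf text, the registry value and the rogue ranges are constructed for the example (RFC 5737 documentation addresses); in practice you would substitute the ranges the FBI published during Operation Ghost Click or your own threat-intelligence feed.

```python
"""Flag configured DNS resolvers that fall inside known rogue ranges.

Added example for the DNSChanger write-up. Sample inputs are constructed;
the addresses are RFC 5737 documentation space, not real rogue servers.
"""
import ipaddress
import re
from typing import Iterable, List

# Constructed Unix resolv.conf: one ordinary resolver and one that we will
# pretend sits in a rogue range.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 192.0.2.53
nameserver 198.51.100.7   # resolver silently rewritten by malware
options timeout:2
"""

# Constructed Windows value, as found under
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<guid>
# in the NameServer / DhcpNameServer entries (comma- or space-separated).
SAMPLE_WINDOWS_NAMESERVER = "198.51.100.7,192.0.2.53"

# Constructed rogue-resolver list. Replace with the published indicator
# ranges for the campaign you are hunting.
SAMPLE_ROGUE_NETS = ["198.51.100.0/24", "203.0.113.0/25"]


def parse_resolv_conf(text: str) -> List[ipaddress._BaseAddress]:
    """Return resolver IPs named by 'nameserver' lines, in file order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        m = re.match(r"nameserver\s+(\S+)$", line)
        if not m:
            continue
        try:
            servers.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue                                   # skip malformed entry
    return servers


def parse_windows_nameserver(value: str) -> List[ipaddress._BaseAddress]:
    """Return resolver IPs from a Windows NameServer-style registry value."""
    servers = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        try:
            servers.append(ipaddress.ip_address(token))
        except ValueError:
            continue
    return servers


def rogue_resolvers(servers: Iterable[ipaddress._BaseAddress],
                    rogue_nets: Iterable[str]) -> List[str]:
    """Return, as strings, the resolvers that sit inside any rogue range."""
    nets = [ipaddress.ip_network(n, strict=False) for n in rogue_nets]
    return [str(ip) for ip in servers if any(ip in net for net in nets)]


def check_unix(resolv_conf: str, rogue_nets: Iterable[str]) -> List[str]:
    """Convenience wrapper: rogue resolvers found in a resolv.conf text."""
    return rogue_resolvers(parse_resolv_conf(resolv_conf), rogue_nets)


def check_windows(value: str, rogue_nets: Iterable[str]) -> List[str]:
    """Convenience wrapper: rogue resolvers found in a NameServer value."""
    return rogue_resolvers(parse_windows_nameserver(value), rogue_nets)


if __name__ == "__main__":
    for label, hits in (("unix", check_unix(SAMPLE_RESOLV_CONF, SAMPLE_ROGUE_NETS)),
                        ("windows", check_windows(SAMPLE_WINDOWS_NAMESERVER,
                                                  SAMPLE_ROGUE_NETS))):
        if hits:
            print(f"{label}: resolvers in rogue ranges: {hits}")
        else:
            print(f"{label}: no configured resolver matched a rogue range")
```

A hit from either check means the machine's lookups are being answered by the attacker, so the fix is to repoint the resolver to a trusted one and only then begin cleanup; as the article notes, the malware also blocked access to anti-virus sites, so remediation tooling fetched through the rogue resolver cannot be trusted.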

Five of the other men charged in the U.S. indictment - Timur Gerassimenko, Dmitri Jegorov, Valeri Aleksejev, Konstantin Poltev and Anton Ivanov, all Estonian citizens - had already been extradited to the United States. On Feb. 1, 2013, Aleksejev pleaded guilty in U.S. federal court to conspiracy to commit unauthorized computer intrusion and to computer intrusion, and was sentenced to 48 months in prison. On Feb. 21, 2013, Ivanov pleaded guilty to all of the charges filed against him and was sentenced to the time he had already served.

Gerassimenko, Jegorov and Poltev are set to be tried alongside Tsastsin; all four are due back in Manhattan federal court Nov. 5.

U.S. authorities say a seventh man named in the indictment, Russian national Andrey Taame, remains at large.

Extradition Delay

What accounts for the nearly three-year gap between the U.S. indictment and Tsastsin's extradition? Legal experts say that a delay of that length is not unusual, given many countries' appeals processes, and that some extradition requests simply take longer than others.

But Tsastsin has also faced money-laundering charges in Estonia related to Operation Ghost Click. He was initially convicted on those charges, but that ruling was stayed on the grounds that he could not be punished twice for the same conduct, having been charged in both Estonia and the United States. In June 2014, however, Estonia's Court of Appeals upheld the initial ruling - noting that the United States had charged him with separate computer crimes - and sentenced him to more than six years in prison.

Tsastsin's five Estonian accomplices, meanwhile, have also been sentenced in Estonia to serve prison sentences of between one and six years. Related "criminal enterprises" used by the DNSChanger malware gang to launder funds - including Rove Digital, EstHost and EstDomain - were hit with fines of up to $126,000, reports Estonian media outlet Delfi.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
