DOCUMENT: Internet, Crime

FBI Targets Young Russian Spam Kingpin

Moscow man, 23, suspected of controlling "botnet"

Russian Botnet King

NOVEMBER 30--An FBI investigation has identified the young Russian man behind the notorious “Mega-D” botnet, the malicious network of more than 500,000 infected computers that was capable of sending ten billion spam e-mails a day and, until late last year, reportedly accounted for nearly a third of the spam clogging the Internet, The Smoking Gun has learned.

An ongoing grand jury probe is targeting Oleg Nikolaenko, a 23-year-old Moscow resident, for allegedly violating the anti-spam law, as well as “abetting violations of the mail and wire fraud statutes,” according to an affidavit sworn last month by an FBI agent (an excerpt from that document can be found here).

Nikolaenko has not been previously tied to the creation or operation of "Mega-D" (nor, for that matter, has anyone else been publicly linked to the mysterious, and illegal, botnet).

Federal investigators believe that Nikolaenko’s “Mega-D” botnet sent billions of e-mails on behalf of scam artists peddling fake Rolexes, counterfeit prescription medications, purported erectile dysfunction drugs, and “herbal remedies” not approved by government regulators.

Two of these online hustlers--Jody Smith and Lance Atkinson--have provided investigators with details of their dealings with Nikolaenko, who has used the online moniker “Docent.” Smith pleaded guilty last August to a felony conspiracy count and was sentenced to a year and a day in prison (he is scheduled to be released from the Leavenworth penitentiary in late January). Atkinson, an Australian citizen, has told investigators that “his largest spamming affiliates were Russian.”

Using grand jury subpoenas, FBI agents have obtained financial records showing that, for example, Nikolaenko received $459,000 over one six-month period from Atkinson, whose online operation was known as “Affking.” According to the FBI affidavit, security researchers identified the “Mega-D” botnet as a prime source of “spam promoting Affking’s products.” One researcher quoted by the FBI determined that “'Mega-D' was likely the largest botnet in the world, accounting for 32% of all spam. Security researchers estimated that the botnet was capable of sending ten billion spam email messages a day.”

Along with examining Nikolaenko’s online financial transactions (via the ePassporte service), FBI agents have also used subpoenas and search warrants to obtain records associated with two Gmail accounts used by Nikolaenko. On November 8, Google provided the FBI with a disc containing the e-mails from one of these accounts.

Agents have also been monitoring Nikolaenko’s travel, the affidavit reveals. Subpoenaed travel records and immigration and State Department files show that he twice visited the U.S. last year. In July, he arrived in Los Angeles and stayed in the country for ten days. In late October, he arrived in New York and departed from Los Angeles 11 days later. During that second visit, Nikolaenko spent several days in Las Vegas, according to hotel records obtained by the FBI. While in L.A., he apparently stayed at The Tower hotel in Beverly Hills.

Nikolaenko could not be reached for comment.

According to the FBI affidavit, Nikolaenko’s botnet was crippled late last year by FireEye, a network security company that convinced U.S.-based Internet service providers to help shut down “Mega-D” command and control computers. FireEye was able to identify about 509,000 computers that had been infected with a virus that allowed them to “become bots seeking direction from the Mega-D command and control computers.” (5 pages)

Comments (1)

What's really BS about this is that Google etc. REFUSE to stop this traffic. It's real easy: just check headers for bogus or non-matching email addresses. All the scammers use them. I report thousands a year, none of these companies give a damn about criminal activity on their networks. Yahoo's systems know which ones are spam, but refuse to block it. Occasionally a small ISP will write back with a "thanks we've eliminated the script" but the rest could care less, prompting the question "why are they knowingly SPONSORING this illegal activity?" What are they hiding?
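The header check the commenter describes, written out as a small triage script. This is an added example, not code from the article, the commenter, or any of the providers named; it uses only the Python standard library, and the three sample messages are constructed here. The check compares the domain of the visible From: address against the envelope Return-Path: and any Reply-To:, and flags a From: that is not even shaped like an address. The regex is a deliberately loose heuristic, not RFC 5322 validation.

```python
"""Flag messages whose sender headers disagree (added example, not from the page).

Heuristic only: a From: / Return-Path: domain mismatch is common in spam but also
occurs legitimately (mailing lists, forwarders, bounce handling), so this is a
triage signal to combine with SPF/DKIM/DMARC results, not a standalone block rule.
"""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Loose "local@domain.tld" shape check. Assumption: good enough for triage.
_ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(raw_message):
    """Return a list of finding tags; an empty list means no mismatch was seen."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    # 1. From: must at least look like an address.
    if not _ADDR_RE.match(from_addr):
        findings.append("malformed-from")

    # 2. Envelope sender (Return-Path) domain should match the visible From: domain.
    if return_path and _domain(from_addr) != _domain(return_path):
        findings.append("from-return-path-domain-mismatch")

    # 3. A Reply-To: pointing at a third domain is another common spam trait.
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append("reply-to-domain-mismatch")

    return findings


# Constructed sample messages (not real mail).
LEGIT_MESSAGE = (
    "Return-Path: <alice@example.org>\r\n"
    "From: Alice <alice@example.org>\r\n"
    "Subject: lunch\r\n"
    "\r\n"
    "See you at noon.\r\n"
)

SPAMMY_MESSAGE = (
    "Return-Path: <bounce-1234@mail.example.net>\r\n"
    'From: "Watch Deals" <deals@example.com>\r\n'
    "Reply-To: orders@example.info\r\n"
    "Subject: replica watches\r\n"
    "\r\n"
    "Buy now.\r\n"
)

MALFORMED_MESSAGE = (
    "Return-Path: <noreply@example.net>\r\n"
    "From: Customer Service\r\n"
    "Subject: your account\r\n"
    "\r\n"
    "Click here.\r\n"
)


if __name__ == "__main__":
    for label, raw in [("legit", LEGIT_MESSAGE),
                       ("spammy", SPAMMY_MESSAGE),
                       ("malformed", MALFORMED_MESSAGE)]:
        print(f"{label:10s} -> {check_headers(raw) or ['clean']}")
```

In practice a provider cannot act on this comparison alone, because forwarders and list servers rewrite the envelope sender as a matter of course; it is useful as one feature feeding a scoring pipeline alongside authentication results.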