Oleg Koshkin, a Russian national, was convicted of operating a malware crypter service tied to the Kelihos botnet. The crypting service was used by other cybercriminals to obfuscate malware payloads and evade detection.
Koshkin was arrested in California in September 2019 and is facing 15 years in prison. As per the plea agreement, Koshkin will be sentenced on September 20, 2021.
His co-defendants, Pavel Tsurkan and Peter Levashov, were indicted, too, on various charges related to the Kelihos botnet.
Koshkin operated several websites, among them Crypt4U.com, Crypt4U.net, fud.bz, and fud.re, that promised to deliver fully undetectable malware. Among the clients were operators of botnets, remote-access trojans, keyloggers, credential stealers, and cryptocurrency miners from around the globe.
In addition, Koshkin and Peter Levashov worked to develop a system that would allow them to crypt malware multiple times daily:
“In particular, Koshkin worked with Peter Levashov, the operator of the Kelihos botnet, to develop a system that would allow Levashov to crypt the Kelihos malware multiple times each day,” the Department of Justice said.
“The defendant designed and operated a service that was an essential tool for some of the world’s most destructive cybercriminals, including ransomware attackers,” added Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division.
Koshkin provided Levashov with a custom crypting service that allowed him to distribute Kelihos through various criminal affiliates. Levashov used the Kelihos botnet to send spam, harvest accounts, distribute ransomware, conduct DDoS attacks, and more.
Levashov paid Koshkin around $3,000 per month for maintaining his system.
The Kelihos botnet, active since at least 2010, was a massive spam engine that was used by cybercriminals to send millions of spam messages each hour. Levashov was charged with operating the botnet and renting the botnet’s spamming capabilities.
The Kelihos botnet was targeted by the FBI three separate times between 2011 and 2017. When it was eventually taken down in 2017, the Kelihos botnet controlled some 60,000 compromised computers worldwide.