The Department of Justice Tuesday announced the indictments of eight people accused of running massive ad fraud schemes that were disrupted by an FBI-led botnet takedown.
The 13-count indictment, which was unsealed in a federal court in Brooklyn, charged six Russian nationals and two Kazakhstan citizens with crimes including wire fraud, computer intrusion, aggravated identity theft and money laundering. The defendants – Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko – were behind a massive botnet as well as two ad fraud campaigns, known as Methbot and 3ve, that generated millions of dollars. Ovsyannikov, Zhukov and Timchenko were recently arrested in Malaysia, Bulgaria and Estonia, respectively, and are awaiting extradition to the U.S.; the remaining defendants are still at large.
According to the Justice Department indictment, several of the defendants operated the Methbot campaign from September 2014 to December 2016. Zhukov, Timokhin, Andreev, Avdeev and Novikov are accused of setting up a fake ad network that posed as a legitimate company and conducted business with other advertisers; the Justice Department claims the defendants used more than 1,900 systems rented in data centers to load ads on more than 5,000 spoofed domains, while programming the servers to simulate human users and defraud legitimate advertisers. Security vendor White Ops, which initially uncovered Methbot and assisted with the Justice Department’s investigation, claimed the campaign at its height was generating between $3 million and $5 million in fraudulent ad revenue per day.
The Justice Department accused the defendants of launching another ad fraud campaign soon after Methbot’s creation. According to the indictment, 3ve was similar to Methbot in that it fooled advertisers into thinking the internet traffic on ads was legitimate; however, instead of using rented data centers, the defendants used a global botnet that infected more than 1.7 million systems, belonging to both consumers and businesses, and ran “hidden browsers” on those systems to load ads on fabricated webpages. According to the Justice Department, 3ve “falsified billions of ad views and caused businesses to pay more than $29 million for ads that were never actually viewed by real human internet users.”
In addition to the indictments, the federal court also unsealed seizure warrants related to the 3ve botnet takedown. According to the Justice Department, the FBI took control of 31 domains and seized information from 89 computer servers that served as the infrastructure for the botnet. After Ovsyannikov was arrested by Malaysian authorities, the FBI and several private sector companies sinkholed the domains as part of “Operation Eversion.”
According to a blog post from Symantec, which was one of several private sector partners involved in the botnet takedown, the 3ve botnet was powered by the Miuref and Kovter malware families. The Justice Department said the FBI also discovered “additional cybercrime infrastructure committing digital advertising fraud” that used both data centers in Germany and a botnet that infected computers of U.S. users with malware called Boaxxe. The FBI sinkholed eight other domains related to this botnet.
In addition to White Ops, Symantec and Google, which assisted with the botnet takedown and investigation, law enforcement received assistance from Microsoft, ESET, F-Secure Corporation, Malwarebytes and Trend Micro Inc., as well as CenturyLink, Inc., MediaMath, the National Cyber-Forensics and Training Alliance and The Shadowserver Foundation.