
nitpicker

(7,153 posts)
Thu Nov 29, 2018, 09:50 AM

Two International Cybercriminal Rings Dismantled and Eight Defendants Indicted for Causing Tens of M

https://www.justice.gov/usao-edny/pr/two-international-cybercriminal-rings-dismantled-and-eight-defendants-indicted-causing

Department of Justice
U.S. Attorney’s Office
Eastern District of New York

FOR IMMEDIATE RELEASE
Tuesday, November 27, 2018

Two International Cybercriminal Rings Dismantled and Eight Defendants Indicted for Causing Tens of Millions of Dollars in Losses in Digital Advertising Fraud

A 13-count indictment was unsealed today in federal court in Brooklyn charging Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko with criminal violations for their involvement in perpetrating widespread digital advertising fraud. The charges include wire fraud, computer intrusion, aggravated identity theft and money laundering. Ovsyannikov was arrested last month in Malaysia; Zhukov was arrested earlier this month in Bulgaria; and Timchenko was arrested earlier this month in Estonia, all pursuant to provisional arrest warrants issued at the request of the United States. They await extradition. The remaining defendants are at large.

Also unsealed today in federal court in Brooklyn were seizure warrants authorizing the FBI to take control of 31 internet domains, and search warrants authorizing the FBI to take information from 89 computer servers, that were all part of the infrastructure for botnets engaged in digital advertising fraud activity. The FBI, working with private sector partners, redirected the internet traffic going to the domains (an action known as “sinkholing”) in order to disrupt and dismantle these botnets.
(snip)

The internet is, in large part, freely available to users worldwide because it runs on digital advertising: website owners display advertisements on their sites and are compensated for doing so by intermediaries representing businesses seeking to advertise their goods and services to real human customers. In general, digital advertising revenue is based on how many users click or view the ads on those websites. As alleged in court filings, the defendants in this case represented to others that they ran legitimate companies that delivered advertisements to real human internet users accessing real internet webpages. In fact, the defendants faked both the users and the webpages: they programmed computers they controlled to load advertisements on fabricated webpages, via an automated program, in order to fraudulently obtain digital advertising revenue.

The Datacenter-Based Scheme (Methbot)

As alleged in the indictment, between September 2014 and December 2016, Zhukov, Timokhin, Andreev, Avdeev and Novikov operated a purported advertising network (“Ad Network #1”) and, with Ovsyannikov’s assistance, carried out a digital ad fraud scheme. Ad Network #1 had business arrangements with other advertising networks whereby it received payments in return for placing advertising placeholders (“ad tags”) on websites. Rather than place these ad tags on real publishers’ websites, however, Ad Network #1 rented more than 1,900 computer servers housed in commercial datacenters in Dallas, Texas and elsewhere, and used those datacenter servers to load ads on fabricated websites, “spoofing” more than 5,000 domains. To create the illusion that real human internet users were viewing the advertisements loaded onto these fabricated websites, the defendants programmed the datacenter servers to simulate the internet activity of human internet users: browsing the internet through a fake browser, using a fake mouse to move around and scroll down a webpage, starting and stopping a video player midway, and falsely appearing to be signed into Facebook. Furthermore, the defendants leased more than 650,000 Internet Protocol (“IP”) addresses, assigned multiple IP addresses to each datacenter server, and then fraudulently registered those IP addresses to make it appear that the datacenter servers were residential computers belonging to individual human internet users who were subscribed to various residential internet service providers. As a result of this scheme, Ad Network #1 falsified billions of ad views and caused businesses to pay more than $7 million for ads that were never actually viewed by real human internet users.

The Botnet-Based Scheme (3ve.2 Template A)

As also alleged in the indictment, between December 2015 and October 2018, Ovsyannikov, Timchenko and Isaev operated a purported advertising network (“Ad Network #2”) and carried out another digital ad fraud scheme. In this scheme, the defendants used a global “botnet”—a network of malware-infected computers operated without the true owner’s knowledge or consent—to perpetrate their fraud. The defendants developed an intricate infrastructure of command-and-control servers to direct and monitor the infected computers and check whether a particular infected computer had been flagged by cybersecurity companies as associated with fraud. By using this infrastructure, the defendants accessed more than 1.7 million infected computers, belonging to ordinary individuals and businesses in the United States and elsewhere, and used hidden browsers on those infected computers to download fabricated webpages and load ads onto those fabricated webpages. Meanwhile, the owners of the infected computers were unaware that this process was running in the background on their computers. As a result of this scheme, Ad Network #2 falsified billions of ad views and caused businesses to pay more than $29 million for ads that were never actually viewed by real human internet users.

The Botnet Takedown

Following the arrest of Ovsyannikov by Malaysian authorities, U.S. law enforcement authorities, in conjunction with various private sector companies, began the process of dismantling the criminal cyber infrastructure utilized in the botnet-based scheme, which involved computers infected with malicious software known in the cybersecurity community as “Kovter.” The FBI executed seizure warrants to sinkhole 23 internet domains used to further the charged botnet-based scheme or otherwise used to further the Kovter botnet. The FBI also executed search warrants at 11 different U.S. server providers for 89 servers related to the charged botnet-based scheme or Kovter.

In addition, as part of its investigation, the FBI discovered an additional cybercrime infrastructure committing digital advertising fraud through the use of datacenter servers located in Germany and a botnet of computers in the United States infected with malicious software known in the cybersecurity community as “Boaxxe.” The FBI executed seizure warrants to sinkhole eight domains used to further this scheme and thereby disrupt yet another botnet engaged in digital advertising fraud. Finally, the United States, with the assistance of its foreign partners, executed seizure warrants for multiple international bank accounts in Switzerland and elsewhere that were associated with the schemes.
(snip)

Squinch

(50,935 posts)
1. Russians, man. Seems like if there was a way to just cut ourselves off from them, things would
Thu Nov 29, 2018, 09:53 AM

be much better.
