It was one of the most sophisticated digital fraud operations in the history of the Internet, by some accounts scamming between $10 million and $30 million over the roughly four years it existed.
Dubbed “Methbot” by security researchers, the operation used rented data-center servers and hundreds of thousands of falsely registered Internet addresses to simulate human visitors on dummy websites, inflating web traffic and defrauding advertisers. A related, overlapping scam, dubbed “3ve,” instead used infected residential computers linked to real human users.
This week in a U.S. federal court in New York City, the Russian man accused by U.S. authorities of being a ringleader of the group, Aleksandr Zhukov, went on trial for wire fraud, money laundering, and other charges.
Extradited to the United States after being arrested in Bulgaria in November 2018, Zhukov has pleaded not guilty. Seven other people, mainly Russians, have also been indicted.
“The cybercrime in my indictment is just [the] imagination of [the] FBI, and I wish to go to jury,” Zhukov told the U.S. court in April 2019.
The case is the latest example of U.S. law enforcement going after alleged Russian cybercriminals around the world, a trend that has infuriated the Kremlin, which has accused the United States of hunting Russian citizens.
But beyond the fraud charges, the Methbot case carries a technical intrigue: the network of servers allegedly used by the fraudsters has been under scrutiny to determine whether it was also used by Russian state-backed hackers, or intelligence agencies, to break into U.S. political parties.
“Differentiating between what is ‘cybercrime’ and what is nation-state activity, such as espionage, is getting increasingly difficult, especially concerning Russia,” Mathew Schwartz, executive editor of the industry journal DataBreachToday, told RFE/RL. “In part, this is because some individuals who have day jobs as government hackers -- or contractors -- seem to hack the West in their spare time -- for fun, patriotism or profit.”
'Are You Gangsters? No, We Are Russians'
According to U.S. court records, the Methbot scam first took form in September 2014, when Zhukov and five other men from Russia and Kazakhstan allegedly rented more than 1,900 computer servers at commercial data centers in Texas and elsewhere and used them to simulate humans viewing ads on fabricated webpages.
Eventually, the scam grew to include more than 850,000 Internet addresses, supported by hundreds of dedicated servers located in the United States and in Europe, mainly in the Netherlands.
In a September 2014 text message obtained by U.S. investigators and published by prosecutors, Zhukov, who had moved to Bulgaria in 2010, allegedly bragged about the scope of the scheme to another man who was part of the effort: “You bet! King of fraud!”
“Are you gangsters? No, we are Russians,” the other man responds, according to a U.S. transcript.
In December 2016, White Ops, a U.S. cybersecurity company that specializes in digital ad fraud and botnets, published a report that pinpointed much of the technical information about the operation and its financial damages. Those findings were later corroborated by researchers at Google.
Methbot, White Ops concluded, “was the largest and most profitable advertising fraud operation to strike digital advertising to date.”
On November 6, 2018, Bulgarian police raided the apartment in the Black Sea port of Varna where Zhukov was living and, with U.S. law enforcement present, questioned, then arrested, Zhukov, seizing his computer hardware and cell phones. U.S. authorities unsealed a 13-count indictment against him and seven other Russian and Kazakh nationals later that month.
Zhukov was extradited to the United States two months later, in January 2019.
Another key player was a Kazakh man named Sergei Ovsyannikov, who allegedly was involved in the overlapping botnet scheme called 3ve. The scheme was tied to at least $29 million in fraud and allegedly involved more than 1.7 million infected computers. Because the infected computers were in homes, their traffic came from addresses tied to real people, making it harder to distinguish from genuine user activity.
“However you want to look at it, from an illicit profit-generating perspective, that counts as super lucrative,” Schwartz said.
Ovsyannikov was arrested on a U.S. warrant in Malaysia in October 2018. He later pleaded guilty in U.S. federal court.
Yevgeny Timchenko, another Kazakh national who was also allegedly linked to the 3ve scheme, was arrested in Estonia the same month as Zhukov and later extradited. The other men named in the indictment are still at large, according to U.S. officials.
The Steele Dossier
Though the fraud allegedly committed in the Methbot and 3ve schemes was lucrative, the underlying technologies and infrastructure used have interested security researchers and experts tracking state-sponsored hacking efforts, particularly those involving Russia, Iran, North Korea, China, and other countries with developed hacking capabilities.
The infrastructure used to run the Methbot network was extensive and expensive, according to one cybercrime researcher, who described it as “the most costly botnet fraud in history.”
A sizable number of the servers that the Methbot operation rented and utilized were owned and maintained by companies affiliated with XBT Holding S.A., which is owned by a Russian venture capitalist named Aleksei Gubarev.
That holding includes a group of web-hosting businesses also known as Webzilla, which has operations in Dallas, Texas, as well as in Russia, and which has specialized in services aimed at Internet advertisers, gaming companies, software developers, and e-commerce businesses. Among its web-hosting domains are DDoS.com, 1-800-HOSTING, and SecureVPN.com.
A series of reports by the McClatchy newspaper network and the Miami Herald documented how major malware campaigns have spread via XBT’s infrastructure.
While known within the tech industry, Gubarev’s name and his companies burst into wider public view in January 2017 with the publication of a collection of memos written by a former British spy named Christopher Steele.
The memos, which were written in 2016, included salacious, unverified allegations against then-U.S. presidential candidate Donald Trump. It later emerged that the work was commissioned by a Washington law firm on behalf of the Democratic Party.
The collected memos, which had circulated among reporters in Washington but were published first by BuzzFeed, were known as the Steele Dossier.
One memo alleged that XBT/Webzilla and affiliated companies played a key role in the hack of Democratic Party computers in the spring of 2016, which resulted in the leak of e-mails that many believe helped harm former Secretary of State Hillary Clinton’s campaign against Trump. The memo also alleged Gubarev had been coerced into providing services to Russia’s main domestic security agency, known as the FSB.
Subsequent U.S. intelligence reports and law enforcement indictments blamed the hack on Russia’s military intelligence agency, known as the GRU. Russia’s foreign intelligence agency, called the SVR, has been implicated both in that hack and the more recent SolarWinds intrusion of U.S. government and corporate servers.
Gubarev has denied the allegations and sued BuzzFeed in U.S. court for publishing the Steele Dossier. That lawsuit was ultimately thrown out, but during the process, a technical expert who had served as chief of staff of the FBI’s Cyber Division in Washington, D.C., testified on behalf of BuzzFeed’s lawyers.
The expert, Anthony Ferrante, said that Russian cyberespionage groups had used XBT servers to conduct “spear-phishing” campaigns against Democratic politicians, and XBT-owned infrastructure had been used to support Russian state-sponsored cybercampaigns.
Ferrante asserted that the size of the Methbot operation, and the fact that a large number of IP addresses were first added to XBT-affiliated servers in late 2015 and then suddenly shut off in December 2016, meant an XBT employee would have had to do that manually.
That, he said, pointed to the likelihood that XBT managers knew the company’s infrastructure was being used for illegal activity.
“Additionally, the operation was a large scale ‘botnet,’ which is consistent with statements made in the [Steele] Dossier,” Ferrante wrote.
A press spokesman for Ferrante’s Boston-based consulting company declined to comment further on the case.
Gubarev, who reportedly lives in Cyprus, could not be immediately located for comment.
In an e-mail to RFE/RL, however, his U.S. lawyer confirmed that XBT had hosted some of the Methbot operation. But, he said, Gubarev and XBT executives were in fact “unsung heroes” because, he said, they canceled the account in December 2016, after the publication of the White Ops report, and preserved hard drives as evidence.
“The reason that the government is able to make its case now is because of the fast action by Mr. Gubarev and Webzilla,” Val Gurvits, a lawyer based in the Boston suburb of Newton, told RFE/RL.
Gurvits also said that while “bad actors” misused Webzilla’s network, “not a single reputable source found that Webzilla was at fault for any such misuse.”
“The truth is that my clients have always taken extraordinary measures to ensure that its networks are not misused,” he said.
In court testimony on May 5, Kostyantyn Bezruchenko, chief technical officer for Webzilla and Servers.com, indicated that Zhukov knew Gubarev personally, having invited him to attend a concert on Cyprus in September 2016. Zhukov flew in from Bulgaria on a private jet, Bezruchenko told the court, and Bezruchenko then joined Zhukov on the jet for the flight back to Bulgaria.
Schwartz, of DataBreachToday, said the Methbot case shows how blurred the line has become between run-of-the-mill online criminal activity and state-sponsored cybercampaigns of the sort used not only by Russian intelligence, but also the Central Intelligence Agency, the U.S. National Security Agency, and intelligence agencies around the world.
He also said agencies are increasingly using commonly available malware, and even criminal-run infrastructure, as part of “the cybercrime-as-service ecosystem.”
“For spies, using infrastructure built by -- and for -- criminals makes sense, because it's more difficult for victims or foreign intelligence agencies to tell if any given activity is criminal or government run,” he said.