Click-Fraud Kingpin Receives 7-Year Sentence

Estonian Hacker Amassed $14 Million With DNS-Changing Malware
Click-Fraud Kingpin Receives 7-Year Sentence

Cybercrime can pay very well. The challenge, of course, is staying out of jail long enough to spend one's ill-gotten gains.

See Also: Close the Gapz in Your Security Strategy

To wit, malware kingpin Vladimir Tsastin, 35, an Estonian national, has been sentenced to serve more than seven years in prison after pleading guilty in July 2015 to running a massive click-fraud scheme that earned $14 million in profits via more than 4 million victims across 100 countries.

U.S. District Judge Lewis A. Kaplan this week sentenced Tsastin to serve 87 months in prison, followed by one year of probation, calling his crimes "brazen, sophisticated and outrageous," according to the U.S. Department of Justice. Kaplan also ordered Tsastin to forfeit $2.5 million.

Tsastin and his gang began the criminal activities as early as 2006, according to security firm Trend Micro, which helped the FBI identify and disrupt the underlying, malicious infrastructure used in the attacks.

The gang operated publishing companies Esthost and Rove Digital, which entered into agreements with advertising brokers - receiving payment based on the number of clicks on advertisements they placed online - and then used custom-built "DNSChanger" malware to change the domain name system settings on infected computers, allowing them to generate fake clicks, according to court documents.

"At its heart, the Esthost/Rove Digital scheme was a relatively simple one: plant DNS changer malware onto user systems and redirect queries for popular domains to malicious servers," according to a blog post from Trend Micro. "This allowed the attackers to redirect the traffic aimed at these domains and carry out hard-to-detect but profitable attacks like hijacking search results and replacing website advertising."

Without a doubt, the scheme was lucrative. "By falsely collecting advertising fees for every 'click' their victims made, Tsastsin and his co-conspirators collected over $14 million," U.S. Attorney Preet Bharara said in a statement.

As a further source of revenue, the gang also employed fake AV - false security alerts that advise PC users to pay for and install bogus security software, according to Trend Micro.

'Operation Ghost Click'

The FBI launched its "Operation Ghost Click" investigation into the Esthost/Rove Digital gang's activities in 2009 and, working with Estonian authorities, successfully disrupted the group in 2011. Three years later, Tsastin was extradited from Estonia to stand trial in the United States.

In addition to Tsastsin, six other men were named in the related U.S. indictment: Andrey Taame, Timur Gerassimenko, Dmitri Jegorov, Valeri Aleksejev, Konstantin Poltev and Anton Ivanov.

Taame, who is a Russian national, remains at large, while the rest have been arrested and sentenced.

In October 2013, Aleksejev was sentenced to 48 months in prison. In July 2015, Gerassimenko, Jegorov, and Poltev were sentenced to 48 months, 44 months, and 40 months in prison, respectively, while Ivanov was sentenced to time served. All were also ordered to forfeit "criminal proceeds and the electronic and online infrastructure used to perpetrate their fraudulent scheme," according to the Justice Department.

The gang carried out its activities, in part, by using "approximately 50 rogue DNS servers located in New York City and additional ones at a data center in Chicago," according to the Justice Department. "Each of the rogue servers contained approximately two hard drives; the larger hard drives received as many as 3,000 fraudulent 'clicks,' or DNS resolution requests, per second, while the smaller servers received several hundred requests per second."

As part of his sentencing, Tsastsin agreed to forfeit multiple items of property, which is a penalty attached to being convicted of wire fraud. In a court document, prosecutors listed 82 items - ranging from servers and network switches to Windows and Mac laptops, as well as an iPhone 4 - that he will forfeit.

Sentencing Factors: Cooperation, Deterrence

In determining the sentence against Tsastsin, Judge Kaplan said he took into account the defendant's cooperation with U.S. authorities.

"During several meetings with the government, Mr. Tsastsin fully disclosed the details of his criminal conduct. Moreover, he revealed to the government specific information regarding production and distribution of computer malware in Russia and Europe, including payment processing in involving transactions," Kaplan writes in a sentencing memorandum. "The defendant fully disclosed information about his contacts and their activities. All this valuable information was documented by the government, and there is no doubt that it has been and will be used in its investigation of this and other crimes."

The judge said he also acknowledged the defendant's difficult history, noting that his "youth was very challenging due to [the] weak economy in Estonia in the aftermath of perestroika and independence from the Soviet Union," which forced his well-educated parents into low-paying jobs. As a result, while Tsastsin enrolled in the informatics science program at one of Estonia's most prestigious universities in 1998, where "he was an excellent student with an academic standing within the top 5 [percent] of his class," he was forced to drop out in 2002, because he could no longer afford the tuition fees, the judge writes. "In the same year, he opened his software company, which in 2006 became the best startup company in Estonia."

Kaplan said he balanced those factors against the need to deter future criminals. But while this is a well-established legal concept - and boilerplate argument on U.S. prosecutors' sentencing requests - it's far from clear if cybercrime deterrence works.

Tsastsin's lawyer, Arkady Bukh, couldn't be immediately reached for comment on his client's sentencing. But prosecutors had argued that because Tsastsin's crimes were "serious, extremely sophisticated and caused harm at numerous levels," he should be jailed for more than eight years, and probation officials had sought at least five years of probation for Tsastsin, Bukh told Bloomberg.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.