Guilty Pleas in $29 Million Online Ad Fraud CaseTwo Kazakhstan Men Helped Run Botnet-Driven 3ve Scheme
Two Kazakhstan nationals have pleaded guilty to charges stemming from their role in helping to run $29 million online advertising fraud scheme that the FBI worked with several security firms to shut down in 2018.
Sergey Ovsyannikov, 31, and Yevgeniy Timchenko, 32, each plead guilty to conspiring to commit wire fraud, as well as other computer hacking charges, according to the U.S. Attorney's Office for the Eastern District of New York, which is overseeing the case.
Ovsyannikov faces up to 42 years in prison, and Timchenko faces up to 40 years, prosecutors say. A third man allegedly involved in the scheme, Aleksandr Isaev of Russia, remains in federal custody and that case is ongoing, a spokesperson for the U.S. Attorney's Office says.
As part of their guilty pleas, the two men admitted their roles in helping to create and control an online fraud scheme known as 3ve - pronounced "Eve" - that operated from December 2015 to October 2018. Prosecutors estimated the scheme produced billions of false online ad views and cost businesses about $29 million in fraudulent advertisement payments (see: Feds Charge Eight With Online Advertising Fraud).
The 3ve scheme was powered by a botnet that compromised more than 1.7 million computers scattered throughout the world, prosecutors say.
"The defendants developed an intricate infrastructure of command-and-control servers to direct and monitor the infected computers, and to detect whether a particular infected computer had been flagged by cybersecurity companies as being associated with fraud," according to the Justice Department.
Each of the defendants had different roles in the scheme. Ovsyannikov, prosecutors say, helped develop the scam and controlled the fraudulent ad network. He also created a detailed spreadsheet that listed all the botnet's command-and-control servers as well as a list of spoofed websites that were part of the fraud.
Timchenko worked for Ovsyannikov and handled logistical and administrative duties for the group, prosecutors say. He also picked which service providers to use to create the infrastructure for the ad network, selecting those that had large storage capacities and that used the "coolest processors," authorities say.
The scheme worked by using the 3ve botnet to infect computers, which belonged to individuals and businesses. Once a computer was under the control of the botnet, the fraudsters used malware to create hidden web browsers on the infected device that ran in the background without the owner knowing, prosecutors say.
Those web browsers would then download fabricated webpages and load ads onto those pages, which then generated fake advertising impressions that earned Timchenko and Ovsyannikov money from legitimate advertising networks that thought they were paying for legitimate online ad traffic, prosecutors say.
"The defendants falsified billions of advertisement views and caused businesses to pay more than $29 million for advertisements that were never actually viewed by human internet users," the Justice Department says.
In late 2017, a working group composed of 17 security firms, including Google, Facebook, Verizon and White Ops, began secretly tracking 3ve. It then shared its findings with the FBI. After indictments were unsealed in October 2018, Ovsyannikov was arrested in Malaysia and Timchenko was arrested in Estonia. Both were extradited to the U.S. this year.
As part of the investigation, the FBI confiscated the fraud network and sinkholed the domains associated with the 3ve botnet, authorities say.
The 3ve scheme grew out of another online advertising fraud scam known as Methbot, which operated between September 2014 and December 2016 and cost businesses about $7 million in false advertising charges and fake impressions, prosecutors say.
Ovsyannikov worked on Methbot along with five other men believed to be Russian nationals, according to court documents. Prosecutors say Methbot earned money for its overseers by creating fake users to interact with online advertising, and the owners then collected money from legitimate advertising networks.
Prosecutors say Methbot's operators rented 1,900 computer servers and spoofed 5,000 real domains as part of their scheme. They also registered 650,000 IP addresses to make it appear that end users were coming from actual internet service providers.
Once security firm White Ops disrupted Methbot in 2016, Ovsyannikov turned his full attention to creating and running 3ve, according to prosecutors. As part of the October 2018 indictment involving the 3ve botnet, Ovsyannikov and the five Russian nationals were also charged with running the Methbot scheme as well.
The five Russian nationals have not been arrested and are believed to be in Russia, according to the spokesperson for the U.S. Attorney's Office for the Eastern District of New York.