Four Eastern European men pleaded guilty to a scheme overseeing websites that hosted malware used to cause victims hundreds of millions of dollars in losses, the Justice Department said Friday.
Russian nationals Aleksandr Grichishkin and Andrei Skvortsov, along with Aleksandr Skorodumov from Lithuania and Pavel Stassi of Estonia, allegedly oversaw an organization that rented IP addresses, computers servers and domains to cybercriminals between 2008 and 2015. The practice, known as “bulletproof hosting,” is popular with digital thieves trying to evade law enforcement agencies.
Grichishkin, Skvortsov, Skorodumov and Stassi pleaded guilty to one count of RICO conspiracy. They each face up to 20 years in prison.
Crooks have used the hacking tools allegedly hosted by the defendants’ organizations to repeatedly infect U.S. financial institutions and defraud victims. That includes Zeus, a notorious piece of malicious code that a variety of criminals have used to steal over $100 million from victims. Despite the Justice Department’s 2014 disruption of a Zeus-based botnet, strains of the malicious code have continued to infect organizations.
Law enforcement officials target bulletproof hosting services because of the breadth of illicit activity the services enable. Russian national Kirill Firsov in January pleaded guilty to running another such service, known as Deer.io, which let scammers operate independent web stores where they sold access to hacked online accounts.
In the latest guilty pleas, the charging documents describe a professionally run criminal enterprise with each of the defendants playing a unique role.
Skvortsov was allegedly in charge of smoothing things over with unhappy clients, while Grichishkin oversaw the organization’s employees. Skorodumov handled IT administration for the organization, while Stassi ran the marketing department and set up new hosting accounts using fake or stolen information, according to the indictment.
One of the most helpful services that the four men provided clients was monitoring websites used to block internet infrastructure that is suspected of being used in a crime, according to U.S. prosecutors. Once one of those “blocklists” emerged, the accused would promptly configure new infrastructure for their criminal clients under fake or stolen identities, prosecutors said.