FBI investigators describe Methbot investigation as ‘beautiful concert of things shutting down’

Maybe the only thing more complicated than the Methbot advertising fraud scheme was the plan that ultimately shut it all down.

Last year, the FBI led a takedown operation that, with help from the bot detection firm White Ops and more than a dozen other companies, resulted in the arrest of three accused fraudsters in three different countries, as well as the seizure of more than 50 web servers and numerous bank accounts.

The law operation, detailed Wednesday by FBI officials at the International Conference on Cyber Security, targeted the Methbot/3ve fraud scheme. The ad-fraud ring defrauded digital advertisers and web publishers out of more than $30 million by charging marketers for access to internet users who didn’t actually exist, according to the U.S. Department of Justice. Advertising fraud, already a billion-dollar problem, is set to cost the ad industry $44 billion by 2022.

The investigation, which lasted more than a year and a half, resulted in the arrests of three suspects who were apprehended in Bulgaria, Malaysia and Estonia. Five other suspects have been indicted while managing to avoid capture. Identifying the suspects only turned out to be the first hurdle, though, for FBI agents who ultimately spent six months plotting out how to bring the ringleaders into custody without compromising evidence or tipping off other suspects that police were on the way.

If one suspect alerted others that a raid was underway, the danger was, the rest of the crew could delete crucial evidence or elude local law enforcement authorities working on the FBI’s behalf. Police action ultimately yielded the arrests of Aleksandr Zhukov, a Russian national residing in Bulgaria, Sergey Ovysannikov, a Kazakh man caught in Malaysia, and Yevgeniy Timchenko, a Russian nabbed in Estonia. All three men have pleaded not guilty in the Eastern District of New York.

“We had this matrix of a contingency plan where our team got together and we thought ‘How do we go about this? Where are we going to grab this guy, and how do we grab him?’” said Evelina Aslanyan, an FBI special agent. When it was clear the suspects could be caught, the FBI also had to consider whether authorities could extradite them to the U.S.

“There is really no cyber case of any significance that doesn’t touch multiple countries, and so you have to have international cooperation as a core competency of your cyber investigation and prosecution strategy,” Richard Donoghue, U.S. Attorney for the Eastern District of New York, said Wednesday. 

It didn’t quite work as planned. When Malaysian authorities arrested Ovsyannikov in October 2018, he somehow alerted Timchenko and Aleksandr Isaev, who is still at large. Both “subsequently deleted the contents of their email accounts and online storage accounts used in the scheme,” according to the indictment.

Preparation for the takedown involved “constant” phone calls with authorities in each of those countries to ensure law enforcement there was monitoring the suspects, and that none of the alleged scammers had left their respective countries. Each arrest would trigger a digital sinkhole, where White Ops or another company partnered with the FBI would give out false domain name surface information to make it seem like the operation was ongoing, as well as a phone tree to alert other members that the plan was in motion.

“There was a chain reaction where a call would go out to one person, they would call 10 others, and all those would call 20 others,” Aslanyan said.

To carry out the four-year scheme, the accused scammers relied on malicious software, botnets, falsified web traffic and a myriad of other technical tools that facilitated a “humongous” operation, according to Aslanyan. (BuzzFeed News described other aspects of the collaboration, particularly the private sector planning, in a detailed report last year.)

At its peak, the ad fraud operation involved 1.8 million infected computers at any given time, using those machines to artificially inflate the number of visitors to web pages set up for the sole purpose of scamming marketing firms. It also utilized more than 3 billion ad requests, where ad space is bought and sold, along with at least 10,000 spoofed web domains and no fewer than 60,000 accounts selling advertising inventory.

This effort went on for years, though, once the international police raid went into force, the scheme went from perhaps the most active campaign to almost complete silence within hours, Aslanyan said.

“It was just a beautiful concert of things shutting down. It was this weird sense of ‘Oh my God. It worked.’ But there was still a feeling of ‘It’s so complicated that one of us must have missed something here.’”