Botnet operator who proxied traffic for other cybercrime groups pleads guilty

An Estonian national pleaded guilty this week in an Alaska court on charges of building and operating a botnet comprised of internet routers that proxied malicious traffic for other cybercrime gangs.

According to court documents, Pavel Tsurkan, 33, of Estonia, created and operated a botnet named "Russian2015."

The botnet, which Tsurkan controlled through the website russian2015.ru, allegedly infected more than 1,000 routers, the Department of Justice said on Thursday.

"Tsurkan modified the operation of each compromised Internet router so that it could be used as a proxy, allowing Tsurkan to transmit third-party Internet traffic through the home Internet routers without their owners' knowledge or consent," the court documents read.

"At times, Tsurkan allowed dozens of his criminal clients to route their traffic through a single victim's home internet router. For example, in the case of Victim 3, a hospital located in Alaska, Tsurkan configured the victim's router to allow it to channel the traffic for over 70 different computers."

Investigators said the infected routers were used as proxies for a variety of purposes, including sending spam e-mail messages.

"The unlawful use of the victims' routers resulted in latency in the victims' own Internet connections as well as significant data overage charge," US officials said.

Victims reported a surge in traffic ranging from 3 to 6 GB/day while having their routers infected. Some victims incurred data overages in the range of hundreds to thousands of dollars, officials said.

Tsurkan pleaded guilty in a second case last month

Tsurkan was arrested in Estonia in 2019 and extradited to the US. After pleading guilty, Tsurkan faces a maximum prison sentence of up to 10 years for operating the botnet.

In addition, Tsurkan pleaded guilty last month in a separate case in Connecticut to operating Crypt4U, a code crypting service that allowed cybercrime gangs to disguise the malicious behavior of their malware families. Customers of the Crypt4U service included the Kelihos botnet.

The Estonian national faces a second maximum 10-year prison sentence in that case as well.

Tsurkan is currently released on a $200,000 bond pending sentencing in the Crypt4U case, which is scheduled for September 27, 2021, and sentencing in the Russian2015 case, which is set for November 10, 2021.