Russian National Convicted of Charges Relating to Kelihos Botnet

Helped Hackers Evade Defenses of U.S. Businesses and Conduct Malicious Cyber Attacks

By Department of Justice U.S. Attorney’s Office

District of Connecticut


Media – A federal jury in Hartford convicted a Russian national yesterday for his role in operating a “crypting” service used to conceal “Kelihos” malware from antivirus software, enabling hackers to systematically infect victim computers around the world with malicious software, including ransomware.  Oleg Koshkin, 41, formerly of Estonia, was convicted of one count of conspiracy to commit computer fraud and abuse and one count of aiding and abetting computer fraud and abuse.  He faces a maximum penalty of 15 years in prison and is scheduled to be sentenced on September 20.

“By operating a website that was intended to hide malware from antivirus programs, Koshkin provided a critical service that enabled other cyber criminals to infect thousands of computers around the world,” said Acting U.S. Attorney Leonard C Boyle.  “We will investigate and prosecute the individuals who aid and abet cyber criminals as vigorously as we do the ones who actually hit the ‘send’ button on viruses and other malicious software.”

“The defendant designed and operated a service that was an essential tool for some of the world’s most destructive cybercriminals, including ransomware attackers,” said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division.  “The verdict should serve as a warning to those who provide infrastructure to cybercriminals: the Criminal Division and our law enforcement partners consider you to be just as culpable as the hackers whose crimes you enable — and we will work tirelessly to bring you to justice.”

“Mr. Koshkin and his associates knowingly provided crypting services designed to help malicious software bypass anti-virus software,” said Special Agent in Charge David Sundberg of the FBI’s New Haven Division.  “The criminal nature of the Crypt4U service was a clear threat to the confidentiality, integrity and availability of computer systems everywhere.  We at the FBI will never stop pursuing those like Mr. Koshkin for perpetrating cyber crimes and threats to the public at large.”

According to court documents and evidence introduced during the trial, Koshkin operated the websites “,” “,” and others.  The websites promised to render malicious software fully undetectable (FUD) by nearly every major provider of antivirus software.  Koshkin and his co-conspirators claimed that their services could be used for malware such as botnets, remote access trojans (RATs), keyloggers, credential stealers, and cryptocurrency miners.

In particular, Koshkin worked with Peter Levashov, the operator of the Kelihos botnet, to develop a system that would allow Levashov to crypt the Kelihos malware multiple times each day.  Koshkin provided Levashov with a custom, high-volume crypting service that enabled Levashov to distribute Kelihos through multiple criminal affiliates.  The Kelihos botnet was used by Levashov to send spam, harvest account credentials, conduct denial of service attacks, and to distribute ransomware and other malicious software.  At the time it was dismantled by the FBI, the Kelihos botnet was known to include at least 50,000 compromised computers around the world.

Koshkin was arrested in California on September 6, 2019, and has been detained since his arrest.

Koshkin’s co-defendant, Pavel Tsurkan, is charged with conspiring to cause damage to 10 or more protected computers, and aiding and abetting Levashov in causing damage to 10 or more protected computers.  He is released on bond while awaiting trial.

As to Tsurkan, an indictment is merely an allegation, and a defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.

Levashov was arrested by the Spanish National Police on April 7, 2017, and extradited to the United States.  On September 12, 2018, he pleaded guilty to one count of causing intentional damage to a protected computer, one count of conspiracy, one count of wire fraud, and one count of aggravated identity theft.

The FBI’s New Haven Division is investigating the case through its Connecticut Cyber Task Force.  Assistant U.S. Attorney Edward Chang of the United States Attorney’s Office and Senior Counsel Ryan K.J. Dickey of the Criminal Division’s Computer Crime and Intellectual Property Section are prosecuting the case, with assistance from the Criminal Division’s Office of International Affairs.  The Estonian Police and Border Guard Board also provided significant assistance.

In April 2021, the Department of Justice announced the creation of the Ransomware and Digital Extortion Task Force to combat the growing number of ransomware and digital extortion attacks. As part of the Task Force, the Criminal Division, working with the U.S. Attorneys’ Offices, prioritizes the disruption, investigation, and prosecution of ransomware and digital extortion activity by tracking and dismantling the development and deployment of malware, identifying the cybercriminals responsible, and holding those individuals accountable for their crimes. The department, through the Task Force, also strategically targets the ransomware criminal ecosystem as a whole and collaborates with domestic and foreign government agencies as well as private sector partners to combat this significant criminal threat.

Leave a Reply

Your email address will not be published. Required fields are marked *