clock menu more-arrow no yes

Filed under:

Feds tracked down Russian spam kingpin with help from his iCloud account

New, 3 comments

Peter Levashov was arraigned earlier this week for his role in the Kelihos botnet

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

Illustration by Alex Castro / The Verge

An affidavit unsealed today shows Apple’s unexpected role in bringing a Russian spam king to justice. Once listed as one of the ten worst spammers in the world, Peter Levashov allegedly ran the Kelihos botnet under the alias “Severa,” renting out access to spammers and other cybercriminals. But despite Levashov’s significant efforts at anonymity, court records show that federal agents had been surveilling his iCloud account since May 20th, 2016, funneling back crucial information that may have led to his arrest.

The affidavit (embedded below) lays out Severa’s role in administering the Kelihos spam botnet, and how server records, Jabber messages and online payments led investigators to Levashov. Two Kelihos-linked servers seized in Luxembourg showed frequent logins to Levashov’s account, apparently the result of Levashov using the servers as a proxy.

Investigators also found an iCloud account registered in Levashov’s name, registered from an IP address that had often connected to the Luxembourg server. The affidavit requests information on the account — including “login IP addresses associated with session times and dates” — based on Levashov’s apparent connection to Kelihos spam empire.

The request was successful. The same day the request was filed, a warrant was granted and Apple was placed under a gag order forbidding the company from sharing information about the case. With Levashov in Russia, the case was put on hold until he traveled to an extraditable country. The following April, nearly a year after the warrant was served, Levashov traveled to Barcelona on vacation and was promptly arrested by local authorities, reportedly at the request of US law enforcement.

We still don’t know for sure how US officials became aware that Levashov was in Barcelona. However, the standing iCloud warrant would have given authorities a running tab of IP addresses used to log in to the account, which could easily have tipped them off to the vacation.

The affidavit was made public in the wake of Levashov’s extradition from Spain to the United States, which was only recently finalized. Levashov was arraigned in Connecticut federal court on Friday, and US attorney Bryan Schroder requested that the court unseal the affidavit in connection with that proceeding.

Reached by The Verge, an Apple representative said the company does not comment on law enforcement proceedings.