Skip to main content
Press Release

Citizen of Estonia Admits Operating "Crypting" Service to Conceal Kelihos Botnet from Anti-Virus Software

For Immediate Release
U.S. Attorney's Office, District of Connecticut

PAVEL TSURKAN, 33, of Estonia, pleaded guilty today in the District of Connecticut to a federal charge related to his role in operating a “crypting” service used to conceal “Kelihos” malware from antivirus software, enabling hackers to systematically infect victim computers around the world with malicious software, including ransomware.

Tsurkan pleaded guilty via videoconference before U.S. Magistrate Judge S. Dave Vatti to one count of aiding and abetting unauthorized access to a protected computer, an offense that carries a maximum term of imprisonment of 10 years.

According to court documents and statements made in court, Tsurkan, his co-defendant Oleg Koshkin, and others operated an online, for-profit service known as Crypt4U via the websites “,” “,” “,” “,” as well as a custom FTP service for high-volume processing.  The websites promised to render malicious software fully undetectable (FUD) by nearly every major provider of antivirus software.  Tsurkan and his co-conspirators claimed that their services could be used for malware such as botnets, remote access trojans (RATs), keyloggers, credential stealers, and cryptocurrency miners.

Tsurkan provided the Crypt4U service to assist individuals who created and maintained networks of infected and compromised computers, known as “botnets.”  In particular, Tsurkan provided the Crypt4U service to Peter Yuryevich Levashov, who used the service in connection with the Kelihos botnet. The Kelihos botnet was used to send spam, to conduct denial of service attacks, and to distribute ransomware, among other criminal acts.  At the time it was dismantled by the FBI, the Kelihos botnet was known to include at least 50,000 compromised computers around the world, including computers in Connecticut.

Tsurkan is released on a $200,000 bond pending sentencing, which is scheduled for September 27, 2021, before U.S. District Judge Michael P. Shea in Hartford.

On June 15, 2016, a jury in Hartford found Oleg Koshkin, a Russian national last residing in Estonia, guilty of one count of conspiracy to commit computer fraud and abuse and one count of aiding and abetting computer fraud and abuse.  Koshkin is detained while awaiting sentencing.

On September 12, 2018, Levashov pleaded guilty to one count of causing intentional damage to a protected computer, one count of conspiracy, one count of wire fraud, and one count of aggravated identity theft.  He is awaiting sentencing.

The FBI’s New Haven Division is investigating the case through its Connecticut Cyber Task Force.  Assistant U.S. Attorney Edward Chang of the United States Attorney’s Office and Senior Counsel Ryan K.J. Dickey of the Criminal Division’s Computer Crime and Intellectual Property Section are prosecuting the case, with assistance from the Criminal Division’s Office of International Affairs.  The Estonian Police and Border Guard Board also provided significant assistance.

In April 2021, the Department of Justice announced the creation of the Ransomware and Digital Extortion Task Force to combat the growing number of ransomware and digital extortion attacks. As part of the Task Force, the Criminal Division, working with the U.S. Attorneys’ Offices, prioritizes the disruption, investigation, and prosecution of ransomware and digital extortion activity by tracking and dismantling the development and deployment of malware, identifying the cybercriminals responsible, and holding those individuals accountable for their crimes. The department, through the Task Force, also strategically targets the ransomware criminal ecosystem as a whole and collaborates with domestic and foreign government agencies as well as private sector partners to combat this significant criminal threat.

Updated June 17, 2021