Two Kazakh Cybercriminals Plead Guilty in Global Digital Advertising Fraud Involving Tens Of Millions of Dollars in Losses
Leader of Scheme Will Forfeit Online Domains and More Than Eight Million Dollars Seized From Swiss Bank Accounts
Sergey Ovsyannikov and Yevgeniy Timchenko, citizens of the Republic of Kazakhstan, pleaded guilty yesterday and today, respectively, in federal court in Brooklyn to conspiring to commit wire fraud and related charges, for their involvement in a widespread digital advertising fraud. Ovsyannikov was arrested in October 2018 in Malaysia and extradited to the United States in March 2019. Timchenko was arrested in November 2018 in Estonia and extradited to the United States in February 2019. Both plea proceedings took place before United States Magistrate Judge Steven M. Gold. When sentenced, Ovsyannikov faces up to 42 years in prison, and Timchenko faces up to 40 years in prison.
Richard P. Donoghue, United States Attorney for the Eastern District of New York, and William F. Sweeney, Jr., Assistant Director-in-Charge, Federal Bureau of Investigation, New York Field Office (FBI), announced the guilty pleas.
Background on Digital Advertising
The internet is, in large part, freely available to users worldwide because it runs on digital advertising, where website owners display advertisements on their sites and are compensated by intermediaries representing businesses that advertise goods and services to human customers. In general, digital advertising revenue is based on how many users click, or view, the advertisements on those websites. As alleged in court filings, the defendants in this case represented that they ran legitimate companies that delivered advertisements to human internet users, who accessed real internet webpages. In fact, the defendants faked both the users and the webpages they programmed computers they controlled to load advertisements on fabricated webpages, via an automated program, and fraudulently obtained digital advertising revenue.
The Botnet-Based Criminal Scheme (“3ve.2 Template A”)
Between December 2015 and October 2018, Ovsyannikov and Timchenko were involved in operating a purported advertising network and carried out a digital advertising fraud scheme, referred to in the advertising industry as “3ve.2 Template A.” In this scheme, the defendants used a global “botnet”¾ a network of malware-infected computers operated without the true owner’s knowledge or consent to perpetrate their fraud. The defendants developed an intricate infrastructure of command-and-control servers to direct and monitor the infected computers, and to detect whether a particular infected computer had been flagged by cybersecurity companies as being associated with fraud. By using this infrastructure, the defendants accessed more than 1.7 million infected computers belonging to individuals and businesses in the United States and elsewhere, and used hidden browsers on those infected computers to download fabricated webpages and load advertisements onto those fabricated webpages. Meanwhile, the owners of the infected computers were unaware that this process was running in the background on their computers. As a result of this scheme, the defendants falsified billions of advertisement views and caused businesses to pay more than $29 million for advertisements that were never actually viewed by human internet users.
The Defendants’ Roles
Ovsyannikov led the development of the 3ve.2 scheme, and was a principal and owner of the advertisement network used to carry out the scheme. Ovsyannikov set out the infrastructure of the scheme in a spreadsheet titled “[Ad Network] Structure. Hosting and Domains.” The spreadsheet listed many of the command-and-control servers and other servers involved in the scheme, including several designated as repositories of “spoof” webpages. Ovsyannikov maintained lists of webpages to fabricate (or “spoof”) in his cloud storage account and on servers that he controlled, including more than 86,000 webpages associated with online publishers, including the webpages of thousands of businesses in the United States. In communications with co-conspirators, Ovsyannikov explained how different aspects of the infrastructure worked together to perpetrate the fraud, such that a “bot” in the botnet would “set itself” to visit a “spoofed domain” and cause a falsified advertisement view. Ovsyannikov directed proceeds of the fraud to bank accounts in Switzerland, among other locations. As part of his guilty plea, Ovsyannikov will forfeit those Swiss bank accounts, which contain more than eight million dollars.
Timchenko worked for Ovsyannikov and handled logistical and administrative aspects of the 3ve.2 scheme. Timchenko assisted in creating the infrastructure of command-and-control servers and other servers that were instrumentalities of the scheme. Timchenko deliberately chose certain U.S. service providers because they had the “coolest processors” and a “larger” cache (for temporary data storage) than competing providers. Timchenko also researched webpages to fabricate, deliberately targeted webpages for businesses in the United States, and placed those webpages on a running list that both defendants kept that was titled “New companies for spoofing.”
Separately, Ovsyannikov provided technical assistance to the operators of another digital advertising fraud scheme, referred to in the advertising industry as “Methbot.” In the Methbot scheme, the perpetrators used computers housed in commercial datacenters, instead of in a botnet, to carry out the digital advertising fraud. Ovsyannikov helped the Methbot operators program the datacenter computers to mimic human behavior, disguise the computers’ automated browsers, and evade fraud detection software. The Methbot operators falsified billions of advertisement views and caused businesses to pay more than $7 million for advertisements that were never actually viewed by human internet users.
The Botnet Takedown
Following the arrest of Ovsyannikov by Malaysian authorities in October 2018, U.S. law enforcement authorities, in conjunction with various private sector companies, began the process of dismantling the criminal cyber infrastructure utilized in the botnet-based scheme, which involved computers infected with malicious software known “Kovter.” The FBI executed seizure warrants to redirect the internet traffic going to 23 internet domains used to further the charged botnet-based scheme or otherwise used to further the Kovter botnet (an action known as “sinkholing”), in order to disrupt and dismantle the botnet. The FBI also executed search warrants at 11 different U.S. server providers for 89 servers related to the charged botnet-based scheme or Kovter.
In addition, as part of its investigation, the FBI discovered an additional cybercrime infrastructure committing digital advertising fraud through the use of datacenter servers located in Germany, and a botnet of computers in the United States infected with malicious software known in the cybersecurity community as “Boaxxe.” The FBI executed seizure warrants to sinkhole eight domains used to further this scheme and thereby disrupt yet another botnet engaged in digital advertising fraud.
Finally, the United States, with the assistance of its foreign partners, executed seizure warrants for multiple international bank accounts in Switzerland and elsewhere that were associated with the schemes.
For technical details on the malware and botnets referenced in this case, please see US-CERT Alert TA18-331A: https://www.us-cert.gov/ncas/alerts/TA18-331A
The government’s case is being prosecuted by the Office’s National Security and Cybercrime Section. Assistant United States Attorneys Saritha Komatireddy, Michael T. Keilty, Alexander F. Mindlin and Karin K. Orenstein are in charge of the prosecution.
Republic of Kazakhstan
Republic of Kazakhstan
E.D.N.Y. Docket No. 18-CR-633 (ERK)