Skip to main content

U.S. V. Tsastsin, Et Al. Indictment Prepared Remarks Of U.S. Attorney Preet Bharara November 9, 2011

November 09, 2011

Good afternoon. My name is Preet Bharara, and I am the United States Attorney for the Southern District of New York.

Today, we announce the unsealing of an Indictment charging seven individuals – six Estonian nationals and one Russian national – with perpetrating a massive and sophisticated Internet fraud. Six of those seven defendants were arrested at our request yesterday by Estonian law enforcement, in Estonia, and the seventh is at large.

We believe this criminal case is the first of its kind, and it arises from a cyber infestation of the first order. As described in the Indictment, the defendants are charged with engineering a massive cyber scheme that infected more than four million computers in 100 countries with malicious software (or malware), allowing them to profit illegally to the tune of at least $14 million. At least a half million of those computers were located in the U.S.

As alleged, the defendants were cyber bandits who hijacked millions of computers at will and rerouted them to Internet websites and advertisements of their own choosing – collecting millions in undeserved commissions for all the hijacked computer clicks and Internet ads they fraudulently engineered.

As alleged in the Indictment, the defendants controlled companies that masqueraded as legitimate Internet advertising companies. The more Internet traffic the defendants drove to certain websites and Internet ads, the more money the defendants collected under their advertising contracts. On a massive scale, then, the defendants gave new meaning to the term “false advertising.”

What’s more, because of the nature of the malware used to carry out the scheme, the infected computers were left more vulnerable to other viruses as well, because in most cases they were unable to download basic anti-virus updates.

In just a moment, I’ll illustrate to you how the cyber-scheme worked. Before I do that, let me introduce our law enforcement team.

First, I want to acknowledge the extraordinary cooperation we received internationally, particularly from the Estonian Police and Border Guard Board. Without their assistance, the investigation and the arrests we are announcing today would not have been possible.

I am joined at the podium by Janice Fedarcyk, the Assistant Director-in-Charge of the New York Office of the FBI, who has made cyber security an absolute top priority of the New York Field office, and for good reason.  Also here is Mary Galligan, the Special Agent- in- Charge of the Special Operations and Cyber Branches of the FBI, and Daniel O’Brien, the Assistant Special Agent-in-Charge of the Cyber Branch.

I am also joined by Paul Martin, Inspector General of NASA OIG – the National Aeronautics and Space Administration, Office of the Inspector General. Why NASA, you may be asking yourself? Because NASA’s computers were among the millions infected with the malware. In fact, after NASA discovered that over 100 of its computers were infected, NASA’s agents teamed up with the FBI to unravel the scheme and root out who was behind it.

I also want to express my appreciation to the career prosecutors who have conducted this meticulous investigation: Assistant United States Attorneys Sarah Lai, James Pastore, and Alex Wilson, as well as Lisa Zornberg and Michael Bosworth, the Chiefs of our Complex Frauds Unit, Thomas Brown, the Deputy Chief for Cyber, and Sharon Cohen Levin, the Chief for forfeiture.

Now let’s look at how the alleged cyber scheme in this case actually worked. As I mentioned, this cyber plot came to light after certain computers at NASA became infected with malware.

Notwithstanding NASA’s involvement, however, this was not rocket science.  But, in order to understand the scheme, you need to understand a couple of fairly basic things about how computers connected to the Internet are actually steered to particular web pages.

  • In order to go to a particular web page, there are actually two ways to do it.

  • If you know the IP address, which is typically a long series of numbers, you can type that into your browser, and your computer will take you there. No one really uses that method.

  • Instead, we all use the second method – which is typing in the plain English website domain name; for example, or, etc.

  • But that requires some translation – so your computer knows what IP address is associated with that domain name.

  • So, when you type in a domain name, for example, this is what happens:

    • Your browser is directed by the computer’s operating system to a server somewhere, called a DNS Server (“Domain Name System” Server); it is that DNS Server that provides the actual IP address for the website and directs you to the computer hosting that website.

    • DNS Servers are sort of like an Internet white pages phone book; but instead of providing phone numbers for businesses, they provide IP addresses for websites.

    • So, to be directed to where you want to go, you need to be connected to a legitimate DNS Server.

  • And it is this simple Internet fact of life that we allege the defendants relied on to pull off their multi-million dollar scam.

  • As explained in the Indictment, what they did was infect millions of computers around the world with malware – malicious software. That happened typically when computer users visited certain sites or downloaded software from the Internet and unwittingly infected their own computers.

  • And what the malware did was change the DNS server settings so that infected computers were routed not to legitimate DNS Servers, but to rogue servers controlled and operated by the defendants in New York, Chicago, and elsewhere.

  • And so, as the Indictment explains, if you were infected by the defendants’ malware, your computer could be hijacked to whatever website the defendants wished.

  • So the defendants’ plan was to infect computers; direct them to servers they controlled; then redirect traffic to unintended websites; and reap an illegal financial windfall from that web traffic.

In one variation of the fraud, when the user of an infected computer clicked on a search result link displayed through a search engine query, they were falsely directed to a different website than the one they intended to visit. This type of fraud is described in the Indictment as “click hijacking.”

The defendants then allegedly received money for each of these fraudulently engineered “clicks.”

As alleged, they executed this click-fraud on a massive scale, earning millions in illegal profits, by bringing unsuspecting computer users around the world to websites they never intended to visit.

They allegedly engaged in a related type of fraud as well, as described in the Indictment “advertising replacement fraud.” As you know, websites make money by selling advertising.

And that’s a lucrative business. But, as the Indictment alleges, the defendants corrupted that business model too.

We allege that they replaced legitimate Internet advertisements on websites with substituted ads that triggered payments to them.

Finally, as I mentioned, there was an insidious side effect to this alleged cyber infection  computer users were typically unable to update their anti-virus and operating system software.

That left them more vulnerable.

As alleged in the Indictment, the defendants carried out this click-fraud over five years, generating at least 14 million dollars in illicit revenue. With today’s charges, we have unmasked who they are, unmasked their alleged crimes, and we will seek their extradition to the United States so they can be brought to justice.

Now, I want to mention some information about how this takedown took great care to avoid
Internet disruptions for those with infected computers.

Yesterday morning at approximately 3:00 a.m., the Government literally pulled the plug on the defendants’ rogue computer servers, which had been operating out of data centers in New York, Chicago, and other locations.

The FBI dismantled the computer infrastructure that the defendants used to execute their alleged crimes. Since then, the FBI has been promptly advising Internet Service Providers around the world of their customers whose computers may be infected, and those notification efforts are ongoing.

At the Government’s request, a federal judge in Manhattan has also appointed an independent receiver to replace the defendants’ unplugged “bad” servers with clean, good servers so that Internet life can go back to normal for the affected users.

And because of this careful planning, infected computer users’ Internet service has been routed through clean servers without being interrupted.

Let me conclude by emphasizing that the cyber threat is perhaps the most significant challenge faced by law enforcement and national security agencies today.  It has truly become the new frontier for law enforcement. And what we see in cases like today’s is likely just the tip of the Internet iceberg.

About a year ago, we announced a massive cyber fraud that involved the Zeus Trojan, allowing Eastern European hackers to steal millions from U.S. bank accounts.

As I said then, the modern, high-tech heist does not require a gun, a mask, a note, or a getaway car. It requires only the Internet and ingenuity. And it can be accomplished in the blink of an eye, with just a click of the mouse – at a distance of thousands of miles.

Today’s case is just the latest manifestation of that gathering threat, and it highlights yet another way in which the cyber threat has evolved and grown.

That is why the FBI – under the leadership of Director Mueller and Jan Fedarcyk in New York – has so ramped up its cyber efforts in terms of resources and focus. And we have done the same in this Office.

We will be doing more and more in this area – as it is absolutely essential to our national security, our economic security, and our citizens’ personal security.

And it is equally imperative that there be increased international collaboration among law enforcement to bring cyber criminals to justice. Too much of this conduct occurs abroad, and if we are to make a dent in the problem, we will all have to work as well together as we and the
Estonians have done so this week.

It is my pleasure to call to the podium:

1. Janice Fedarcyk, the Assistant Director-in-Charge of the New York Office of the FBI

2. Paul Martin, Inspector General of NASA OIG – the National Aeronautics and Space
Administration, Office of the Inspector General


Updated May 13, 2015