By Agence France-Presse
US authorities say the Russian, Piotr or Peter Levashov, had operated the Kelihos network of tens of thousands of infected computers, stealing personal data and renting the network out to others to send spam emails by the millions and extort ransom from computer owners.
Levashov, also known in the hacking world as Peter Severa, was arrested at Barcelona airport on Friday at the US request.
A Spanish judge on Monday ordered him to be remanded in custody as Washington is expected to seek his extradition. The US has 40 days to present evidence.
A US indictment unsealed Monday said Levashov, 36 and a native of St. Petersburg, had operated the Kelihos botnet since around 2010.
Two years earlier he was already in the sights of US investigators running another botnet and managing the spam operations of a major US spammer, Alan Ralsky. Ralsky and others were jailed in that case but Levashov was never caught.
100,000 computers infected
The Kelihos network is made up of private computers around the world running on the Microsoft Window operating system. The computers are infected with malware that gives Levashov the ability to control them remotely, with the owners completely unaware.
According to the Justice Department, at times the number of computers in the network has topped 100,000, with between five and 10 percent of them in the United States.
Through underground networks, Kelihos sold the network's services to others, who would use it to send out spam emails advertising counterfeit drugs, work-at-home scams, and other fraud schemes, the indictment said.
They were also used for illegal "pump-and-dump" stock market manipulation schemes, and to spread other malware through which hackers could steal a user's banking account information including passwords, and lock up a computer's information to demand huge ransoms.
Levashov was proud of his work. According to Justice Department filings, earlier this year he posted an ad for his work noting he had been in the spam business "since the distant year 1999."
"During these years there has not been a single day that I keep still, by constantly improving quality of spamming," he said.
His prices rose with the illegality of the operation. For legal ads, he charged $200 per million spam emails. For scams and phishing attacks, it was $500 per million.
To help someone with a stock manipulation, he wanted a deposit of $5,000-$10,000 to share his list of 25 million traders. He also demanded 5 percent of the gains made on the stock.
The Spamhaus Project, which documents spam, botnets, malware and other abuse, listed Levashov as seventh on its "10 Worst Spammers" list and "one of the longest operating criminal spam-lords on the internet."
"The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives," said Acting US Assistant Attorney General Kenneth Blanco in a statement.
Taking over the network
Levashov's arrest was unrelated to investigations into Russian interference in last year's US presidential election, US officials said.
Earlier, the suspect's wife had earlier told Russia Today that his arrest was connected to the election hacking case.
In parallel with the arrest, US justice authorities announced an extraordinary move to bring down the Kelihos network, obtaining warrants that allows it to take control of the computers in the botnet by changing the malware to intercept its operation.
That will direct the Kelihos traffic to "sinkhole" servers set up by authorities, overtime eliminating traffic through Levashov's server network.
Such a move appeared to be the first ever application of controversial new investigative powers for US authorities which took effect late last year.
While the move will give them access to private computers, investigators pledged to guard the privacy of computer owners.
"This operation will not capture content from the target computers or modify them in any other capacity except limiting the target computers' ability to interact with the Kelihos botnet," the warrant said.