An Estonian man who ran an organized cybercrime ring that infected more than four million PCs in over 100 countries with moneymaking malware has pleaded guilty in New York to wire fraud and computer intrusion charges.
Vladimir Tsastsin, 35, ran an online Web hosting and advertising empire in Estonia called Rove Digital. From 2007 to 2011, Tsastsin and six other men cooked up and executed a scheme to deploy malware that altered the domain name system (DNS) settings on infected computers (there were versions of the malware for both Mac and Windows systems).
Tsastsin, right, along with other Rove Digital men, at a 2013 hearing in Tallinn. Image: Postimees.ee.
Known as DNSChanger, the malware pointed infected machines at DNS servers the gang controlled, so every name lookup those systems made was answered by Rove Digital. That let the gang replace legitimate ads in victims' Web browsers with ads that paid Rove Digital, and hijack referral commissions from other advertisers when victims clicked on ads. The rogue resolvers also kept infected systems from downloading software updates and from reaching many security Web sites.
Following the takedown of the crime gang, the U.S. government assumed control over the DNS servers that were used by the malware, and spearheaded a global effort to clean up infected systems. U.S. authorities allege that the men made more than $14 million through click hijacking and advertisement replacement fraud.
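A check of the kind a cleanup effort would run on a possibly infected host, as an added example here (not code from the article, from Rove Digital, or from the takedown): it pulls the configured resolvers out of an /etc/resolv.conf file or `ipconfig /all` output and flags any that fall inside a list of suspect address ranges. The ranges and the two sample configurations are constructed placeholders in RFC 5737 documentation space, not the rogue servers' real addresses.

```python
"""Flag configured DNS resolvers that fall inside suspect address ranges.

Added example for the DNSChanger discussion; not code from the article
or from the cleanup effort it describes. SUSPECT_NETWORKS are constructed
placeholders (RFC 5737 documentation space), not the rogue ranges that
were actually used.
"""
import ipaddress

# Constructed placeholder ranges standing in for rogue resolver space.
SUSPECT_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed sample: a Linux host whose first resolver was rewritten.
SAMPLE_RESOLV_CONF = """\
# /etc/resolv.conf
search corp.example
nameserver 203.0.113.7
nameserver 192.0.2.53
"""

# Constructed sample: trimmed `ipconfig /all` output from a Windows host.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet0:

   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   DNS Servers . . . . . . . . . . . : 198.51.100.9
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def _as_ip(token):
    """Parse an address token (zone suffix like %1 dropped); None if not an IP."""
    try:
        return ipaddress.ip_address(token.split("%", 1)[0])
    except ValueError:
        return None


def extract_resolvers(text):
    """Return resolver addresses from resolv.conf or `ipconfig /all` text.

    resolv.conf: every `nameserver <addr>` line.
    ipconfig:    the address after `DNS Servers ... :` plus any following
                 lines that consist of a bare address (extra resolvers).
    """
    resolvers = []
    in_dns_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("nameserver"):
            parts = line.split()
            if len(parts) >= 2 and _as_ip(parts[1]) is not None:
                resolvers.append(parts[1])
            in_dns_block = False
        elif line.startswith("DNS Servers"):
            # The label's own colon comes first, so split there; the remainder
            # may itself contain colons (IPv6).
            first = line.split(":", 1)[1].strip()
            if _as_ip(first) is not None:
                resolvers.append(first)
            in_dns_block = True
        elif in_dns_block and _as_ip(line) is not None:
            resolvers.append(line)
        else:
            in_dns_block = False
    return resolvers


def check_resolvers(resolvers, suspect_networks=SUSPECT_NETWORKS):
    """Map each resolver to the suspect network containing it, or None."""
    verdict = {}
    for resolver in resolvers:
        ip = _as_ip(resolver)
        hit = None
        if ip is not None:
            for net in suspect_networks:
                if ip.version == net.version and ip in net:
                    hit = str(net)
                    break
        verdict[resolver] = hit
    return verdict


def hijacked_resolvers(text, suspect_networks=SUSPECT_NETWORKS):
    """Convenience: the resolvers in `text` that land in a suspect range."""
    verdict = check_resolvers(extract_resolvers(text), suspect_networks)
    return [resolver for resolver, net in verdict.items() if net]


if __name__ == "__main__":
    for name, text in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig /all", SAMPLE_IPCONFIG)):
        for resolver, net in check_resolvers(extract_resolvers(text)).items():
            status = "SUSPECT (in " + net + ")" if net else "ok"
            print(f"{name}: {resolver} -> {status}")
```

The check targets the configuration change rather than anything visible to the user: with a hijacked resolver, pages still load and only the answers are attacker-chosen, which is what let the scheme run for years. A live check (resolve a known name through each configured resolver and compare against a trusted one) would also catch hijacks to addresses not on the list, but it needs network access and is left out here.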
Tsastsin and his accomplices were arrested in 2011 by Estonian authorities for their role in the scheme, but the men were ultimately acquitted. In June 2014, however, the Estonian Supreme Court overturned that decision, finding them guilty of money laundering. Tsastsin in particular was also found guilty of leading a criminal gang. All but one of the seven were later extradited to the United States, and have already pleaded guilty, been imprisoned, or both.
I first encountered Tsastsin in 2008, after research and collaboration with numerous security firms and researchers led to a Washington Post series detailing how Rove Digital and its hosting business — a company called EstDomains — were hosting huge numbers of Web sites that foisted malicious software. His response at the time to assertions that he was somehow tied to Russian organized cybercrime: “Rubbish!”
“Our projects are totally legitimate and they are not involved in any shady activities,” Tsastsin told The Post in Sept. 2008.
One of those stories, EstDomains: A Sordid History and A Storied CEO, detailed Tsastsin’s prior convictions on money laundering and credit card fraud charges in Estonia. That revelation prompted the Internet Corporation for Assigned Names and Numbers (ICANN), a non-profit that oversees the domain name industry, to revoke EstDomains’s authority as a domain registrar.
Interestingly, Tsastsin and Rove Digital were among the earliest investors in ChronoPay, a Russian payment processing firm whose CEO was another cybercrime kingpin and one of two core subjects of my book, Spam Nation.
Tsastsin faces a maximum sentence of 20 years in prison on the wire fraud conspiracy count and five years in prison on the computer intrusion conspiracy count. He is currently slated to be sentenced October 14, 2015. The media release from the U.S. Attorney’s Office for the Southern District of New York is here.
DNSChanger chronology. Source: InternetIdentity
Update, July 12, 8:56 p.m. ET: Corrected caption.
Source: Krebs