Accused Russian RSOCKS Botmaster Arrested, Requests Extradition to U.S. – Krebs on Security


A 36-year-old Russian man recently identified by KrebsOnSecurity as the likely owner of the huge RSOCKS botnet was arrested in Bulgaria at the request of US authorities. During a court hearing in Bulgaria this month, the accused hacker requested and was granted extradition to the United States, telling the judge: “America is looking for me because I have so much information and they need it.”

A copy of Denis Kloster’s passport, as published on his Vkontakte page in 2019.

On June 22, KrebsOnSecurity published Meet the Administrators of the RSOCKS Proxy Botnet, which identified Denis Kloster, a.k.a. Denis Emelyantsev, as the apparent owner of RSOCKS, a collection of millions of hacked devices that have been sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer.

Originally from Omsk, Russia, Kloster came to attention after KrebsOnSecurity followed clues from the RSOCKS botnet master’s identity on cybercrime forums to Kloster’s personal blog, which featured thoughts on the challenges of running a company that sells “security and anonymity services to customers around the world.” Kloster’s blog even included a group photo of RSOCKS employees.

“Thanks to you, we are now developing in the field of information security and anonymity!” enthuses Kloster’s blog. “We make products that are used by thousands of people around the world, and that’s really cool! And that’s just the beginning!!! We don’t just work together and we’re not just friends, we’re family.”

Bulgarian media reports that Kloster was arrested in June at a coworking space in the southwestern ski resort of Bansko, and the accused asked to be handed over to US authorities.

“I have hired a lawyer there and I want you to send me as soon as possible to clarify these baseless accusations,” Kloster reportedly told the Bulgarian court this week. “I am not a criminal and I will prove it in US court.”

Launched in 2013, RSOCKS was shut down in June 2022 as part of an international investigation into the cybercrime service. According to the Department of Justice, the RSOCKS botnet initially targeted Internet of Things (IoT) devices, including industrial control systems, clocks, routers, audio/video streaming devices and smart garage door openers; later in its existence, the RSOCKS botnet expanded to compromise other types of devices, including Android devices and conventional computers, the DOJ said.

The Justice Department’s June 2022 statement about the takedown cited a search warrant from the U.S. Attorney’s Office for the Southern District of California, which was also cited by Bulgarian media this month as the source of Kloster’s arrest warrant.

Asked if there was an arrest warrant or criminal charges against Kloster, a Southern District spokesperson said “no comment.”

Update, September 24, 9:00 a.m. ET: Kloster was named in a 2019 indictment (PDF) unsealed September 23 by the Southern District Court.

The employees who made things work for RSOCKS, circa 2016. Note that no one appears to be wearing shoes.

24Chasa reported that the defendant’s surname is Emelyantsev and that he only recently adopted the surname Kloster, which is his mother’s maiden name.

As KrebsOnSecurity reported in June, Kloster also appears to be a major player in the Russian email spam industry. In several private exchanges on cybercrime forums, the administrator of RSOCKS claimed ownership of the RUSdot anti-spam forum. RUSdot is the successor forum to Spamdot, a much more secretive and restricted forum where many of the world’s top spammers, virus writers, and cybercriminals collaborated for years before the community’s implosion in 2010.

Email spam – and in particular malicious email sent via compromised computers – remains one of the main sources of malware infections that lead to data breaches and ransomware attacks. So it stands to reason that as the administrator of Russia’s most notorious forum for spammers, the defendant in this case probably knows a lot about the other major players in the spam and malware botnet community.

A Google-translated version of the RUSdot anti-spam forum.

Although he claimed his innocence, Kloster reportedly told the Bulgarian judge that he could be useful to American investigators.

“America is looking for me because I have so much information and they need it,” Kloster told the court, according to 24Chasa. “That’s why they want me.”

The Bulgarian court agreed and granted his extradition. Kloster’s fiancée also attended the extradition hearing and reportedly cried in the room outside the entire time.

Kloster turned 36 while awaiting his extradition hearing and could soon face charges that carry up to 20 years in prison.
