The Rise and Fall of a Spammer

How the internet police caught the man who ran the world’s largest botnet

W. W. Norton & Company
Science and Technology
7 min read, Aug 21, 2013


Twenty-four-year-old Oleg Nikolaenko knew cold-weather life, having already purchased a fine house in a wealthy Moscow suburb. So the mop-haired young man wasn’t surprised to find himself spending the winter of 2010 in the grip of an arctic chill—he just hadn’t planned on doing so in a Wisconsin jail cell.

Nikolaenko’s mugshot, via The Smoking Gun

Nikolaenko had been arrested while attending the massive Specialty Equipment Market Association (SEMA) auto show in Las Vegas. A car buff, he had also attended the event in 2009 and displayed no obvious reluctance to apply for a US visa on either occasion. He landed at JFK airport in New York on October 30, boarded a connecting flight to Las Vegas, and checked into the Bellagio hotel for a planned six-night stay. But Nikolaenko’s passage through US Customs in New York had alerted FBI agent Brett Banner to his presence. Working out of the FBI’s Milwaukee office, Banner was on the Cyber Crimes Squad that had pursued Nikolaenko for more than a year. Banner believed that the young man—later described by his attorney as the kind of kid “you find in a basement munching nachos and playing Wii”—had actually created and now controlled a massive botnet named Mega-D.


Botnets work by infecting thousands or even millions of computers round the globe with small pieces of malicious software. The code runs silently in the background—most users have no idea of its presence— turning a computer into a “bot” that sits listening over the Internet for any instructions from its controller. The botnet controller can take this massive network of machines and pass them specific pieces of spam, along with lists of e-mail addresses to contact. As the computer owner surfs the Web or watches an online video, her computer could be firing off thousands of messages silently in the background, all of them untraceable to the actual botnet owner. Rather than develop spam pitches themselves, botnet owners often rent out their networks to the highest bidder as a high-tech delivery mechanism for other people’s payloads.
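The paragraph above describes the defender's view of a spambot: an ordinary workstation that suddenly opens outbound SMTP connections to a great many distinct mail servers. The following Python is an added example, not code from the book or from the Mega-D investigation, showing the simplest detection that follows from that description: read flow records from a firewall or NetFlow export, and flag any internal host that talks to more than a threshold of distinct destinations on port 25 within a sliding window. The log format, the host addresses, the `known_relays` allow-list and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample flow records (not taken from the article). Workstation
# 10.0.0.12 contacts a dozen distinct mail servers in ten seconds, the
# legitimate relay 10.0.0.2 sends at a normal rate, and 10.0.0.30 makes one
# SMTP connection plus unrelated HTTPS traffic.
SAMPLE_FLOWS = """\
2010-11-01T10:00:00Z src=10.0.0.2 dst=198.51.100.7 dport=25 proto=tcp
2010-11-01T10:00:01Z src=10.0.0.12 dst=203.0.113.5 dport=25 proto=tcp
2010-11-01T10:00:01Z src=10.0.0.12 dst=203.0.113.9 dport=25 proto=tcp
2010-11-01T10:00:02Z src=10.0.0.12 dst=203.0.113.14 dport=25 proto=tcp
2010-11-01T10:00:02Z src=10.0.0.12 dst=203.0.113.21 dport=25 proto=tcp
2010-11-01T10:00:03Z src=10.0.0.30 dst=198.51.100.40 dport=443 proto=tcp
2010-11-01T10:00:03Z src=10.0.0.12 dst=203.0.113.33 dport=25 proto=tcp
2010-11-01T10:00:04Z src=10.0.0.12 dst=203.0.113.37 dport=25 proto=tcp
2010-11-01T10:00:04Z src=10.0.0.12 dst=203.0.113.42 dport=25 proto=tcp
2010-11-01T10:00:05Z src=10.0.0.12 dst=203.0.113.51 dport=25 proto=tcp
2010-11-01T10:00:06Z src=10.0.0.12 dst=203.0.113.58 dport=25 proto=tcp
2010-11-01T10:00:06Z src=10.0.0.12 dst=203.0.113.5 dport=25 proto=tcp
2010-11-01T10:00:07Z src=10.0.0.12 dst=203.0.113.66 dport=25 proto=tcp
2010-11-01T10:00:08Z src=10.0.0.12 dst=203.0.113.70 dport=25 proto=tcp
2010-11-01T10:00:09Z src=10.0.0.12 dst=203.0.113.77 dport=25 proto=tcp
2010-11-01T10:00:10Z src=10.0.0.30 dst=198.51.100.8 dport=25 proto=tcp
2010-11-01T10:00:30Z src=10.0.0.2 dst=198.51.100.9 dport=25 proto=tcp
2010-11-01T10:05:00Z src=10.0.0.2 dst=198.51.100.11 dport=25 proto=tcp
"""

# Hypothetical key=value flow line format used for this example.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_flow(line):
    """Return a dict for one flow record, or None if the line is malformed."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"]}


def find_spambot_candidates(lines, window_seconds=60, min_distinct_dsts=10,
                            known_relays=frozenset()):
    """Map each suspicious source host to the peak number of distinct SMTP
    destinations it reached inside any window of `window_seconds`.

    Hosts listed in `known_relays` (the organisation's real mail servers,
    which legitimately fan out to many destinations) are skipped.
    """
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse_flow(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == 25:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    findings = {}
    for src, evs in events.items():
        if src in known_relays:
            continue
        evs.sort()
        window = deque()
        peak = 0
        for ts, dst in evs:
            window.append((ts, dst))
            # Drop events that have fallen out of the sliding window.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len({d for _, d in window}))
        if peak >= min_distinct_dsts:
            findings[src] = peak
    return findings


if __name__ == "__main__":
    hits = find_spambot_candidates(SAMPLE_FLOWS.splitlines(),
                                   known_relays={"10.0.0.2"})
    for host, distinct in sorted(hits.items()):
        print(f"{host}: {distinct} distinct SMTP destinations within 60s")
```

The distinct-destination count matters more than the raw connection count: a real relay talks to many servers too, but it is known and allow-listed, whereas a desktop that fans out to unrelated MX hosts has no business doing so. In practice the same logic is applied at the network edge, where blocking outbound port 25 from non-relay hosts both stops the spam and turns every blocked attempt into a clean alert.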

The Mega-D botnet had infected more than 500,000 computers around the globe; they were pressed into service as spambots. At its high point, Mega-D’s spam output was estimated to account for 32 percent of all spam in the world. If you were on the Internet and checking e-mail between 2007 and 2009, you probably received many, many messages sent by Mega-D, usually advertising pharmaceuticals.


This earned Mega-D the title of “world’s largest botnet,” which suggested that quite a bit of money was behind the operation. Indeed, the botnet’s mysterious owner earned so much cash that, according to records taken from an Australian spam broker who coordinated deals between spammers and the botnets that delivered their messages, Mega-D’s owner had made $464,967.12 in just six months during 2007. And that was just the money from one client; Mega-D’s firepower was so great that the botnet was used to spam for multiple high-volume pitchmen. The sheer volume of the operation brought Mega-D to the attention of US and Australian authorities. In a coordinated process that took years to unfold, agents painstakingly traced one particular spam operation from its American creator to its Australian broker to its Russian Mega-D distributor.

The man behind Mega-D had remained inscrutable for several years, but in November 2009, FBI agents were able to trace money paid by the Australian spam broker to the Russian spammer. Google also turned over the Russian’s e-mail account; he had unwisely used a Gmail address subject to simple US subpoena power. Both the money trail and the e-mail pointed to Oleg Nikolaenko, then living in a fine home on Spasskiy Proezd, Vidnoe 2, Russian Federation.

Nikolaenko had actually been in the United States only weeks before this discovery, attending the 2009 SEMA auto show. He could have been arrested then, had his identity been known, but after returning to Russia, he was hard to get; Russia’s constitution forbids the extradition of its citizens. Banner and the FBI bided their time.

Situations like Nikolaenko’s pose a sticky problem for Internet policing. Grabbing a domestic resident is easy enough, and international police cooperation makes arrests possible in “friendly” countries. But how to reach those who live in countries with enough infrastructure to make Internet work possible, but with limited interest in helping foreign police agencies arrest their citizens? No wonder that, facing such a situation, copyright holders and police agencies around the world have repeatedly proposed Internet site blocking or filtering; if you can’t reach someone, you can at least stop them from reaching you. A blockade doesn’t work against botnet spam, however, because it originates with hundreds of thousands of separate machines around the world.


The Nikolaenko case is a reminder that nothing so dramatic is usually needed. The United States, Western Europe, Australia, Japan, and other advanced economies exert extraordinary soft power even on spammers. They host many of the towns and cities those with money most want to visit; they host the world’s best financial institutions; they host the world’s best Internet companies; they host the most people with both Internet access and ready money who might be convinced to spring for an unvetted erection aid. Even cybercrooks who want to take a vacation in some remote Asian country often end up connecting on flights through places like Germany, which has shown itself ready to arrest them on behalf of US authorities when they step off the plane.

Nikolaenko had a number of US connections. He needed to receive cash from those he spammed for, he needed a good e-mail client, and he loved cars and Vegas. In the end, he settled on what was easy over what was smart, using a US-based Gmail account, signing up for a non-anonymous ePassporte account to receive cash transfers, and traveling to car shows in Las Vegas on two occasions. Had he limited himself to the first two indiscretions, his identity would still have been revealed to Banner’s team, but he would have been unlikely to face immediate arrest in Russia. How long he might have lived in comfort, visiting only Black Sea resorts instead of Vegas, we can only guess. But Nikolaenko couldn’t stay away.

When he entered the United States on October 30, 2010, it took Banner several days to receive the information and then to swear out a criminal complaint. He knew that he was racing against time; the Bellagio hotel informed him that Nikolaenko was only scheduled to stay until November 5.

On November 3, Banner took a two-count criminal complaint to US Magistrate Judge Aaron Goodstein in Milwaukee. The complaint accused Nikolaenko of violating the federal CAN-SPAM Act by sending e-mails with forged header information. It also charged him with “aiding and abetting” mail fraud; an FBI agent had ordered Viagra from one of the spam messages Nikolaenko sent, but only “VPXL” male enhancement pills had arrived. Judge Goodstein signed off on an arrest warrant.

FBI agents arrested Nikolaenko in Las Vegas on November 4. They took him before a federal judge there, who shipped him off to Wisconsin in the custody of the US marshals. Denied bail by a Milwaukee judge, who noted that he carried two passports and a large quantity of cash, Nikolaenko spent Christmas staring at the inside of a cell.

Coda (for those who like tidy endings)

Nikolaenko finally pled guilty to controlling the Mega-D spam botnet. His plea agreement revealed that the FBI had seized his laptop when Nikolaenko was arrested in Las Vegas; on that laptop agents had found spreadsheets detailing Nikolaenko’s spam earnings, along with a control script for Mega-D. Nikolaenko also admitted to making “in excess of $400,000” from his botnet.

His parents, Egor and Luidmila, sent a touching letter from Russia, begging the judge to go easy on their son. “It was very difficult and shocking to realize that our son had unexpectedly stumbled,” they wrote. “Honourable Court! Definitely, Oleg has made an inconsiderate act, mainly due to his mindlessness and youth. And life has given him a hard lesson to learn. He has paid his freedom for that. But Oleg is our son, our flesh and blood…[W]e hear that Oleg is honest in his repentance for what he had done, and he will never do anything like that in the future.”

A friend also weighed in with the court, explaining what it was like to work daily with Nikolaenko in the car-tuning business they shared. “Day after day, month after month we were busy with cars, often hanging in the workshop till morning,” he wrote. “It was very difficult to earn money. Often we slept three-four hours a day after tuning cars at night. I was seating [sic] behind the wheel, while Oleg was adjusting parameters of the engine. To do that we have to trust each other to the maximum.” Nikolaenko, said the friend, was “the Real Man.”

On February 27, 2013, a judge sentenced Nikolaenko to the time he had already served in prison, along with three years of probation. No victims came forward to assert damages, so restitution was not required.

The Internet Police (W. W. Norton, 2013)


Nate Anderson is deputy editor at Ars Technica. His work has been published in The Economist and Foreign Policy. He lives in Chicago, Illinois.
