The Estonian police arrested six men (Vladimir Tsastsin, Timur Gerasimenko, Dmitri Yegorov, Valeri Alekseyev, Konstantin Poltev, and Anton Ivanov) last week for organized cybercrime activities on an international scale. The six men are accused of operating various companies that masqueraded as legitimate publisher networks in the Internet advertising industry from 2007 to October of 2011.
Based in Estonia, the criminal venture hijacked 4 million computers in more than one hundred countries. Through companies such as Esthost and Rove Digital, the defendants are alleged to have used a strain of malware known as DNS Changer to hijack victims’ computers for the purposes of redirecting Web browsers to ads that generated pay-per-click revenue for the defendants and their clients.
U.S. authorities believe that the men made more than $14 million through click hijacking and advertisement replacement fraud. Of the computers infected with malware, at least 500,000 were in the United States, including computers belonging to U.S. government agencies such as NASA. Both Windows and Mac OS computers were infected.
The law enforcement action, named “Operation Ghost Click,” was the result of a multi-year investigation, and is being called the “biggest cybercriminal takedown in history.” It is a great example of successful collaboration between law enforcement organizations, educational institutions, and the private sector in different countries. Operation Ghost Click included the FBI, police in Estonia and the Netherlands, the Georgia Institute of Technology, the University of Alabama at Birmingham, the National Cyber-Forensics and Training Alliance, and private groups such as Neustar, Spamhaus, Team Cymru and Trend Micro, as well as the DNS Changer Working Group (DCWG).
The cybercriminals had wide connections in Russian hacker communities including the Russian Business Network, a multi-faceted cybercrime organization.