Only one crook from Operation Ghost Click is still at large

Apr 27, 2016 14:22 GMT  ·  By

Yesterday, a US judge sentenced Vladimir Tsastsin to 87 months in jail for his lead role in an international crime ring that infected with malware over four million computers in 100 countries and pocketed the criminal and his accomplices $14 million (€12.4 million) from click-fraud activities.

The group operated between 2007 and October 2011, when authorities arrested and charged Tsastsin and other crooks of their role in the distribution of the DNSChanger malware.

Tsastsin's group created and operated the DNSChanger botnet

The FBI argued and later proved that the seven created and distributed the DNSChanger malware, which worked by changing a computer's local DNS settings, in order to reroute traffic through a series of DNS servers controlled by the group.

Tsastsin and his associates configured the malware and the malicious DNS servers to hijack user clicks on search results and replace ads on legitimate websites with their own.

The purpose of these tactics was for the group to drive massive amounts of traffic to affiliate and advertising programs, from where they were earning large sums of money.

Tsastsin was also behind the famous EstDomains registrar

The group registered a few dozen front companies in the United States, Estonia, Russia, Denmark, the Republic of Seychelles, England, and Cyprus, in order to launder the money they earned.

One of their front businesses was the EstDomains Estonian domain registrar, which was used by many other criminal groups to register malicious domains used in other cyber-attacks.

One of EstDomains' main clients was the criminal group known as the Russian Bussiness Network (RBN), the creators of the MPack malware kit and the Storm botnet.

EstDomains lost its license in 2008, when ICANN decided to terminate its agreement.

FBI arrested six of the group's seven members

The group's operation was shut down in November 2011, when the FBI, aided by Trend Micro, tracked down the suspects, sinkholed their servers, and made official indictments against the seven, eventually arresting six.

The extradition process dragged on, and at one point, Tsastsin seemed to get away, after an Estonian court decided to acquit him for his role in the DNSMalware campaign.

US authorities didn't give up and insisted with their charges, and today, six of the seven crooks are in prison. Besides the 87-month prison sentence, Tsastsin was sentenced to one year of supervised release and ordered to forfeit $2.5 million (€2.2 million). The table below shows the current prison sentences for each of the seven.  

Name Age Prison Sentence Date of Sentencing
Vladimir Tsastsin 36 87 months April 26, 2016
Timur Gerassimenko 36 48 months July 27, 2015
Dmitri Jegorov 38 44 months July 27, 2015
Konstantin Poltev 33 40 months July 27, 2015
Valeri Aleksejev 36 48 months October 30, 2013
Anton Ivanov 31 Time served July 25, 2014
Andrey Taame 32 Still at large -