Accused Russian RSOCKS Botmaster Arrested, Requests Extradition to U.S. – Krebs on Security

A 36-year-old Russian man who was recently identified by KrebsOnSecurity as the likely owner of the massive The RSOCKS botnet has been arrested in Bulgaria at the request of the US authorities. At a court hearing in Bulgaria this month, the accused hacker requested and was granted extradition to the United States, reportedly telling the judge, “America is looking for me because I have enormous information and they need it.”

A copy of the passport of Denis Kloster, which was posted on his Vkontakte page in 2019.

On June 22, KrebsOnSecurity published Meet the Administrators of the RSOCKS Proxy Botnet, which identified Denis Monasteryaka Denis Emelyantsevas the apparent owner of RSOCKS, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer.

Kloster, a native of Omsk, Russia, came into focus after KrebsOnSecurity followed a trail from the RSOCKS botnet master’s identity on cybercrime forums to Kloster’s personal blog, which featured reflections on the challenges of running a business that sells “security and anonymity services to customers around the world.” Kloster’s blog even contained a group photo of RSOCKS employees.

“Thanks to you, we are now developing in the field of information security and anonymity!”, it read enthusiastically on Klosters’ blog. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re family.”

Bulgarian news outlet reports that Kloster was arrested in June at a co-working space in the southwestern ski resort town of Bansko and that the accused asked to be handed over to US authorities.

“I have hired a lawyer there and I want you to send me as soon as possible to remove these baseless charges,” Kloster reportedly told the Bulgarian court this week. “I am not a criminal and I will prove it in an American court.”

RSOCKS was launched in 2013 and was closed in June 2022 as part of an international investigation into the cybercrime service. The Justice Department’s June 2022 statement on this removal cited a search warrant from US Attorney’s Office for the Southern District of Californiawho was also named by Bulgarian news media this month as the source of Klosters’ arrest warrant.

When asked about the existence of an arrest warrant or criminal charges against Kloster, a spokesman for the Southern District said “no comment.”

The employees who kept things running for RSOCKS, circa 2016. Note that no one appears to be wearing shoes.

24Chasa said that the defendant’s surname is Emelyantsev and that he only recently adopted the surname Kloster, which is his mother’s maiden name.

As KrebsOnSecurity reported in June, Kloster also appears to be a major player in the Russian email spam industry. In several private exchanges on cybercrime forums, the RSOCKS administrator claimed ownership of RUSdot spam forum. RUSdot is the successor forum to Spamdota far more secretive and restricted forum where most of the world’s best spammers, virus writers and cybercriminals collaborated for years before the community implosion in 2010.

Email spam – and especially malicious email sent via compromised computers – remains one of the biggest sources of malware infections leading to data breaches and ransomware attacks. So it stands to reason that, as the administrator of Russia’s best-known forum for spammers, the defendant in this case likely knows quite a bit about other top players in the botnet spam and malware community.

A Google translated version of the Rusdot spam forum.

Despite maintaining his innocence, Kloster reportedly told the Bulgarian judge that he could be useful to American investigators.

“America is looking for me because I have enormous information and they need it,” Kloster said in court, according to 24Chasa. “That’s why they want me.”

The Bulgarian court agreed and granted him extradition. Kloster’s fiancee also attended the extradition hearing and reportedly cried in the hall outside the entire time.

Kloster, who turned 36 while awaiting his extradition hearing, could soon face charges that carry sentences of up to 20 years in prison.


Leave a Reply

Your email address will not be published.