Administrator of RSOCKS Proxy Botnet Pleads Guilty – Krebs on Security

Denis Emelyantsev, a 36-year-old Russian man accused of running a massive botnet called RSOCKS that sowed malware into millions of devices worldwide, pleaded guilty to two counts of computer crime violations in a California courtroom this week. The guilty plea comes just months after Emelyantsev was extradited from Bulgaria, where he told investigators: “America is looking for me because I have enormous information and they need it.”

A copy of the passport of Denis Emelyantsev, alias Denis Kloster, posted on his Vkontakte page in 2019.

First announced in the cybercrime underground in 2014, RSOCKS was the web-based storefront for hacked computers sold as “proxies” to cybercriminals looking for ways to route their web traffic through someone else’s device.

Customers could pay to rent access to a pool of proxies for a specified period, with costs starting at $30 per day for access to 2,000 proxies and rising to $200 daily for up to 90,000 proxies.

Many of the infected systems were Internet of Things (IoT) devices, including industrial control systems, clocks, routers, audio/video streaming devices and smart garage door openers. Later in its existence, the RSOCKS botnet expanded to compromise Android devices and conventional computers.

In June 2022, authorities in the United States, Germany, the Netherlands, and the United Kingdom announced a joint operation to dismantle the RSOCKS botnet. But that action named no defendants.

Following that takedown, KrebsOnSecurity traced the RSOCKS botmaster’s identity on cybercrime forums to Emelyantsev’s personal blog, where he went by the name Denis Kloster. The blog featured reflections on the challenges of running a business that sells “security and anonymity services to clients around the world,” and even included a group photo of RSOCKS staff.

“Thanks to you, we are now developing in the field of information security and anonymity!”, Kloster’s blog read enthusiastically. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re family.”

However, by the time the investigation was published, Emelyantsev had already been captured by Bulgarian authorities in response to a US arrest warrant. At his extradition hearing, Emelyantsev claimed he would prove his innocence in a US courtroom.

“I have hired a lawyer there and I want you to send me as soon as possible to remove these baseless charges,” Emelyantsev told the Bulgarian court. “I am not a criminal and I will prove it in an American court.”

RSOCKS, circa 2016. At that time, RSOCKS advertised more than 80,000 proxies. Image: archive.org.

Emelyantsev was far more than just an administrator of a large botnet. Behind the facade of his Internet advertising company based in Omsk, Russia, the RSOCKS botmaster was a major player in the Russian email spam industry for more than a decade.

Some of the top Russian cybercrime forums have been hacked over the years, and leaked private messages from these forums show that the RSOCKS administrator claimed ownership of the RUSdot spam forum. RUSdot is the successor to Spamdot, a far more secretive and restricted community where most of the world’s best spammers, virus writers and cybercriminals collaborated for years before the forum imploded in 2010.

A Google translated version of the Rusdot spam forum.

In fact, the very first mentions of RSOCKS on Russian-language cybercrime forums refer to the service by its full name as “RUSdot Socks Server.”

Email spam – and especially malicious email sent via compromised computers – remains one of the biggest sources of malware infections leading to data breaches and ransomware attacks. So it stands to reason that as the administrator of Russia’s best-known forum for spammers, Emelyantsev probably knows a thing or two about other top players in the botnet spam and malware community.

It remains unclear whether Emelyantsev followed through on his promise to release this knowledge to US investigators as part of his plea agreement. The case is being prosecuted by the US Attorney’s Office for the Southern District of California, which did not respond to a request for comment.

Emelyantsev pleaded guilty Monday to two counts, including damaging protected computers and conspiracy to damage protected computers. He faces a maximum of 20 years in prison and is currently scheduled to be sentenced on April 27, 2023.
