Transcript
Criminals, and in particular cyber criminals, aren’t “good” people: they cheat, they steal, they con… but in most cases, they do have their personal boundaries. Someone might be willing to steal millions of dollars from a bank, but not rob an elderly lady. Ross Ulbricht, whose story we covered in the previous two episodes of our podcast, was OK with paying a hitman to kill someone – but never murdered anyone himself.
But every once in a while, you encounter a criminal who’s different. Someone who seems not to have any bounding limits at all. A ruthless man, for whom the goal truly justifies the means. Leo Kuvayev is that kind of a person, and it’s very probable that it is this ‘no-limits’ mentality that made him so successful as a cyber-criminal. But sometimes, when you have no internal boundaries to balance your raw desire for self-gain – even a genius criminal can go just one step too far.
Life in the Soviet Union behind the Iron Curtain was harsh, especially under the rule of Leonid Brezhnev who revoked all the economic reforms of his predecessor in office and brought the Soviet economy to a standstill. Under Brezhnev, the Communist Party dominated every aspect of the Soviet Union’s citizens’ lives. But while party leaders enjoyed the benefits of power, most citizens – especially those who lived outside of big cities – lived in pretty miserable conditions.
Leonid “Leo” Alexandrovich Kuvayev was born in 1972 in Moscow, into this grim economic reality. As a child he excelled at chess, which became his main hobby: his school teachers praised his extraordinary logical thinking and predicted a bright future for him – but his family’s poor financial situation and the pressing need to help his parents and take care of his four sisters, prevented him from developing his skills in any way.
When the Soviet Union collapsed in 1991 and Russia opened its doors to the world, Leo Kuvayev, who was then in his early 20s, discovered a whole new world full of tantalizing opportunities. He was accepted to the prestigious MIT University, specialized in computer engineering and was especially interested in artificial intelligence. There, too, he showed great potential. A magazine article in a Moscow daily newspaper, published in 2012, described him as –
“…an excellent mathematician, […] fond of chess, and, according to all forecasts, he had a bright future ahead of him as a successful businessman.”
The Rise of the Czar
But for Leo Kuvayev, that wasn’t nearly enough.
As a man who grew up in the austerity of the communist Soviet Union, Kuvayev’s encounter with American capitalism was dizzying and intoxicating. It seems that the absolute freedom to do as he pleased dazzled Kuvayev – and alongside the projects and classes at MIT, his criminal pursuits began to take shape.
We don’t know when exactly Kuvayev’s first get-rich-quick plan was born, but according to estimates, he started distributing pirated movies sometime in the mid-late 90’s. At first, it was pirated copies of Disney films and other similar movies, which he copied and sold on the Internet, but he quickly noticed the great demand for porn films. His activities began to revolve around adult-only movies, with special emphasis on bestiality porn.
Selling pirated porn probably netted Kuvayev a pretty sweet income – but again, he wasn’t satisfied. He used his considerable technical skills to take his questionable business one step further. He attached a small piece of malicious software to the emails he sent to his customers: once this attachment was opened, it secretly took over the victim’s computer and used it to distribute spam. In this way, Kuvayev further expanded the marketing efforts of the pirated films he sold.
As Kuvayev’s army of zombie computers grew, he recognized a new opportunity to expand his business and create another income stream for himself. Together with a friend, Kuvayev founded a company called 2K Services in Montreal, Canada, and created dozens of online pharmacies where he sold penis enlargement pumps, Viagra, and similar drugs. The spam empire he created helped him reach thousands of new customers, and before long the business began to turn over millions of dollars. All this time, Kuvayev managed to hide his activities from his university colleagues and even graduated with honors.
Pharmacy Express
The sale of counterfeit and over-the-counter drugs through websites posing as legitimate pharmacies was a common online crime in the early 2000s, perhaps because many customers preferred the anonymity of the internet over purchasing Viagra at a real-world pharmacy. As time went by and the profits from drug sales grew, Kuvayev reduced his involvement in selling pirated porn movies and focused on selling the drugs that brought him greater profits.
As I mentioned earlier, the key to Leo Kuvayev’s success was his massive use of email spam: spreading millions of emails that contained links to Kuvayev’s websites. To evade law enforcement authorities, these emails contained many different links, each of which consisted of random letters and numbers, combined with familiar brand names such as “Viagra” and “Pfizer”, to maintain an authentic appearance. These pseudo-gibberish domains were registered in many different countries – from China to Mexico. Clicking on such a link took the visitor to an intermediate server, whose role was to redirect the request to Kuvayev’s actual website. In this way, the fake pharmacy’s real address remained hidden from any security software trying to block it.
To disguise his sites even more, Kuvayev used another technique known as Reverse Proxy. In this technique, the online store’s web server is hosted not on a single server, but on several different ones – and another intermediate server, the aforementioned reverse proxy, relays the web requests to any one of the servers. In this way, the reverse proxy server forms a sort of buffer between the web servers and the visitor, thus hiding the servers’ identity and true location.
Kuvayev’s sophisticated camouflage methods – for their time, anyway – made it very difficult for security researchers to determine the extent of his network – but there were other, less direct, clues. For example, all of Kuvayev’s pharmacies included a statement that said that the store operates under the supervision of a regulatory body called “The New Zealand Board of Pharmacy”. This is a fictitious body – but deliberately similar to the name of a real authority called “The Pharmacy Council of New Zealand”. The fact that the texts that appeared on the websites were written in American English, and not New Zealand English, is yet another clue pointing in Leo Kuvayev’s direction.
Storm
In 2007, an email appeared in the mailboxes of many Internet users with the title:
“230 Dead as Storm Batters Europe.”
The emails contained a link to an article, but instead of taking the victim to a news piece about the deadly storm – it downloaded and installed malware that managed to evade Windows’ security mechanisms, and added the infected machine to a growing network of bots. The email’s title gave this botnet its name: Storm.
The popularity of Windows among computer users meant that the Storm botnet managed to grow incredibly large – roughly fifty million computers – in a relatively short period of time. These computers were used, as before, to distribute email spam: According to estimates, about six thousand computers were regularly and daily engaged in sending spam, and in September 2007, for example, the average number of spam messages sent by Kuvayev’s botnet was about 1.2 billion emails per day. According to Spamhaus, an international organization that monitors the activities of spammers, Kuvayev is the 2nd most prolific spammer of all time, and his botnet accounts for no less than twenty percent of all spam that has ever been distributed in the digital world. This almost unbelievable figure earned Kuvayev his informal title – The Czar of spammers.
In the spirit of the original Storm email, many of these spam emails contained sensational and attractive headlines that today we would call ‘fake news’, such as “Secretary of State Condoleezza Rice kicked Chancellor Angela Merkel” and “Chinese missile strikes an American aircraft carrier”. Other headlines exploited more current news and events, such as the opening of the NFL league or an approaching Christmas. Another technique to get users to click on the links was to promise them free music by popular artists such as Beyoncé, Rihanna, and Kelly Clarkson.
At its peak, around 2008, Storm was considered the largest botnet in the world, and according to estimates was responsible for roughly eight percent of all malware installed on Windows computers. Matt Sergeant, an anti-spam expert, estimated that –
“In terms of power, the Storm botnet utterly blows the supercomputers away. If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It’s very frightening that criminals have access to that much computing power, but there’s not much we can do about it.”
Peter Gutmann, professor of computer science at the University of Auckland in New Zealand, wrote that –
“This may be the first time that a top 10 supercomputer has been controlled not by a government or mega-corporation, but by criminals.”
The many experts who have examined the Storm botnet estimate that at no point did the system utilize its full power. The reason for this, apparently, is that in addition to his other known activities – marketing of drugs, selling pornographic films and the like – Kuvayev used to rent parts of the botnet to other criminals. For example, Storm is believed to have played a key role in the famous DDoS attack that paralyzed Estonia in 2007. In total, according to some estimates, these activities earned Kuvayev about thirty million dollars each month.
Fast Flux
One of the features that set the Storm botnet apart from other botnets at the time was its sophisticated – and even groundbreaking – defense and attack capabilities. One such sophisticated defensive capability was a technique called Fast Flux, which today is used by many cybercriminals, but Kuvayev was the first to use it on a truly large scale. What is Fast Flux?
Well, for the sake of explanation, let’s say that a robber breaks into a bank and flees the scene in their getaway car. However, before the robber managed to drive away, an eyewitness wrote down the vehicle’s license plate number – and now the police are on the lookout for a vehicle with that number.
If the search goes on for long enough, it’s likely that the vehicle will eventually be spotted and the criminal apprehended. But what if the robber had previously installed in their car a ‘James Bond style’ license plate “flipper”: a gizmo that changes the car’s license plate every two minutes or so?… that would make spotting the fleeing car much more difficult for the police, no doubt.
The car license plate in our analogy is the IP address of an online pharmacy. Many security companies build themselves databases of black-listed IP addresses and block them to protect their customers.
But as users, we don’t usually type an IP address into our browser’s address bar: we use a more human-readable domain name, such as malicious.life. The web request for malicious.life gets sent to DNS servers, which translate the domain name back into an IP address – such as, for example, 161.156.161.99.
With Fast Flux, a botnet is able to update the DNS server’s entry for a domain name very frequently – even every few minutes – so that the IP addresses identifying a malicious website are constantly changing: hence the name ‘Fast Flux.’
Fast Flux makes tracing the actual physical location of a web server much more difficult. In addition, the fact that most of the communication between the bots in the network is peer-to-peer – that is, individual computers that talk amongst themselves, as opposed to all machines talking to a few central servers – made it very difficult for the researchers to crack open the bot network.
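An added example, not part of the original episode: one way a defender could spot the DNS behaviour described above in passive-DNS or resolver logs. The thresholds, the sample observations and the .example names are constructed assumptions, and /24 prefixes stand in for the network or ASN spread a real deployment would measure.

```python
from collections import defaultdict
from ipaddress import ip_network
from statistics import median

# Hypothetical thresholds; tune them against your own resolver logs.
MIN_DISTINCT_IPS = 5    # IPs seen for one name during the window
MIN_NETWORKS = 3        # distinct /24s those IPs fall into
MAX_MEDIAN_TTL = 300    # seconds; fast-flux records expire quickly
MIN_CHURN = 0.5         # share of consecutive answers whose IP set changed

# Constructed passive-DNS observations: (seconds, name, TTL, A records).
SAMPLE = [
    (0,   "flux.example",   180,  ("10.1.1.5", "10.9.4.20")),
    (180, "flux.example",   120,  ("10.22.7.9", "10.40.3.77")),
    (360, "flux.example",   150,  ("10.61.8.14", "10.75.2.31")),
    (540, "flux.example",   120,  ("10.88.6.2", "10.99.1.250")),
    (0,   "static.example", 3600, ("10.5.5.5",)),
    (900, "static.example", 3600, ("10.5.5.5",)),
    # Round-robin: the same three hosts in rotated order, one network.
    (0,   "rr.example",     60,   ("10.7.7.1", "10.7.7.2", "10.7.7.3")),
    (60,  "rr.example",     60,   ("10.7.7.2", "10.7.7.3", "10.7.7.1")),
    (120, "rr.example",     60,   ("10.7.7.3", "10.7.7.1", "10.7.7.2")),
]

def flux_metrics(observations):
    """Summarise, per domain name, how its A records behave over time."""
    by_name = defaultdict(list)
    for ts, name, ttl, ips in observations:
        # A set ignores answer order, so round-robin rotation is not churn.
        by_name[name].append((ts, ttl, frozenset(ips)))
    metrics = {}
    for name, rows in by_name.items():
        rows.sort(key=lambda r: r[0])
        ip_sets = [r[2] for r in rows]
        all_ips = frozenset().union(*ip_sets)
        networks = {ip_network(f"{ip}/24", strict=False) for ip in all_ips}
        pairs = list(zip(ip_sets, ip_sets[1:]))
        churn = sum(a != b for a, b in pairs) / len(pairs) if pairs else 0.0
        metrics[name] = {
            "distinct_ips": len(all_ips),
            "networks": len(networks),
            "median_ttl": median(r[1] for r in rows),
            "churn": churn,
        }
    return metrics

def is_fast_flux(m):
    """All four signals must agree; a short TTL alone is not enough."""
    return (m["distinct_ips"] >= MIN_DISTINCT_IPS
            and m["networks"] >= MIN_NETWORKS
            and m["median_ttl"] <= MAX_MEDIAN_TTL
            and m["churn"] >= MIN_CHURN)

def flagged(observations):
    """Names whose resolution history matches the fast-flux pattern."""
    return sorted(name for name, m in flux_metrics(observations).items()
                  if is_fast_flux(m))

if __name__ == "__main__":
    for name, m in flux_metrics(SAMPLE).items():
        print(name, m, "FAST-FLUX" if is_fast_flux(m) else "ok")
```

Legitimate load balancers and CDNs also use short TTLs and several addresses, which is why the check requires a changing address set spread over many networks rather than a low TTL alone.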
Kuvayev goes on the attack
But Kuvayev, as per his usual self, wasn’t content with “just” passively protecting his botnet. He took it one step further.
Storm was also equipped with an automatic attack capability against any entity that tried to investigate or analyze it. Networks from which such probing attempts were made were immediately crippled by massive DDoS attacks: websites such as Spamhaus, Spameater.com, and 419eater.com, which monitor the activities of spammers, were attacked and brought down for various periods of time. This ability of Storm led to security professionals being wary of investigating the botnet. Josh Corman, a host-protection architect at IBM, said that –
“As you try to investigate [Storm], it knows, and it punishes. It fights back…. As researchers test their versions of Storm by connecting to Storm command-and-control servers, the servers seem to recognize these attempts as threatening. Then either the worm itself or the people behind it seem to knock them off the Internet by flooding them with traffic from Storm’s botnet and they’re afraid.”
It might be that this unusual behavior of actually attacking researchers who try to poke at his infrastructure wasn’t the first time that Kuvayev crossed lines that most cyber-criminals aren’t willing to cross.
Blue Security was a small startup company founded in 2004 by two Israeli entrepreneurs – Eran Reshef and Amir Hirsh – whose goal was to stop email spam. Their idea was to fight fire with fire: for each spam email received by a client, their software sent one email back to the spammer, asking for the relevant email address to be removed from their database. It seemed that this unconventional approach to spam prevention actually worked: not only because many of Blue Security’s customers reported a sharp decline in the number of spam emails they received – but also because Blue Security quickly became a victim of crippling DDoS attacks, launched against its website by a mysterious nemesis known as ‘pharmamaster’.
We don’t know for sure, but it’s likely that pharmamaster was none other than Leo Kuvayev, and if it was him – then what happened next is very much in line with his ‘no boundaries’ mentality. According to persistent rumors, pharmamaster sent thugs to threaten, in the real world, the two founders and their families. Neither founder ever acknowledged these rumors – but Blue Security was shut down shortly after. It’s a story we covered in more depth in episode 3 of Malicious Life, called ‘Spam Empire.’
The indictment that stopped nothing
Still, there were security researchers who didn’t let fear stop them. The first breakthrough in the investigation against Kuvayev is credited to Patrick Runald, Head of Threat Intelligence and Detection at Broadcom Inc. Patrick noticed that the people behind the botnet have a strong affinity for American culture and language. Further research by Microsoft revealed that the mailing addresses of two of Kuvayev’s straw companies were in Boston.
These discoveries, which linked the criminal activity to an American address, allowed the Attorney General of the State of Massachusetts to convince the court to issue an order allowing law enforcement to take Kuvayev’s websites offline. In addition, Microsoft’s efforts to close the vulnerabilities his malware exploited in Windows resulted in a reduction of about twenty percent in the number of computers connected to the botnet. These efforts, along with strong competition from other bot networks that led to a price war in the underworld, meant that Storm’s dominance began to fade by 2009.
Leo Kuvayev himself managed to escape from the United States at the last minute, and return to Russia with his wife and two children. He stood trial in the United States in absentia and was found guilty of distributing spam and pornography, selling drugs, and a host of other federal offenses, for which he was fined $37.5 million. But since there is no extradition treaty between the US and Russia, and also thanks to his connections in the Russian government, Kuvayev continued to run his schemes and scams from Russia without interruption.
One such scam is known as a “Pump & Dump scam”. Kuvayev purchased many cheap shares of mostly unknown companies – and then distributed millions of spam messages with alleged ‘inside information’ that claimed the aforementioned shares were going to soar in the near future. Victims who fell for Kuvayev’s scam bought these shares, and the sudden increase in demand naturally caused these shares’ prices to skyrocket. Right then, Kuvayev would sell the shares in his possession at the new higher price, making a huge profit. The sale would lessen the demand for the shares, which would then crash back to their true market values – causing the gullible investors to lose all or most of their investment.
Kuvayev in Moscow
Leo Kuvayev left Moscow as a pauper – and returned to it as a very wealthy man. He began to invest in real estate projects throughout Russia, purchasing land in St. Petersburg and establishing a chain of successful cafes and grill restaurants. He led an extravagant lifestyle, while at the same time continuing his cybercrime activities – including, for example, renting parts of his botnet to other elements in the Russian underworld. These renters would use Kuvayev’s botnet to host fake pharmacies or other such shops, and in return pay a percentage of each sale to Kuvayev himself.
During this time, Kuvayev committed several minor offenses that got him into trouble with the Russian law enforcement authorities – but despite the pressure on the Russian government by the US to extradite him, Kuvayev had enough allies in Russia to make sure that any police investigation opened against him was terminated almost as quickly as it opened. Reports in the Russian media show that on several occasions Kuvayev was under surveillance by the secret police – but continued to operate undisturbed.
It seemed like Kuvayev’s personal philosophy of ‘no boundaries’ was definitely paying off. He was rich, he was a major player in the Russian underground and he was safe from his American prosecutors.
But it was then that Leo Kuvayev made a critical mistake.
As part of his flamboyant lifestyle, Kuvayev turned one of his office basements into a ‘sex dungeon’ that was fully equipped with sex toys, a shower, a sauna, a jacuzzi, whips, handcuffs, and a huge bed. He hired prostitutes to join him every night, making sure that they always weighed less than eighty pounds, or 35 kilograms.
But at some point, this just wasn’t enough for him – and so Kuvayev started looking for alternatives to satisfy his insatiable sexual appetite.
One day he met a 12-year-old girl who lived in a boarding school not far from one of his offices. Kuvayev learned that the girl was suffering from mental issues, but was too poor to afford the medication she needed. He seized the opportunity, convinced the girl to sleep with him, and when he was done, gave her some 1000 rubles. He even offered her another 500 rubles for every girl she would bring to him in the future. A short time later he found a new accomplice named Olga Chernokuzova, who helped him find no less than twelve other young girls. Many of his victims suffered from mental problems. The oldest was only 16 years old.
When his deeds were discovered, the Russian police started investigating the matter – but Kuvayev employed as many tricks as he could to delay that investigation. For example, he pretended not to remember anything, then tried to blame the young girls who supposedly “seduced” him, and finally even managed to convince the court that he was schizophrenic and mentally unfit to stand trial. Kuvayev was transferred to a psychiatric hospital, but according to reports his stay there was quite comfortable, and he even continued to invite prostitutes and even little girls to his room.
In the end, the police investigators were able to convince the court to order another medical evaluation for Kuvayev, and he was ultimately sentenced to twenty years in a correctional facility that is considered particularly harsh, even by Russian standards. To evade this severe punishment, Kuvayev promised to compensate his victims with 5000 rubles each, plus another five million rubles that he would “donate” to the court. We don’t know if these suggestions did the job, but we do know that in 2012 the Russian Supreme Court shortened Kuvayev’s prison term to only ten years, and he was transferred to a more relaxed correctional facility.
During his time in prison, Kuvayev studied previous pedophilia cases in Russia – and then returned to the court with a new and rather surprising demand: castrate me chemically, and shorten my sentence to only seven years. Sometime later Kuvayev withdrew this request, but at the same time filed a complaint to the court about the “humiliating treatment” he was subject to in prison. In total, Kuvayev submitted over 250 such complaints to the court and the Russian prison service, and everyone who was involved in his case was also personally sued by Kuvayev. According to reports, he mocked his jailers and fellow prisoners and even masturbated using pictures of his cellmates and their families. This behavior – together with the well-known fact that child molesters are usually treated as scum by other inmates – got him into fights that almost cost him his life. Due to his troublesome behavior, he was constantly moved between different prisons in the country.
As of this writing, Kuvayev is due to be released from prison at any moment – or may even have already been released: the Russian media rarely reports on his exploits, so it is difficult for us in the west to track his actions. Will he go back to his antics and flood our mailboxes with spam and nasty scams? Who knows, but it is doubtful that his stay in prison dulled his sharp business and technological acumen – nor his personal conviction that the goal always justifies the means, however twisted and unconventional. In that case, it’s almost certain that Leo Kuvayev remains one of the most dangerous cyber-criminals out there.