A 36-year-old Russian man recently identified by KrebsOnSecurity as the likely owner of the massive RSOCKS botnet was arrested in Bulgaria at the request of US authorities. During a court hearing in Bulgaria this month, the accused hacker requested and was granted extradition to the United States, telling the judge: “America is looking for me because I have so much information and they need it.”
On June 22, KrebsOnSecurity published Meet the Administrators of the RSOCKS Proxy Botnet, which identified Denis Kloster, a.k.a. Denis Emelyantsev, as the apparent owner of RSOCKS, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer.
Hailing from Omsk, Russia, Kloster came to attention after KrebsOnSecurity followed clues about the identity of the RSOCKS botnet master from cybercrime forums to Kloster’s personal blog, which featured thoughts on the challenges of running a business that sells “security and anonymity services to customers around the world.” Kloster’s blog even included a group photo of RSOCKS employees.
“Thanks to you, we are now developing in the field of information security and anonymity!” enthuses Kloster’s blog. “We make products that are used by thousands of people around the world, and that’s really cool! And that’s just the beginning!!! We don’t just work together and we’re not just friends, we’re family.”
“I have hired a lawyer there and I want you to send me as soon as possible to clarify these baseless accusations,” Kloster reportedly told the Bulgarian court this week. “I am not a criminal and I will prove it in US court.”
Launched in 2013, RSOCKS was shut down in June 2022 as part of an international investigation into the cybercrime service. According to the Department of Justice, the RSOCKS botnet initially targeted Internet of Things (IoT) devices, including industrial control systems, clocks, routers, audio/video streaming devices and smart garage door openers; later in its existence, the RSOCKS botnet expanded to compromise other types of devices, including Android devices and conventional computers, the DOJ said.
The Department of Justice’s June 2022 statement about the takedown cited a search warrant from the U.S. Attorney’s Office for the Southern District of California, which was also named by the Bulgarian media this month as the source of Kloster’s arrest warrant.
Asked if there was an arrest warrant or criminal charges against Kloster, a Southern District spokesperson said “no comment.”
The Bulgarian news outlet 24Chasa reported that the defendant’s surname is Emelyantsev and that he only recently adopted the surname Kloster, which is his mother’s maiden name.
As KrebsOnSecurity reported in June, Kloster also appears to be a major player in the Russian email spam industry. In several private exchanges on cybercrime forums, the administrator of RSOCKS claimed ownership of the RUSdot spam forum. RUSdot is the successor to Spamdot, a much more secretive and restricted forum where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the community imploded in 2010.
Email spam – and in particular malicious email sent via compromised computers – remains one of the main sources of malware infections that lead to data breaches and ransomware attacks. So it stands to reason that as the administrator of Russia’s most notorious spammer forum, the defendant in this case probably knows a lot about the other major players in the spam and botnet malware community.
Although he maintained his innocence, Kloster reportedly told the Bulgarian judge that he could be useful to American investigators.
“America is looking for me because I have so much information and they need it,” Kloster told the court, according to 24Chasa. “That’s why they want me.”
The Bulgarian court agreed and granted his extradition. Kloster’s fiancée also attended the extradition hearing and reportedly wept in the hallway outside the courtroom the entire time.
Kloster turned 36 while awaiting his extradition hearing and could soon face charges that carry up to 20 years in prison.