The FBI has arrested the man whom it alleges is behind the notorious Mega-D botnet, which at one point accounted for nearly a third of all of the spam on the Internet. The arrest came to light this week after the man was caught entering the U.S. last month on his way to a car show.
The man whom authorities believe is responsible for controlling the Mega-D botnet is Oleg Nikolaenko, a Russian whom the FBI alleges worked with affiliates in several countries around the world to push a variety of products through spam, including fake watches and herbal supplements. According to an affidavit filed by the FBI in U.S. District Court in Wisconsin and obtained by Krebs on Security, agents got onto Nikolaenko’s trail after one of his alleged associates filled them in on a spam and affiliate marketing scam that he was involved in.
The FBI, in a joint investigation with the FTC and others, had worked to shut down a large spamming operation known as Affking. During the investigation, an Australian man named Lance Atkinson agreed to plead guilty and eventually began telling authorities about his dealings with others in the underground, including a Russian he had worked with and knew as “Docent.”
“In the interview, Atkinson explained his involvement in the Affking and related enterprises, including Affking predecessor companies Genbucks and Sancash. Specifically, he recalled that two of his largest Russian spamming affiliates used the online monikers ‘Docent’ and ‘Dem,’” FBI agent Brent Banner wrote in his complaint against Nikolaenko.
Agents eventually were able to get access to email accounts involved in the payment chain of the affiliate marketing program via a federal subpoena, and found that one of them belonged to Nikolaenko. A search warrant that gave them access to the emails themselves showed conversation between Nikolaenko and another Gmail user the FBI alleges to be Atkinson, in which the two discussed spam operations.
The FBI also found emails which, after an analysis by researchers at SecureWorks, turned out to contain the executable file for the Mega-D malware. Mega-D is the same botnet that security researchers at FireEye took action against in November 2009, sinkholing some of the botnet’s command and control servers and severely crippling its capabilities. In the complaint, Banner says that Nikolaenko was in the United States at the time of the Mega-D takedown and that he left the country two days early, likely to go home and repair the damage caused by the operation.
Nikolaenko is being held in Wisconsin and is expected to make his first appearance in court today, according to a report in the Milwaukee-Wisconsin Journal-Sentinel.