On July 10th, Alexander Tverdokhlebov was sentenced to 110 months (just over nine years) in prison based on his guilty plea to one count of wire fraud.
Tverdokhlebov came to the United States from Russia in 2007. Within a year, he started posting in several Russian-language cybercrime forums. To gain access to the forums, a current member must vouch for the outsider, but once allowed in, the forum provides members with assistance in all stages of cybercrime. Members can find partners, purchase services to facilitate the crime (including computer intrusion and money laundering services), and solicit purchasers of the profits of the crime (including stolen credit card and personal identifying information [PII]).
Tverdokhlebov used the forums to sell his computer intrusion services and the profits of his crimes and to seek assistance in liquidating stolen money.
According to the statement of facts accompanying the plea agreement, Tverdokhlebov posted on three different occasions that he had control of a botnet and was willing to rent it to members to facilitate other crimes. A botnet is a network of computers that have each been infected with malware which allows a remote party to control the computer without the user’s permission. An individual infected computer is called a “bot,” thus a network of them is a “botnet.” A botnet can be used to facilitate further cybercrime (for example, as the Avalanche network was used) or each bot can be covertly accessed to steal the personal information stored on that machine.
Tverdokhlebov’s botnet started at 10,000 bots and grew to 500,000 over three and a half years. He also used the forums to sell the proceeds of his crime—mainly stolen credit card numbers. In one post, he solicited buyers for 40,000 credit card numbers. In several others, he offered to sell credit card numbers in increments of 1,000 to other members.
Tverdokhlebov also sought additional partners to help liquidate the proceeds of his crime. In one post, he offered to work with other cybercriminals to “cash out” stolen financial information. The press release on his sentencing notes that used Russian students staying in the United States on J-1 visas to assist in this effort. According to the press release, the students would “open bank accounts in their names, receive money from victim accounts, and then transfer the money to Tverdokhlebov or his co-conspirators.” Tverdokhlebov stipulated that the victims' estimated loss due to his cybercrime was between $9.5 and $25 million.
Wire Fraud in Virginia?
But how was a California resident indicted on wire fraud in the Eastern District of Virginia?
Tverdokhlebov partnered with a Russian national, referenced as V.P. in the indictment, to commit some of the above cybercrimes. Interestingly, the statement of facts notes that V.P. was living outside the United States until 2015, when he was extradited to the United States.
To communicate with V.P., Tverdokhlebov used ICQ, an instant messaging software. From 2008 to 2010, the ICQ servers that both received and transmitted all user communication were located in Dulles, Va.
The indictment points specifically to four sets of messages that Tverdokhlebov sent V.P. through ICQ in 2008. The messages are described in the indictment as follows:
Tverdokhlebov pled guilty to the first of these four counts.
The sentencing order includes penalties beyond 110 months in prison: Tverdokhlebov also received three years of supervised release and consented to a significant forfeiture order. The order includes:
- $272,000 in cash seized from safe deposit boxes in Los Angeles.
- $4.6 million in bitcoin
- A 2013 BMW 528i
- All of the computers and electronic devices found in Tverdokhlebov’s residence or safe deposit boxes. The devices require four pages to list.
Tverdokhlebov’s sentencing has several special conditions, including substance abuse treatment. In a sentencing request, Tverdokhlebov admitted to using marijuana daily and both cocaine and alcohol three to four times a week.
The court also mandated computer monitoring and prior probation approval of either new credit card charges or new lines of credit.
Viewed as a takedown of a botnet operator, the indictment and sentence comport with the Department of Justice’s emphasis on dismantling computer networks used for cybercrimes as previously seen in the takedown of the Avalanche and Kelihos networks.