
Apple's iCloud key in takedown of notorious Russian botnet operator


Data from Apple's iCloud service was used to identify, and potentially locate and arrest, the operator of the Kelihos botnet, a system notorious for its association with spam networks and criminal conspirators, according to U.S. court documents unsealed on Monday.

According to an affidavit and related court documents filed with the U.S. District Court for the District of Alaska, federal agents requested access to the iCloud account of Russian user Peter Levashov on suspicion of his connection with Kelihos, reports The Verge. Kelihos is, in part, malware that infects victims' computers and uses them to host spam, more malware and other malicious content.

In an affidavit in support of a search warrant, FBI Special Agent Elliott Peterson said investigators suspected Levashov of operating Kelihos under the aliases "Peter Severa" and "Severa." After what appears to be a significant search effort, agents were able to connect Levashov and Severa through ICQ numbers, Jabber messages, email addresses, forum posts and online payments.

Data gleaned from two servers linked to the Kelihos botnet, which were seized in Luxembourg, pointed to Levashov's mail.ru account, as well as other email hosting sites including Apple's iCloud. Citing frequent connections to a common IP address, Peterson believes Levashov used the servers as a proxy for his various business dealings, including renting access to the botnet.

Apple complied with the warrant on the day it was requested. Investigators sat on the mountain of evidence collected for about a year, until Levashov traveled from Russia to Spain on vacation last April. Once he was in a country from which he could be extradited, local authorities arrested the so-called bot king. Levashov was arraigned in Connecticut federal court on Friday.

How, exactly, investigators tracked Levashov's movements over that one-year period is not mentioned, but the report notes that Peterson's warrant request included information relating to "login IP addresses associated with session times and dates." Such data could conceivably have been used to detect when the suspect entered Spain.

Apple is notoriously protective of its customers' data, and the company's privacy practices have only become more stringent in light of recent friction with governmental agencies. The company has published annual reports detailing government requests for information, and in 2014 released a set of guidelines for said data requests.

Still, Apple does comply with valid search warrants and national security orders, as evidenced by the Levashov case.