Brain of a botnet that extorted millions from US companies with BitPaymer sentenced


The sentence handed down to one of the operators behind a gigantic phishing network makes it clear that international investigations can reach the brains of cyber operations, even when they are located outside the United States. Ilya Angelov, a 40-year-old Russian citizen known online by the aliases "Milan" and "okart," was sentenced to two years in prison after admitting that the botnet he helped direct was used to facilitate BitPaymer ransomware attacks on dozens of American companies.

The court documents show that Angelov did not act alone: he was part of a team the FBI called "Mario Kart" and that security analysts have tracked under names such as TA551, Shathak, GOLD CABIN, Monster Libra, ATK236 and G0127. In that structure, leaders recruited and coordinated malware developers, spam campaign operators and specialists who adapted malicious samples to evade defenses. The result was an infrastructure capable of sending hundreds of thousands of malicious emails and turning compromised computers into parts of a botnet that could be sold or rented.


According to the prosecution, the spam campaign could reach peaks of up to 700,000 e-mails a day, and at its most active times the network could infect 3,000 machines per day. The infected machines were rented or sold to other criminal actors: they were the entry point of the Ransomware-as-a-Service (RaaS) ecosystem. The Department of Justice details that more than 70 United States companies were infected by members who used access sold by this group, and that the related extortion exceeded $14 million. Readers can consult the official DOJ release for more context on the Department of Justice website and review the public court documents on DocumentCloud.

The criminal activity attributed to this group spanned 2017 to 2021. Between August 2018 and December 2019, several intrusions tied to the network enabled infections with BitPaymer, a ransomware family that has ravaged companies through encryption and ransom demands. In addition, other actors, such as the group linked to the IcedID banking trojan, paid Angelov's team about $1 million for access to its bots between the end of 2019 and August 2021, which illustrates how these illicit economies feed each other.

The case also shows the complexity of alliances between criminals: phishing campaign operators such as TA551 have historically collaborated with gangs that distributed Conti or other ransomware through infrastructure such as TrickBot or QakBot / Qbot, and have contributed to the delivery of families such as ProLock, Egregor or DoppelPaymer, according to alerts and analyses from incident response teams and security companies. To better understand the ransomware threat and how these actors fit together, it is useful to review security analyses and public warnings; for example, the FBI page on the ransomware phenomenon offers resources and general context on the threat: FBI - cyber investigations.

Angelov's appearance and plea agreement had geopolitical nuances: the accused decided to travel to the United States to surrender and plead guilty after the Russian invasion of Ukraine in 2022 and after the arrest in Switzerland of a collaborator linked to the IcedID gang. Such movements highlight how changes in the international context and police actions in third countries can alter the risk calculation for alleged digital criminals.

In parallel, another recent case that recalls the role of the so-called initial access broker is the conviction of Aleksey Olegovich Volkov, who received almost seven years in prison for selling access to networks that were later exploited by the Yanluowang ransomware. These prosecutions emphasize that not only those who execute the encryption directly are pursued; so are those who generate and traffic the initial access that makes the attacks possible.


What does all this mean for companies and users? First, that the criminal chain that facilitates ransomware is sophisticated and modular: there are teams specialized in phishing, others in malware development and others in payment negotiation and laundering. Secondly, judicial intervention and international cooperation can hit that chain, but they do not completely eliminate it. It is therefore critical that organizations strengthen basic and effective preventive measures: mail controls, network segmentation, verified backups, monitoring for abnormal activity and response plans. Agencies such as CISA maintain practical guides for mitigating and recovering from ransomware attacks.

This case is a reminder that, in the battle against cybercrime, technology and legal cooperation must go hand in hand. Operators adapt and seek new ways of monetization, but the combination of technical intelligence, cross-border investigations and the accumulation of judicial cases shows that there is a way to hold those who organize and enable digital extortion accountable. For those who manage security in companies, the lesson is clear: prevention and preparation are not optional, and vigilance over how a single email can become the gateway to an incident that costs millions must be part of corporate strategy.

For more information on the case and the official documents, please refer to the Department of Justice's statement and the DocumentCloud file indicated above, as well as specialized reports that have covered the news and the criminal network, for example, in BleepingComputer.
