This article was originally published by Radio Free Europe/Radio Liberty and is reprinted with permission.
After being arrested by Spanish police in 2017, Pyotr Levashov said he so feared being extradited to the United States to face crimes related to his prolific spamming operations that he might take his own life.
“I will be tortured…. I will be killed or I will kill myself,” he told a Spanish judge.
He lost his extradition fight, and a few months after arriving in the United States in February 2018, Levashov pleaded guilty and began cooperating with the Federal Bureau of Investigation (FBI) in an attempt to receive a lighter sentence.
And he made good money doing so: about $6,000 in monthly living expenses from the U.S. government.
That revelation, which Levashov made in June while testifying on behalf of the U.S. government in a separate criminal case, offers insight into the sealed cooperation agreement he reached with the FBI and how valuable his information may have been.
Levashov not only got good money from the FBI. In July, he ended up getting an unusually light sentence for a Russian cybercriminal convicted in the United States: time served, or just 33 months.
That’s one of the lightest sentences among Russian-speaking hackers in recent years, according to a review of more than a dozen cases by RFE/RL, despite a nearly two-decade crime spree.
It’s a sentence that outraged some cybersecurity professionals.
It sends a message to cybercriminals that “spam clearly doesn’t matter to the United States,” Gary Warner, a computer expert who tracked Levashov’s operations for years, said in a July blog post.
Asked about his work for the FBI, Levashov denied that he cooperated with the bureau, contradicting the statements he made under oath in federal court in June. However, he said he had been paid to “consult and to protect” federal government networks in Connecticut, including schools, from an unspecified ransomware attack.
In a text message to RFE/RL, he said he “never cooperate” [sic] with the FBI or “against Russia or Russian hackers.”
“I consult U.S. companies how to defeat malware, nowadays mostly ransomware. But I never cooperate in a way you think, nobody got arrested because of me,” he said, in some of his first comments to the media since his release from federal custody.
Top 10 Spammer
One of the most prolific spammers ever caught, the 41-year-old Levashov had long been a target of the FBI.
From the late 1990s until 2017, from his home in St. Petersburg, he ran three of the largest networks of hacked computers, known as botnets.
At the time of his arrest, his Kelihos botnet consisted of more than 50,000 compromised computers, which he used to spew billions of unsolicited e-mails advertising such things as pharmaceutical drugs, jobs, and stock picks.
According to SpamHaus, an organization founded in Britain to fight computer spam, Levashov ranked among the top 10 spammers in the world. He also used the botnets to send malware.
Levashov ran the botnets in a “unique and clever way” that made it difficult to shut them down, Warner told RFE/RL.
U.S. court records show that Levashov charged clients from $300 to $500 to send 1 million spam e-mails. While testifying in a case against another Russian-speaking hacker, he said he earned tens of thousands of dollars a month.
Levashov told federal district court in Connecticut that there were few hard rules, but he said he “never sent spam to Russia; at least I avoided at all costs,” according to a court transcript.
At his peak, Levashov was sending 4 billion spam e-mails a day, said Warner, who is director of the computer forensics research lab at the University of Alabama in Birmingham.
‘I’m Fighting…Fighting Crime’
Levashov, who was also known as Peter Severa, was detained on a U.S. arrest warrant in April 2017 in Barcelona, where he was vacationing with his wife and son.
He was still operating the botnet at the time through a virtual computer on a portable disk he attached to his laptop. Both were seized by police.
In September 2017, he pleaded with a Madrid judge to deny the U.S. request for extradition, saying the case against him was politically motivated and that he feared for his life.
“If I go to the U.S., I will die in a year,” Levashov told the Spanish court.
As it has with other cases, Russia filed its own extradition request, saying Levashov had committed cybercrimes within Russia. The Spanish judge ultimately ruled for his extradition to the United States.
A few months after arriving in the United States in February 2018, Levashov pleaded guilty to computer crimes and began cooperating with the FBI.
That cooperation was an attempt to receive a lighter sentence, according to testimony Levashov gave in June 2021 in the prosecution of Oleg Koshkin, a Russian-speaking hacker living in Estonia who operated Crypt4U, a website that hid malware from antivirus programs.
“I’m fighting, helping [the U.S. government], fighting crime,” Levashov told the Connecticut court when prosecutors asked him to describe “in general terms” what assistance he had been providing under his cooperation agreement.
In return, Levashov said the “government get [sic] me out of jail, so I am on bond” and “pays for my living expenses.”
When asked about the compensation, he said, “Right now it’s around $6,000 per month,” according to court transcripts.
Levashov was released from custody on bond in January 2020, pending his final sentencing, which came 18 months later.
In a follow-up exchange with RFE/RL, Levashov contradicted his earlier court testimony, saying “the U.S. government never paid my living expenses.” He said his family had been paying his expenses. But he also confirmed he received some money for computer work he said he did for the government in Connecticut.
Asked how long the payments continued, Levashov said they stopped in the first half of 2020.
The FBI declined to comment.
Levashov also told the court in June that he had possibly more than 100 meetings with FBI agents as part of his cooperation — a number that one defense lawyer who has handled cybercases described as “extraordinary.”
The agents had access to Levashov’s laptop and memory card that contained his virtual computer, including his logged chats with other hackers, according to U.S. prosecutors.
Levashov told the court he helped the FBI review the evidence on those devices, including the chats, and confirmed the contents of his correspondence with Crypt4u, whose service he utilized for his own crimes.
“I think [the] government would speak on my behalf in front of my judge, and it should decrease my sentence,” Levashov said in his testimony, when asked how his cooperation would impact how much time he would get for his own crimes.
Not long after, Koshkin was convicted for his role in operating Crypt4u. Earlier this month, he was sentenced to four years in prison.
‘In For Everything’
Experts say that the Russian government tolerates cybercriminals like Levashov as long as they don’t target Russian companies and individuals.
That goes not just for spammers but also for more intrusive hackers who, in several well-documented cases, have been hired to work for Russian intelligence agencies.
Levashov also monitored subgroups on Russian-speaking cybercriminal forums, potentially making his cooperation more valuable to the FBI.
A moderator may know some “powerful things” like the Internet Protocol addresses or cryptocurrency addresses of participants, Warner said.
Greg Hunter, a Russian-speaking, Virginia-based defense lawyer who has represented about a dozen cyberhackers from the former Soviet Union, said that once a client agrees to cooperate, he is “in for everything.”
Levashov “would have been required to go through his computer and go through everything he knows,” Hunter said.
In his court testimony, Levashov said that prior to his release on bail, FBI agents would take him out of prison, give him food, and allow him to hold video calls with his family overseas.
Levashov’s sentencing was repeatedly delayed over the course of nearly two years as he cooperated with agents. It finally took place in July, one month after he testified against Koshkin.
Judge Robert Chatigny let Levashov go free, sentencing him to the time he had already spent in prison, saying he was unlikely to offend again.
Warner told RFE/RL it was a “travesty of justice,” saying Levashov wasted decades of law enforcement and research time and caused businesses hardships.
Another aspect of Levashov’s case is that he has not been deported, something that typically happens when a foreign national who is extradited to the United States is finally released from prison.
Mark Rasch, a former federal computer crimes prosecutor, told RFE/RL that Levashov might still be providing some help to U.S. authorities, which would explain why they have decided to allow him to stay in the country.
When contacted by RFE/RL, the FBI declined to comment.
Arkady Bukh, a New York-based lawyer who has represented dozens of Russian-speaking hackers, said most of his clients end up cooperating with the FBI or Justice Department because the chances of winning acquittal are so slim.
The federal conviction rate is over 97 percent and Bukh said it is probably even higher for cybercriminals because the government has generally been working on such cases for months, if not years, and have terabytes of evidence.
Bukh said hackers who agree to cooperate can potentially get out on bail, sentenced to time served, and receive some financial support, but that it requires months or even years of assistance to the government.
“When the relationship is good, the agent will most likely come back to the prosecutors and say, ‘Listen, we worked with him a few months. [We got] valid, good information. We secured tons of material. We need to help this guy’,” Bukh told RFE/RL.
Some who cooperate even end up living in the United States permanently, he said.
Levashov told RFE/RL he has the legal right to reside in the United States until April and then intends to leave.
In the meantime, he said he was focusing on launching a new business venture, hoping to raise millions of dollars through crowdfunding for a type of business that uses the same underlying technology used in cryptocurrencies.