* No badgers were harmed in the creation of this blog *

** Not intended to diagnose, treat, cure, or prevent any disease **

Wednesday, December 7, 2022

Defendant's Lawyer in Botnet Case Fined, Ordered to Pay Some of Google's Legal Fees

Earlier this week, Krebs on Security(1) reported on a case between Google and more than a dozen people thought to be behind the Glupteba botnet.  In this case, Google alleged that two named Russian nationals and 15 other John and Jane Does violated the Racketeer Influenced and Corrupt Organizations Act (RICO) and the Computer Fraud and Abuse Act, as well as trademark and unfair competition law, and were liable for unjust enrichment.(1)

Google initiated this legal action in December of 2021 (a year ago).  In their public announcement, they noted that this was the first lawsuit to be launched against a blockchain-enabled botnet.(2)

In their initial filing, Google described Glupteba's blockchain functionality.  Botnets are networks of computers that are infected with malware (malicious software, e.g. viruses) and are therefore subject to being controlled by a third party.  Though any individual device on the botnet may contribute only a small amount of computing power, a botnet with millions of computers (such as Glupteba) harnesses vast capability for mining cryptocurrency, executing denial-of-service attacks, and other malicious activity.  Key to running a botnet is command and control (C2), the method by which the criminal controls the botnet.  Typically, the botnet software contains hard-coded domain names that resolve to the servers on the internet that the infected computers contact to receive instructions.  Since shutting down that server (or blocking its domain or address) renders the botnet inoperable, modern botnets include multiple (sometimes thousands of) backup domains for the infected computers to query.  Even in this case, however, the domains to query are coded into the malware, so researchers who reverse-engineer a sample can extract them and block or sinkhole them before the botnet tries to use them, disabling the botnet.(3)

The Glupteba malware may start with a hard-coded address, but if (when) that is interrupted, the malware searches the public Bitcoin ledger for transactions involving three specific Bitcoin addresses, which are controlled by the human operators of the botnet (a Bitcoin address is, roughly, the public identifier of an account in a wallet).  From data carried by those transactions, the infected computer decrypts the new C2 address.  Since the C2 address is not coded into the malware, it can't be found by researchers until the operators actually publish it on the chain, forcing a delay between when the botnet moves to a new C2 address and when researchers can block that address.  Thus, Glupteba stays ahead of conventional efforts to contain it.(3)  The ledger is public and append-only, so the same three addresses can be monitored by researchers as well as by bots; what the scheme buys the operators is time, not secrecy about which addresses to watch.
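To make the fallback mechanism described above concrete, here is an added example (not code from the original post, and not Glupteba's code) that models both sides of it: the bot's resolution order (hard-coded domain first, then the newest authentic message published from a watched address) and the researcher's view of the same ledger.  Everything in it is constructed: the three watched addresses, the key, the domains, the simplified transaction records, and the cipher.  The cipher is a stand-in built from HMAC-SHA256 so that the block runs with the standard library alone; the page does not state which cipher the real malware uses, and the structure of its on-chain messages is assumed here to be an encrypted, authenticated domain name placed in an OP_RETURN output.

```python
"""Model of blockchain-backed C2 fallback (added illustration, not the malware's code)."""
import hashlib
import hmac

# Constructed values standing in for the three operator-controlled addresses
# and the key a bot would carry in its binary. Not Glupteba's real ones.
WATCHED_ADDRESSES = {
    "bc1qwatched0000000000000000000000000001",
    "bc1qwatched0000000000000000000000000002",
    "bc1qwatched0000000000000000000000000003",
}
BOT_KEY = b"constructed-key-baked-into-the-bot-binary"
HARDCODED_C2 = "primary-c2.example"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for whatever cipher the
    real malware uses (assumption), chosen only so this example runs offline."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Operator side: encrypt a domain and append a 16-byte authentication tag."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the blob is too short or the tag fails.
    The tag check is what stops a third party from injecting a fake C2 domain."""
    if len(blob) < 12 + 16:
        return None
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_ledger():
    """A constructed slice of the chain as simplified transaction records."""
    w = sorted(WATCHED_ADDRESSES)
    return [
        # Noise: an OP_RETURN spent from an unrelated address, ignored by the address filter.
        {"height": 700000, "inputs": ["bc1qunrelated"], "outputs": [
            {"script_type": "op_return", "data": b"not for the bot".hex()}]},
        # The operators' first published fallback domain.
        {"height": 700010, "inputs": [w[0]], "outputs": [
            {"script_type": "p2wpkh", "address": w[0], "value": 546},
            {"script_type": "op_return", "data": seal(BOT_KEY, b"\x01" * 12, b"fallback-1.example").hex()}]},
        # A corrupted or forged message from a watched address: the tag will not verify.
        {"height": 700020, "inputs": [w[1]], "outputs": [
            {"script_type": "op_return", "data": "00" * 12 + "ff" * 20 + "00" * 16}]},
        # The operators rotate; the newest authentic message must win.
        {"height": 700050, "inputs": [w[2]], "outputs": [
            {"script_type": "op_return", "data": seal(BOT_KEY, b"\x02" * 12, b"fallback-2.example").hex()}]},
    ]


def op_return_messages(ledger, watched):
    """Shared step: OP_RETURN payloads of transactions spent from a watched address, newest first."""
    hits = []
    for tx in ledger:
        if not any(addr in watched for addr in tx["inputs"]):
            continue
        for out in tx["outputs"]:
            if out.get("script_type") == "op_return":
                hits.append((tx["height"], bytes.fromhex(out["data"])))
    hits.sort(key=lambda h: h[0], reverse=True)
    return hits


def resolve_c2(ledger, reachable, key=BOT_KEY, watched=WATCHED_ADDRESSES, hardcoded=HARDCODED_C2):
    """Bot side: use the hard-coded domain while it works; once it is blocked,
    fall back to the newest message on the chain that authenticates under the key."""
    if reachable(hardcoded):
        return hardcoded
    for _height, blob in op_return_messages(ledger, watched):
        domain = unseal(key, blob)
        if domain is not None:
            return domain.decode("ascii")
    return None


def domains_published_by(ledger, key=BOT_KEY, watched=WATCHED_ADDRESSES):
    """Defender side: with the key recovered from a sample, list every (height, domain)
    the operators have published. Nothing appears here before it is mined, which is
    exactly the head start the scheme gives the operators."""
    found = []
    for height, blob in op_return_messages(ledger, watched):
        domain = unseal(key, blob)
        if domain is not None:
            found.append((height, domain.decode("ascii")))
    return found


if __name__ == "__main__":
    ledger = build_ledger()
    print("primary up   :", resolve_c2(ledger, lambda d: True))
    print("primary down :", resolve_c2(ledger, lambda d: False))
    print("published    :", domains_published_by(ledger))
```

The `reachable` callback stands in for the bot's connectivity test and is the only thing a defender controls: blocking the primary domain is what pushes bots onto the chain lookup.  Running `domains_published_by` over the ledger truncated before block 700050 returns only the first fallback, which is the researcher's position until the rotation transaction is mined.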

This case interests me not just because of the C2 method used by the botnet, but also because the presiding judge imposed sanctions not just on the defendants, but on their attorney.  Last month, Judge Denise Cote found that not only had the defendants misrepresented several material facts (i.e. lied), but their attorney, Igor Litvak, had essentially done the same.  To understand why the lawyer was also sanctioned, it is necessary to go into some of the details of the case and its timeline.

Google filed their lawsuit on December 2, 2021.  As part of this process, they attempted to contact the named defendants via multiple methods, including at their place of work (Valtran, LLC), by email, by SMS, and by other means.  Receiving no answer, Google moved for default judgment on February 7, 2022.  This was granted, but on February 24th Litvak submitted a letter to the court requesting that the default judgment be vacated.  At a conference on March 1, he explained that the Defendants had never received notice of the action, learning about it from their friends in late January.  On March 14, in support of this, the defendants submitted declarations in which each stated that they "Work for Valtran LLC as a software engineer." (4)

Though the Court found it "improbable" that the defendants had not been aware of the case prior to being notified by friends in late January, neither did it feel it had evidence to consider the Defendants' default to be willful.  Further, the Court found that the defendants had a right to contest the allegation that they were involved with or knew of the botnet, and the default was vacated.  The Opinion stated that in spite of the Defendants' delay, both they and Google could "conduct expeditious and targeted discovery."(4)

The Defendants answered Google's complaint on May 11, 2022, bringing a counterclaim that Google had interfered with a prospective business relationship by "improper[ly] interfering with Defendants' present and prospective relationships with their employer ...."  The Defendants withdrew this counterclaim before Google replied to it, but it remains part of the record.(4)

On May 17th, Google indicated to Litvak that, as part of the discovery phase, Google intended to ask for the electronic devices used by the Defendants in connection with their business.  Litvak replied on the 20th, indicating that the Defendants wanted discovery of any devices used by Google in its investigation of the Defendants, and wanted to limit the discovery of the Defendants' devices to those "over which the Defendants have actual physical control and possession."  Google rejected these modifications, proposing instead to remove all specifics regarding the exchange of devices.  Litvak replied on May 31 that he preferred to keep the mention of a device exchange, but the final agreement, as submitted to the Court, makes no mention of one. (4)

On June 1, the Defendants "affirmed their commitment to the discovery process."  On June 9, following obstructionist activity on the part of the Defendants, the Court found that it had reason to believe that the Defendants were interested in discovery only for the purpose of learning what steps Google had taken to disarm their botnet.  The Court expressed concern that the Defendants were not participating in the process in good faith and "that their counsel has not been candid with the Court," and directly ordered the Defendants to comply with their initial disclosure obligations.(4)

Throughout June, the Defendants continued to describe themselves as employees of Valtran, even as they failed to materially comply with their discovery obligations.  On July 19, they indicated that they no longer worked for that company, and so no longer had access to the devices in question.  Specifically, the Defendants declared that they had been fired by Valtran in December 2021 and had returned their devices to Valtran the following month.  Litvak stated that he had learned of this on May 20, 2022. (4)

Skipping over further back and forth between Litvak, the Court, and Google, on November 15 Judge Cote issued an Opinion in which she found what is evident from the above.  Not only had the Defendants been deceptive about their relationship with Valtran and their possession of the devices sought by Google, for instance stating in February that they worked for the company but later stating that they had been fired in December; their attorney had also abetted the Defendants in their dishonesty and had acted dishonestly himself, by lying outright and/or by failing to correct falsehoods proffered by his clients and accepted as fact by the Court and by Google.  In addition to the issue of when the Defendants had left Valtran's employment, the Court pointed to the incongruity of a timeline in which Litvak (said that he) learned on May 20 that his clients were no longer with the company and that the devices Google sought were now out of reach, yet on May 31st attempted to negotiate access to those devices as part of a discovery agreement.(4)

For this dishonesty, the Defendants and their attorney were jointly sanctioned and ordered to pay the costs, fees, and expenses incurred by Google in litigating the matter: an unusual outcome in which the attorney, and not just his clients, was held accountable.(1)(4)


Sources:

  1. https://krebsonsecurity.com/2022/12/judge-orders-u-s-lawyer-in-russian-botnet-case-to-pay-google/#more-61945
  2. https://blog.google/technology/safety-security/new-action-combat-cyber-crime/
  3. https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/1_Complaint.pdf
  4. https://casetext.com/case/google-llc-v-starovikov-16