July 8, 2015

Estonian National Pleads Guilty in Manhattan Federal Court to Charges Arising from Massive Cyber Fraud Scheme That Infected Millions of Computers Worldwide

Preet Bharara, the United States Attorney for the Southern District of New York, announced today that VLADIMIR TSASTSIN pled guilty to wire fraud and computer intrusion charges arising from his operation of a massive and sophisticated Internet fraud scheme that infected with malware more than four million computers located in over 100 countries. The malware secretly altered the settings on infected computers, enabling TSASTSIN and the six other charged defendants—Timur Gerassimenko, Dmitri Jegorov, Valeri Aleksejev, Konstantin Poltev, Andrey Taame, and Anton Ivanov—to digitally hijack Internet searches, re-route computers to certain websites and advertisements, and receive payment for the hijacked Internet traffic. TSASTSIN pled guilty today to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer intrusion before U.S. Magistrate Judge Michael H. Dolinger. Sentencing is scheduled for October 14, 2015, before U.S. District Judge Lewis A. Kaplan.

Manhattan U.S. Attorney Preet Bharara said: “Vladimir Tsastsin has admitted to his role in a massive cyber hack and fraud scheme that infected millions of computers in over one hundred countries and netted Tsastsin and his co-conspirators over fourteen million dollars. Today’s guilty plea highlights not just the international scope of the threat posed by cyber criminals, but also the global reach of this Office and our law enforcement partners here and around the world to track down and prevent such criminals.”

According to the Indictment and other court documents previously filed in Manhattan federal court, and today’s plea proceeding:

From 2007 until October 2011, TSASTSIN, Gerassimenko, Jegorov, Aleksejev, Poltev, Taame, and Ivanov controlled and operated various companies that masqueraded as legitimate publisher networks (the “Publisher Networks”) in the Internet advertising industry. The Publisher Networks entered into agreements with ad brokers under which they were paid based on the number of times Internet users clicked on the links for certain websites or advertisements, or based on the number of times certain advertisements were displayed on certain websites. Thus, the more traffic that went to the advertisers’ websites and display ads, the more money the defendants earned under their agreements with the ad brokers. The defendants fraudulently increased the traffic to the websites and advertisements that would earn them money and made it appear to advertisers that the Internet traffic came from legitimate clicks and ad displays on the defendants’ Publisher Networks when, in actuality, it had not.

To carry out the scheme, the defendants and their co-conspirators used what are known as “rogue” Domain Name System (“DNS”) servers, and malware (“the Malware”) that was designed to alter the DNS server settings on infected computers. Victims’ computers became infected with the Malware when they visited certain websites or downloaded certain software to view videos online. The Malware altered the DNS server settings on victims’ computers to route the infected computers to rogue DNS servers controlled and operated by the defendants and their co-conspirators. The re-routing took two forms that are described in detail below: “click hijacking” and “advertising replacement fraud.” The Malware also prevented the infected computers from receiving anti-virus software updates or operating system updates that otherwise might have detected the Malware and stopped it. In addition, the infected computers were also left vulnerable to infections by other viruses.

Click Hijacking

When the user of an infected computer clicked on a search result link displayed through a search engine query, the Malware caused the computer to be re-routed to a different website. Instead of being brought to the website to which the user asked to go, the user was brought to a website designated by the defendants. Each “click” triggered payment to the defendants under their advertising agreements. This click hijacking occurred for clicks on unpaid links that appeared in response to a user’s query as well as clicks on “sponsored” links or advertisements that appeared in response to a user’s query—often at the top of, or to the right of, the search results—thus causing the search engines to lose money. For example, when the user of an infected computer clicked on the domain name link for the official website of Apple iTunes, the user was instead taken to a website for a business unaffiliated with Apple Inc. that purported to sell Apple software.

Advertising Replacement Fraud

Using the DNS changer Malware and rogue DNS servers, the defendants also replaced legitimate advertisements on websites with substituted advertisements that triggered payments to the defendants. For example, when the user of an infected computer visited the home page of the Wall Street Journal, a featured advertisement for the American Express “Plum Card” had been fraudulently replaced with an ad for “Fashion Girl LA.”

The defendants earned millions of dollars under their advertising agreements, not by legitimately displaying advertisements through their Publisher Networks, but rather by using the Malware to fraudulently drive Internet traffic to the websites and ads that would earn them more money. As a result, the defendants and their co-conspirators earned at least $14 million in ill-gotten gains through click hijacking and advertising replacement fraud. The defendants laundered the proceeds of the scheme through numerous companies including, among others, Rove Digital, an Estonian corporation, and others listed in the Indictment.
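As an added illustration of the defender-side check implied by the mechanism described above (this is not code from the release or the investigation), the following Python compares a host's configured resolvers against an allowlist and compares the answers obtained from the configured resolver with those from a trusted resolver, flagging both rogue resolvers and domains whose answers diverge. All resolver addresses, domain names and answers are constructed sample data, not values from the case.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data (RFC 5737 documentation addresses), not values from the case.
SAMPLE_RESOLV_CONF = """# resolv.conf captured from a host under review (constructed)
search corp.example
nameserver 203.0.113.7
nameserver 192.0.2.53
"""
ALLOWED_RESOLVER_NETWORKS = ["192.0.2.0/24"]          # resolvers the host should be using
ANSWERS_FROM_CONFIGURED = {                           # what the host's configured resolver returned
    "itunes.example": {"203.0.113.80"},               # diverges: points at an impostor site
    "wsj.example": {"198.51.100.20"},
}
ANSWERS_FROM_TRUSTED = {                              # what a trusted resolver returned
    "itunes.example": {"198.51.100.10"},
    "wsj.example": {"198.51.100.20"},
}

@dataclass
class DnsCheckResult:
    rogue_resolvers: list
    hijacked_domains: list

    def tampered(self) -> bool:
        return bool(self.rogue_resolvers or self.hijacked_domains)

def parse_resolv_conf(text: str) -> list:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def check_dns_settings(configured, allowed_networks, observed, trusted) -> DnsCheckResult:
    """Flag resolvers outside the allowlist and domains whose answers diverge."""
    nets = [ip_network(n) for n in allowed_networks]
    rogue = [s for s in configured if not any(ip_address(s) in n for n in nets)]
    # A domain is a hijack candidate when the configured resolver's answers share
    # no address at all with the trusted resolver's answers for the same name.
    hijacked = sorted(d for d in observed if not (observed[d] & trusted.get(d, set())))
    return DnsCheckResult(rogue, hijacked)

def run_sample_check() -> DnsCheckResult:
    configured = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    return check_dns_settings(configured, ALLOWED_RESOLVER_NETWORKS,
                              ANSWERS_FROM_CONFIGURED, ANSWERS_FROM_TRUSTED)
```

Calling `run_sample_check()` on the constructed data reports `203.0.113.7` as a rogue resolver and `itunes.example` as a hijack candidate; in practice the observed answers would come from live queries against each resolver.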

* * *

TSASTSIN, 35, of Estonia, faces a maximum sentence of 20 years in prison on the wire fraud conspiracy count and five years in prison on the computer intrusion conspiracy count. The statutory maximum sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge.

Estonian nationals Gerassimenko, Jegorov, Poltev, and Aleksejev have each pled guilty to the same wire fraud and computer intrusion conspiracy counts. Aleksejev was sentenced to 48 months in prison. Ivanov pled guilty to all charges and was sentenced to time served. Judge Kaplan has scheduled the sentencings of Gerassimenko, Jegorov and Poltev for July 23, 2015. The last defendant, Taame, who is a Russian national, remains at large. The charges against Taame are merely accusations and he is presumed innocent unless and until proven guilty.

Mr. Bharara praised the outstanding investigative work of the Federal Bureau of Investigation, the National Aeronautics and Space Administration-Office of the Inspector General, and the Estonian National Police and Border Guard Board.

This case is being handled by the Office’s Complex Frauds and Cybercrime Unit. Assistant U.S. Attorneys Sarah Lai and Alexander Wilson are in charge of the prosecution.