How police recovered $15 million USD from Swiss bank accounts of ad fraud scammers

The government of Switzerland has transferred to the United States roughly $15.1 million USD, representing the illicit proceeds of an Internet advertising fraud scheme orchestrated by Kazakh citizens Sergey Ovsyannikov and Yevgeniy Timchenko, together with Russian citizen Aleksandr Isaev, according to a statement issued by the U.S. Department of Justice (DOJ).

Before reviewing the fraud, a few basics of online advertising are worth noting: website owners (publishers) place ad slots on their pages and are paid, through intermediaries such as ad exchanges, for the impressions and clicks those ads record. The defendants built a scheme that faked both the users and the web pages: automated software made infected devices load ads on fraudulent websites, generating traffic that looked like real visitors to the ad intermediaries.

Identified as “3ve.2 Template” (3ve is pronounced “Eve”), this was an online advertising fraud in which the defendants used a botnet and its command-and-control infrastructure to access more than 1.7 million infected computers, mainly in the U.S., and direct them to download web pages specially designed to load ads.

As a result, the defendants falsified billions of ad views, impersonating more than 86,000 domains belonging to legitimate online publishers. The operators made about $29 million USD from ads that no real user ever saw, diverting funds that should have reached those publishers. The money sent to the U.S. by Swiss authorities is all that has been recovered so far.
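The two signals the scheme depended on, impressions attributed to a publisher domain the seller was not entitled to sell, and large volumes of impressions from hosts that never behave like a person, are what an ad platform can screen for. The following is an added illustration written for this article; it is not code from the DOJ release, from the investigation, or from any 3ve tooling. The log format, the thresholds, and the per-domain list of authorized sellers (modelled on the ads.txt idea that a publisher publishes who may sell its inventory) are all assumptions, and the traffic is constructed.

```python
"""Added example: heuristic screening of ad-impression logs for spoofed
publisher domains and automated, user-less clients.  Everything here
(log format, seller list, thresholds, sample traffic) is assumed."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed: publisher domain -> seller IDs allowed to sell its inventory
# (an ads.txt-style authorization list, constructed for this example).
AUTHORIZED_SELLERS = {
    "news-example.com": {"ssp-a:1001"},
    "recipes-example.org": {"ssp-b:2002"},
}


@dataclass(frozen=True)
class Impression:
    ts: int
    client_ip: str
    declared_domain: str   # domain the impression claims to come from
    seller: str            # intermediary that billed the impression
    user_events: int       # mouse/scroll/key events seen in the session


def parse_line(line: str) -> Impression:
    """Parse one constructed log line:
    '<ts> <client_ip> <declared_domain> <seller> <user_events>'."""
    ts, ip, domain, seller, events = line.split()
    return Impression(int(ts), ip, domain, seller, int(events))


def is_spoofed(imp: Impression) -> bool:
    """True when the seller is not authorized for the declared domain,
    i.e. the impression impersonates a publisher it does not represent."""
    return imp.seller not in AUTHORIZED_SELLERS.get(imp.declared_domain, set())


def automated_clients(imps, min_impressions=20, max_event_rate=0.0):
    """IPs that produce many impressions with (near) zero user interaction.
    Thresholds are assumptions; a real system would tune them per inventory."""
    by_ip = defaultdict(list)
    for imp in imps:
        by_ip[imp.client_ip].append(imp)
    flagged = set()
    for ip, group in by_ip.items():
        if len(group) < min_impressions:
            continue
        event_rate = sum(i.user_events for i in group) / len(group)
        if event_rate <= max_event_rate:
            flagged.add(ip)
    return flagged


def screen(lines):
    """Apply both checks and report what would remain billable."""
    imps = [parse_line(line) for line in lines]
    bots = automated_clients(imps)
    spoofed = [i for i in imps if is_spoofed(i)]
    billable = [i for i in imps if not is_spoofed(i) and i.client_ip not in bots]
    return {
        "total": len(imps),
        "spoofed_domain": len(spoofed),
        "automated_ips": sorted(bots),
        "billable": len(billable),
    }


def sample_log():
    """Constructed traffic: one infected host firing impressions that claim
    news-example.com through an unauthorized seller and never interact,
    plus two real users on legitimately sold inventory."""
    lines = [f"{1000 + n} 203.0.113.7 news-example.com ssp-c:9999 0"
             for n in range(60)]
    lines += [
        "2000 198.51.100.4 news-example.com ssp-a:1001 12",
        "2001 198.51.100.4 news-example.com ssp-a:1001 3",
        "2002 198.51.100.9 recipes-example.org ssp-b:2002 7",
    ]
    return lines


if __name__ == "__main__":
    print(screen(sample_log()))
```

The domain check catches impersonation even when the client looks human, and the interaction check catches an infected host even when it targets inventory the seller is entitled to; the scheme described above would have tripped both.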

Ovsyannikov was arrested in October 2018 in Malaysia, and was extradited to the United States shortly thereafter, while Timchenko was arrested in November 2018 in Estonia. Both pleaded guilty and have been sentenced. Isaev remains at large.

After these arrests, U.S. law enforcement, in collaboration with several private sector companies, began dismantling the criminal infrastructure, which included thousands of devices infected with the malware known as Kovter.

So far, the Federal Bureau of Investigation (FBI) has seized 23 web domains used either to display the ads or to distribute the Kovter malware. U.S. agents also executed search warrants at 11 server-hosting providers, identifying a total of 89 servers used by the cybercriminals.
