United States v. Levashov

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF ALASKA UNITED STATES OF AMERICA Plaintiff, Case No. 3:17-cv-00074-TMB FILED EX PARTE AND UNDER SEAL V. PETER YURYEVICH LEVASHOV, a/k/a “Petr Levashov,” “Peter Severa,” “Petr Severa,” and “Sergey Astakhov’, Nee ee ee NO Defendant. TEMPORARY RESTRAINING ORDER AND ORDER TO SHOW CAUSE Plaintiff, the United States of America, has filed a complaint for injunctive relief pursuant to 18 U.S.C. §§ 1845 and 2521, based on the Defendant’s violations of 18 U.S.C. §§ 13843 and 2511. The Government has also moved ex parte for a Temporary Restraining Order and an Order to Show Cause Re Preliminary Injunction pursuant to Rule 65(b) of the Federal Rules of Civil Procedures and 18 U.S.C. §§ 13845(a)(1) and 2521. FINDINGS OF FACT AND CONCLUSIONS OF LAW Having reviewed the papers, declaration, and memorandum filed in support of the Government’s Motion for a Temporary Restraining Order and Order to Show Cause re Preliminary Injunction, the Court hereby makes the following findings of fact and conclusions of law: I. This Court has jurisdiction over the subject matter of this case and there is good cause to believe that it will have jurisdiction over all parties hereto: Case 3:17-cv-00074-TMB Document 10 Filed 04/05/17 Page 1 of 9 the Complaint states a claim upon which relief may be granted against the Defendant under 18 U.S.C. §§ 1345 and 2521. 2. There is good cause to believe that the Defendant has engaged in and is likely to engage in acts or practices that violate 18 U.S.C. §§ 1343 and 2511, and that the Government is, therefore, likely to prevail on the merits of this action. 3. There is good cause to believe that, unless the Defendant is restrained and enjoined by Order of this Court, immediate and irreparable harm will result from Defendant’s ongoing violations of 18 U.S.C. §§ 1848 and 2511. The evidence set forth in the Government’s Memorandum of Law, and the accompanying declaration, demonstrate that the Government is likely to prevail on its claim that the Defendant has engaged in violations of 18 U.S.C. §§ 1343 and 2511 by: a. intentionally infecting hundreds of thousands of computers with malicious software (“malware”) designed to steal user credentials from infected computers and to enlist those computers into the Kelihos “botnet” (a network of other infected computers controlled by the Defendant); b. using Kelihos malware to propagate spam email messages that promote counterfeit drugs, pump-and-dump stock schemes, fraudulent employment opportunities, and other frauds; and U.S. v. Levashov 3:17-cv-00074-TMB 2 Case 3:17-cv-00074-TMB Document 10 Filed 04/05/17 Page 2 of 9 Gi using Kelihos malware to install other malware variants on infected computers, including ransomware and banking Trojans; and d. using Kelihos malware to intercept victims’ communications, including online credentials, without authorization. 4. There is good cause to believe that if such conduct continues, it will cause irreparable harm to both individuals and businesses in the United States. There is also good cause to believe that the Defendant will continue to engage in such unlawful actions if not immediately restrained from doing so by Order of this Court. 5. Based on the evidence cited in the Government’s Memorandum of Law and accompanying declaration and exhibits, the Government is likely to be able to prove that the Defendant is engaged in activities that violate United States law and harm members of the public, and that the Defendant has continued his unlawful conduct despite the clear injury to members of the public. 6. There is good cause to believe that providing the Defendant with advance notice of this action would cause immediate and irreparable damage to this Court’s ability to grant effective final relief. Based on the evidence cited in the Government's Memorandum of Law and accompanying declaration, there is good cause to believe that — if the Defendant was to be notified in advance of this action — the Defendant would relocate his servers and/or command and control U.S. v. Levashov 3:17-cv-00074-TMB 3 Case 3:17-cv-00074-TMB Document 10 Filed 04/05/17 Page 3 of 9 infrastructure, change the coding of his malware, or otherwise implement measures to blunt or defeat the Government’s planned disruption effort. le The Government’s request for this ex parte relief is not the result of any lack of diligence on the Government’s part, but instead is based upon the nature of Defendant’s illegal conduct. Therefore, in accordance with Fed. R. Civ. P. 65(b), good cause and the interests of justice require that this Order be granted without prior notice to Defendant, and accordingly, the Government is relieved of the duty to provide the Defendant with prior notice of the Government’s Application. 8. The Government has demonstrated good cause to believe that Defendant has directed his illegal activity at individuals and businesses located in the District of Alaska by, among other things, infecting numerous computers in this District with Kelihos, unlawfully intercepting the communications of persons in this District, and by directing fraudulent spam email messages to persons in this District. 2. The Government has demonstrated good cause to believe that to immediately halt the injury caused by the Defendant, the Defendant must be prohibited from infecting computers with Kelihos and from communicating with existing computers infected with Kelihos. 10. The Government has demonstrated good cause to believe that the Defendant has used, and will use in the future, the domain names gorodkoff.com, U.S. v. Levashov 3:17-cv-00074-TMB 4 Case 3:17-cv-00074-TMB Document 10 Filed 04/05/17 Page 4 of 9 goloduha.info, and combach.com to commit violations of 18 U.S.C. §§ 1343 and 2521 in connection with the Kelihos malware. There is good cause to believe that to immediately halt the Defendant’s illegal activity and to prevent further harm to individuals and businesses in the United States, the gorodkoff.com, goloduha.info, and combach.com domains must be immediately: 1) made inaccessible to the Defendant; and 2) redirected to name-servers identified by the FBI. 11. There is good cause to permit service of documents filed in this case that have been unsealed by this Court, and any unsealed Orders entered by the Court in response thereto, as provided below, given the exigency of the circumstances, the need for prompt relief, and the fact that the Defendant will be in the custody of Spanish law enforcement. The government will provide notice through each of the following methods, which provide due process, satisfy Fed. R. Civ. P. 4(f)(8), and are reasonably calculated to provide notice to the Defendant: a. personal service on the Defendant to be effected by U.S. or Spanish law enforcement or, if personal service is impossible, by certified mail to the Defendant at the Spanish custodial facility; b. personal service upon any attorney representing the Defendant in Spain; C. via publication on the Internet web sites of the Department of Justice or the Federal Bureau of Investigation. U.S. v. Levashov 3:17-cv-00074-TMB 5 Case 3:17-cv-00074-TMB Document 10 Filed 04/05/17 Page 5of9 TEMPORARY RESTRAINING ORDER AND ORDER TO SHOW CAUSE IT IS THEREFORE ORDERED that the Defendant, his representatives, and persons who are in active concert or participation with him are temporarily restrained and enjoined from using malicious software or code in furtherance of any scheme to commit wire fraud or to engage in unauthorized interception of electronic communications, and in particular, are prohibited from running, controlling, or communicating with software known as Kelihos, on any computer not owned by the Defendant. IT IS FURTHER ORDERED that the Government shall establish substitute server(s) and other computer infrastructure as specified in the Government's Memorandum of Law that, in conjunction with the relief ordered below, will replace the Defendant’s command and control infrastructure for the Kelihos botnet and sever the Defendant’s connection to the infected computers in the Kelihos botnet. Pursuant to the Pen Register Trap and Trace Order signed by this Court, the Government is authorized to collect dialing, routing, addressing and signaling (“DRAS”) information from the Kelihos-infected computers that connect to the infrastructure created pursuant to this Order. The Government shall ensure that no electronic content or other non-DRAS information is collected when victim computers connect to the infrastructure established pursuant to this Order. U.S. v. Levashov 3:17-cv-00074-TMB 6 Case 3:17-cv-00074-TMB Document 10 Filed 04/05/17 Page 6 of 9 IT IS FURTHER ORDERED that, with respect to the domains gorodkoff.com, goloduha.info, and combach.com, the applicable Domain Registry identified below shall take the following actions: .com VeriSign, Inc. | VeriSign, Inc. 12061 Bluemont Way Reston, VA 20190 nfo Afilias USA, Afilias USA, Inc. Inc. Building 3, Suite 105 300 Welsh Road Horsham, PA 19044 1. Take all reasonable measures to redirect the domains to the substitute servers which will be identified by the FBI; 2. Take all reasonable measures to propagate the foregoing changes through the Domain Name System as quickly as practicable; o. Prevent any further modification to, or transfer of, the domains without the previous authorization of this Court; A, Refrain from providing any notice or warning to, or communicating in any way with Defendant or Defendant’s representatives and refrain from disclosing this Order until such time as this Order is no longer under seal, except as necessary to execute this Order; 5. Provide reasonable assistance in implementing the terms of this Order and take no action to frustrate the implementation of this Order. U.S. v. Levashov 3:17-cv-00074-TMB a Case 3:17-cv-00074-TMB Document 10 Filed 04/05/17 Page 7 of 9 IT IS FURTHER ORDERED that copies of the Court Filings shall be served by each of the following methods: a. personal service on the Defendant to be effected by U.S. or Spanish law enforcement or, if personal service is impossible, by certified mail to the Defendant at the Spanish custodial facility; b. personal service upon any attorney representing the Defendant in Spain; C; via publication on the Internet web sites of the Department of Justice or the Federal Bureau of Investigation. IT IS FURTHER ORDERED that pursuant to Federal Rule of Civil Procedure 65(b) that the Defendant shall appear before this Court on April 12, 2017 at 2:00 p.m. to show cause, if there is any, why this Court should not enter a Preliminary Injunction, pending final ruling on the Complaint against the Defendant, enjoining him from the conduct temporarily restrained by the preceding provisions of this Order. IT IS FURTHER ORDERED that the Defendant shall file with the Court and serve on the Government any answering affidavits, pleadings, motions, expert reports or declarations and/or legal memoranda no later than two (2) days prior to the hearing on the Government’s request for a preliminary injunction. The Government may file responsive or supplemental pleadings, materials, affidavits, or memoranda with the Court and serve the same on counsel for the Defendant no U.S. v. Levashov 3:17-cv-00074-TMB 8 Case 3:17-cv-00074-TMB Document 10 Filed 04/05/17 Page 8 of 9 later than one (1) day prior to the preliminary injunction hearing in this matter. Provided that service shall be performed by personal or overnight delivery, facsimile or electronic mail, and documents shall be delivered so that they shall be received by the other parties no later than 4:00 p.m. (Eastern Time) on the appropriate dates listed in this paragraph. IT IS FURTHER ORDERED that this Order shall expire on the 12th day of April 2017, at 2:00 p.m. [not to exceed 14 days], subject to the further Order of this Court. o~ . Entered this or day of April, 2017 at 2° 45 p.m., in Anchorage, Alaska. U.S. v. Levashov 3:17-cv-00074-TMB 9 Case 3:17-cv-00074-TMB Document 10 Filed 04/05/17 Page 9 of 9

Case Details

Case Name: United States v. Levashov

Court Name: District Court, D. Alaska

Date Published: Apr 5, 2017

Docket Number: 3:17-cv-00074

Court Abbreviation: D. Alaska