Over 4 million infected PCs in 100 countries, but guilt of DNS Changer gang not proven says court

Graham Cluley
Graham Cluley
@[email protected]

Ghost ClickIn November 2011, it was announced that “Operation Ghost Click”, a two-year joint investigation by the FBI and Estonian law enforcement, had resulted in the arrest and charging of six Estonian men and one Russian.

The men were charged in connection with DNS Changer – a sophisticated money-making malware campaign that had recruited over four million computers in approximately 100 countries into a botnet.

The Estonian men were arrested and taken into custody by the Estonian Police, while the United States sought their extradition.

In subsequent hearings, prosecutors claimed that the gang earned $24.2 million through criminal activities, and that a Seychelles-registered company operated by alleged mastermind Vladimir Tsastsin received at least $16.37 million.

Sign up to our free newsletter.
Security news, advice, and tips.

Tsastsin has had something of a history with organised crime, having previously been found guilty of credit card fraud, document forgery, and money laundering, as detailed by this Washington Post article by Brian Krebs from 2008.

Today, over two years later, an Estonian court has acquitted four of the men – including Tsastsin – saying that the charges against them have not been proven.

The problem appears to have been the lack of specific victims produced by prosecutors.

There were smiles on the faces of Tsatstin, Timur Geraassimenko, Dmitri Jegorov and Konstantin Poltev, as they were told of the court’s decision at the Harju County Court in Estonia.

Ghost Click suspects

For now the men remain remanded by the Estonian authorities, while a decision is made as to if they should be extradited to America to face prosecutors there.

Two others who were arrested back in 2011, Anton Ivanov and Valeri Aleksejev, have already been extradited to the United States, and are going through the legal process there.

What was DNS Changer?

Operating under the company name “Rove Digital”, the cybercriminals behind the DNS Changer click fraud malware campaign used a collection of rogue DNS servers to display alternative adverts and redirect millions of infected PCs and Macs to unconnected webpages, earning them money in the process. In addition, the malware attempted to block attempts by users to update their anti-virus software.

Affected computers included ones belonging to individual, business and government agencies such as NASA.

The FBI ultimately seized control of the rogue servers and made them safe, and launched a public awareness campaign to encourage affected users to check if their DNS settings had been meddled with and – if so – fix them.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.