Case 1:18-cr-00633-ERK Document 8 Filed 11/27/18 Page 1 of 34 PageID #: 48

KORMAN, J.
GOLD, M.J.

IN CLERK'S OFFICE, U.S. DISTRICT COURT E.D.N.Y., NOV 27 2018, BROOKLYN OFFICE

RMT:SK/AFM/MTK
F. #2016R02228

UNITED STATES DISTRICT COURT
EASTERN DISTRICT OF NEW YORK

UNITED STATES OF AMERICA

- against -

ALEKSANDR ZHUKOV, BORIS TIMOKHIN, MIKHAIL ANDREEV, DENIS AVDEEV, DMITRY NOVIKOV, SERGEY OVSYANNIKOV, ALEKSANDR ISAEV and YEVGENIY TIMCHENKO,

Defendants.

INDICTMENT

(T. 18, U.S.C., §§ 371, 981(a)(1)(C), 982(a)(1), 982(a)(2)(B), 982(b)(1), 1028A(a)(1), 1028A(b), 1028A(c)(4), 1030(a)(2), 1030(a)(4), 1030(a)(5), 1030(b), 1030(c)(2)(A), 1030(c)(2)(B), 1030(c)(3)(A), 1030(c)(4), 1030(i)(1), 1030(i)(2), 1343, 1349, 1956(h), 1957(a), 2 and 3551 et seq.; T. 21, U.S.C., § 853(p); T. 28, U.S.C., § 2461(c))

THE GRAND JURY CHARGES:

INTRODUCTION

At all times relevant to this Indictment, unless otherwise indicated:

1. Individuals and businesses ("publishers") were able to provide free content on the internet—such as websites, search engines, translation services, video playback services and global mapping services—because advertisers paid for the opportunity to show advertisements (sometimes referred to as "ads") alongside that content.

2. The digital advertising industry was made up of a chain of specialized businesses. Publishers commonly used entities called supply-side platforms ("SSPs") to conduct auctions that sold the advertising space on their sites. These auctions commenced as soon as an internet user accessed a website and concluded within milliseconds, before the webpage displayed to the user. Businesses seeking to promote their goods and services online ("brands") commonly used entities called demand-side platforms ("DSPs") to bid in these auctions and thereby had their advertisements placed on webpages that real human internet users were browsing.
Brands commonly paid for advertising on a lump-sum basis, and publishers commonly received payment based on how many times users clicked on or viewed advertisements (sometimes referred to as "impressions"). The entities in between the brands and the publishers—the DSPs, SSPs and ad networks that connected SSPs with publishers—charged fees along the way.

3. The defendants in this case used sophisticated computer programming and infrastructure spread around the world to exploit the digital advertising industry through fraud. They represented to others that they ran legitimate ad networks that delivered advertisements to real human internet users accessing real internet webpages. In fact, the defendants faked both the users and the webpages: in each of the charged schemes, they programmed computers they controlled to load advertisements on fabricated webpages, via an automated program, in order to fraudulently obtain digital advertising revenue.

4. In one iteration—a datacenter-based scheme referred to in the ad industry as "Methbot"—the defendants used computers they controlled that they had rented from commercial datacenters in Dallas, Texas, and elsewhere.

5. In another iteration—a botnet-based scheme referred to in the ad industry as "3ve.2 Template A"—the defendants used computers to which they had gained unauthorized access (i.e. that had been "hacked"), including computers belonging to individuals and businesses in the United States and elsewhere, including in the Eastern District of New York.

I. The Defendants

6. The defendant ALEKSANDR ZHUKOV was a citizen of the Russian Federation. He led the development of the datacenter-based scheme. ZHUKOV served as the chief executive officer of Ad Network #1, the identity of which is known to the Grand Jury. Ad Network #1 was a private corporation owned by ZHUKOV with offices in the Russian Federation and the Republic of Bulgaria.
It purported to assist customers with delivering advertisements to real human internet users via its ad network.

7. The defendant BORIS TIMOKHIN was a citizen of the Russian Federation and worked for Ad Network #1. TIMOKHIN handled programming aspects of the datacenter-based scheme.

8. The defendant MIKHAIL ANDREEV was a resident of the Russian Federation and the Ukraine and worked for Ad Network #1. ANDREEV handled programming aspects of the datacenter-based scheme.

9. The defendant DENIS AVDEEV was a citizen of the Russian Federation and worked for Ad Network #1. AVDEEV handled technical and business aspects of the datacenter-based scheme.

10. The defendant DMITRY NOVIKOV was a resident of the Russian Federation and worked for Ad Network #1. NOVIKOV handled administrative and coordination aspects of the datacenter-based scheme.

11. The defendant SERGEY OVSYANNIKOV was a citizen of the Republic of Kazakhstan. He led the development of the botnet-based scheme and provided technical assistance to the operators of the datacenter-based scheme. OVSYANNIKOV served as a principal and owner of Ad Network #2, the identity of which is known to the Grand Jury. Ad Network #2 was a private corporation owned by OVSYANNIKOV and ALEKSANDR ISAEV with a registration address in Edinburgh, Scotland. It purported to assist customers with delivering advertisements to real human internet users via its ad networks.

12. The defendant ALEKSANDR ISAEV was a citizen of the Russian Federation and served as a principal, owner and chief executive officer of Ad Network #2. ISAEV handled business and contracting aspects of the botnet-based scheme.

13. The defendant YEVGENIY TIMCHENKO was a resident of the Republic of Kazakhstan and worked at Ad Network #2. TIMCHENKO handled logistical and administrative aspects of the botnet-based scheme.

II. The Schemes to Defraud

A. The Datacenter-Based Scheme

14.
In or about September 2014, ZHUKOV, TIMOKHIN, ANDREEV, AVDEEV and NOVIKOV (collectively, the "Methbot defendants") launched a digital advertising fraud scheme under the guise of operating Ad Network #1. Ad Network #1 had business arrangements with other advertising networks that enabled it to receive payment in return for placing advertising placeholders ("ad tags") with publishers on behalf of those advertising networks. Rather than place these ad tags on real publishers' webpages, however, ZHUKOV and others rented more than 1,900 computer servers located at commercial datacenters in Dallas, Texas, and elsewhere, and used those datacenter computer servers to simulate humans viewing ads on fabricated webpages. By these means, the Methbot defendants caused thousands of datacenter computer servers to load fabricated webpages, offer up the advertising space on the fabricated webpages for bidding, and load advertisements on the fabricated webpages through an automated computer program. This activity (the "fraudulent ad traffic") was not viewed by any real human internet users.

15. ZHUKOV and others programmed the datacenter computer servers to load fabricated webpages—that is, mostly blank webpages containing a blank space for an ad—that purported to be located at the domains of well-known publishers. ZHUKOV researched lucrative domains to fabricate and ran online searches for the "top 10000 domains" and "top 100k domains." ZHUKOV then sent TIMOKHIN "new domains to try," deliberately targeting "the top USA desktop domains" for businesses in the United States. In this way, the Methbot defendants fabricated (or "spoofed") more than 250,000 webpages distributed across more than 5,000 domains associated with online publishers, including the domains of thousands of businesses in the United States and multiple businesses in the Eastern District of New York.

16.
TIMOKHIN, ANDREEV and others also programmed the datacenter computer servers to simulate the internet activity of real human internet users when loading the fabricated webpages, in order to deceive SSPs and others in the digital advertising industry and to evade fraud detection software widely used in the industry. They developed programming code that caused the datacenter computer servers to operate an automated browser, click on online advertisements a randomly determined number of times, simulate a mouse moving around and scrolling down a webpage, control and monitor video playback, and falsely appear to be signed into popular social media services. The programming code contained explicit references to "Meth" and "Fake," including "MethBrowser," "MethFlashObjects," "FakeClient" and "FakedPixel."

17. In furtherance of their fraudulent scheme, the Methbot defendants communicated with one another about the development of this programming code using an online project management platform. For example:

(a) On or about October 25, 2014, ANDREEV circulated programming code and stated that it was designed to ensure that signals coming from the datacenter computer servers had the correct "'browser' parameters."

(b) On or about October 28, 2014, NOVIKOV instructed TIMOKHIN to carry out "research about how to make 'mouse moves and scroll more realistic/meaningful'" on the datacenter computer servers. ZHUKOV similarly instructed TIMOKHIN to address the "lack of mouse move," an undertaking that continued over the following year. TIMOKHIN researched methods for simulating mouse movements by, for example, running an online search for "actionscript simulate mouse click."

(c) On or about October 28, 2014, NOVIKOV discussed "[e]mulating 'video watch'" on the datacenter computer servers and cautioned that "[t]he videos need to be clicked on and watched for 60-90 seconds."
This was because advertisers often would not pay for a video impression unless they knew that the user had watched the video for a substantial amount of time.

(d) On or about November 21, 2014, ANDREEV circulated programming code and stated that it was designed to set the datacenter computer servers' "IP address time zone" to "EST"—Eastern Standard Time—"by default." Earlier that day, ANDREEV had run an online search for "new york timezone."

(e) On or about December 1, 2014, ANDREEV circulated programming code designed to cause the datacenter computer servers to automatically start and stop an online video player, and stated, "Basically this is how it is possible to generate the events."

(f) In a to-do list dated June 25, 2015, ZHUKOV instructed TIMOKHIN to cause the datacenter computer servers to appear to be signed into Facebook: "add authorization for Facebook [] users. There is Google, twitter too; [but] no FB (There should be approximately 40% of them.)"

(g) On or about August 4, 2015, ZHUKOV stated that he intended to research the fraud detection software deployed by certain U.S. cybersecurity firms and "check [] out [their] filter for the possibility of fucking them over."

18. On or about October 16, 2016, after discovering that the signals coming from the datacenter computer servers did not register as fraudulent with a certain U.S. cybersecurity firm, ZHUKOV boasted to TIMOKHIN that their scheme was "magnificent." On or about December 10, 2016, ZHUKOV sent an email to a potential business partner in which he offered "100% USA traffic" that could pass through "filters" from various U.S. cybersecurity firms and amounted to "20-50 millions [sic] impressions daily."

19.
To further deceive SSPs and others in the digital advertising industry into believing that the datacenter computer servers were genuine human users, ZHUKOV and others leased more than 650,000 Internet Protocol ("IP") addresses from various IP address leasing companies and assigned multiple IP addresses to each of the datacenter computer servers. ZHUKOV, AVDEEV and others then created false entries for the datacenter computer servers in a global register of IP addresses. These false entries made it appear that the datacenter computer servers controlled by the Methbot defendants were residential computers belonging to individual human internet users who were subscribed to various residential internet service providers. For example:

(a) Several of the false IP address registry entries misappropriated or mimicked the corporate identities of at least six major U.S. internet service providers, including at least one provider with offices in the Eastern District of New York. ZHUKOV maintained a list of these and other false corporate names in his cloud storage account. None of the IP addresses registered in the respective U.S. internet service providers' real or mimicked names was actually in their possession, custody or control. In this way, the Methbot defendants sought to make it appear to SSPs and others that the computers in question belonged to customers of these internet service providers, rather than being located in datacenters.

(b) For the same reason, the Methbot defendants also incorporated false usage and location information into the IP address registries.
For example, on or about May 13, 2016, AVDEEV directed an IP leasing company to change the "Usage type" for approximately 261,000 leased IP addresses from "commercial" or "datacenter" to "ISP" (internet service provider), ascribe a more diverse set of cities and states to the leased IP addresses, and reduce the number of leased IP addresses associated with certain small cities to more realistic levels commensurate with their populations. In this way, the Methbot defendants sought to make it appear to SSPs and others that the computers in question belonged to real human internet users located in homes and businesses around the country.

20. The Methbot defendants thus created the illusion that real human internet users were visiting real internet webpages. ZHUKOV and others solicited bids on the opportunity to show advertisements to those purported users. In response, DSPs bid on those opportunities. The winning DSPs made payments to SSPs (using money provided by brands) in return for the purported impressions, and the SSPs transferred those payments to advertising networks to be passed along the chain of intermediaries described above.

21. OVSYANNIKOV collaborated with the Methbot defendants to knowingly obtain fraudulent ad traffic for his own companies. OVSYANNIKOV did business with the Methbot defendants, purchased fraudulent ad traffic from the Methbot defendants and provided the Methbot defendants with technical advice and assistance to ensure that the fraudulent ad traffic passed as real. For example, on or about October 22, 2014, OVSYANNIKOV instructed NOVIKOV that the datacenter computer servers' automated browsers needed to include "accept-language" in their headers—indicating the purported user's preferred language—to evade fraud detection software. Similarly, in or about November 2014, OVSYANNIKOV discussed the concept of "mouse move" with the Methbot defendants.

22.
Over the course of the scheme, the Methbot defendants falsified billions of ad impressions. Hundreds of brands and ad agencies around the world, including many in the United States and at least one with offices in the Eastern District of New York, collectively paid more than $7 million in advertising fees for fraudulent ad traffic. The Methbot defendants, in turn, reaped millions of dollars in revenue.

23. The Methbot defendants recorded the revenue from the datacenter-based scheme—which amounted to 10s of thousands of dollars daily—using an online control panel that tracked the millions of bids solicited by the datacenter computer servers each day and the millions of resulting ad impressions falsified each day. For example, during a single day in October 2016, the Methbot defendants recorded more than $56,000 in revenue from placing more than 442 million fraudulent bid requests and falsifying more than 16 million ad impressions.

24. The Methbot defendants re-invested some of the proceeds from the datacenter-based scheme to perpetuate the fraud, and they concealed other proceeds by transferring them to other companies. For example, ZHUKOV directed payments from ad networks to a corporate bank account located in the Czech Republic, which he then used to pay for servers and IP addresses used in the scheme. ZHUKOV also redirected $5.4 million from the account to a corporate bank account located in New Zealand.

25. On or about December 20, 2016, researchers at a private cybersecurity firm based in New York City publicly revealed the operation of the datacenter-based scheme in a white paper titled "The Methbot Operation."

26. The Methbot defendants reacted to the publication of the white paper by attempting to delete evidence.
They deleted all of their communications from the online project management platform that they used to develop the scheme, and they deleted more than 26,000 emails from an email account identified in the white paper, which was the