
Russian botnet administrator sentenced to two years

A Russian cybercriminal received a two-year federal prison sentence for helping run a botnet (a network of malware-infected devices) that enabled ransomware attacks against more than 70 US corporations.


What happened

The DOJ announced that Ilya Angelov, 40, of Tolyatti, Russia, known online as "Milan" and "Okart," was sentenced to 24 months in federal prison, fined $100,000, and hit with a $1.6 million money judgment that allows the government to seize assets tied to his criminal proceeds. Angelov co-managed a threat group the FBI tracked as Mario Kart, which the cybersecurity community tracked under multiple aliases, including TA-551, Shathak, Gold Cabin, Monster Libra, G0127, and ATK236. Between 2017 and 2021, the group built a botnet by distributing malware through spam email attachments, then sold access to the compromised machines to ransomware operators. The botnet facilitated attacks against more than 70 US corporations, generating over $14 million in ransom payments. Angelov has been in custody since 2023 and pleaded guilty to his role in the operation before sentencing.


Going deeper

TA-551 distributed several well-known malware strains to build and expand its botnet, including:

  • Emotet – a modular banking trojan frequently used as a malware dropper
  • IcedID – a banking trojan known for enabling follow-on attacks
  • Qbot (also known as QakBot) – used for credential theft and ransomware delivery
  • Ursnif – a banking trojan used for data exfiltration

The group's model was largely that of a malware-as-a-service operation. They would infect machines via spam, aggregate them into a botnet, then sell entry points to ransomware groups who would lock victims out of their networks and demand cryptocurrency payments to restore access. One ransomware group alone paid Angelov's group over a million dollars for botnet access.

The case was investigated by the FBI Detroit Cyber Task Force with assistance from Dutch and German authorities, and prosecuted by Assistant United States Attorney Timothy Wyse.

Learn more: What is Malware-as-a-Service?


What was said

U.S. Attorney Jerome F. Gorgon Jr. addressed the broader threat posed by foreign cybercriminals, stating, "Foreign cybercriminals like this defendant target American citizens and corporations. Their methods grow in sophistication. But their motive remains the same — to rip off and harm us. We are grateful to the FBI and our other partners for their continued vigilance."

Special Agent in Charge Jennifer Runyan of the FBI Detroit Field Office issued a direct warning to cybercriminals: "May this sentencing serve as a strong message to cyber criminals who believe they can hide behind screens and false identities: you cannot escape the FBI's reach. You will be held accountable." Runyan added that the case reflects the FBI's ongoing commitment to "identifying, tracking, and dismantling the criminal networks that financially exploit individuals and U.S. corporations."


By the numbers

  • $14 million+: ransom payments generated through botnet-facilitated attacks
  • $1 million+: paid to Angelov's group by a single ransomware organization for botnet access
  • 70+: US corporations targeted
  • 2017–2021: period of criminal activity
  • 24 months: federal prison sentence
  • $100,000: fine imposed
  • $1.6 million: money judgment to enable asset seizure
  • 2023: year Angelov was taken into custody


Why it matters

The botnet-as-a-service model is an enabler of the broader ransomware ecosystem, and prosecuting administrators like Angelov targets the supply chain that ransomware groups depend on.

The $14 million in ransom payments across 70+ US corporations also shows the damage a single botnet operation can cause. For healthcare organizations and other HIPAA-covered entities, botnet-distributed malware such as Emotet and IcedID has historically preceded ransomware deployment, which means the initial spam email attachment is often the first step in a breach that ends in patient data exposure.

Angelov's sentencing follows closely on the DOJ's announcement that fellow Russian national Aleksei Volkov received 81 months in prison for his role in ransomware attacks, showing US prosecutorial focus on dismantling ransomware infrastructure at every level.


The bottom line

For organizations still relying on perimeter defenses alone, cases like this are a reminder that the threat enters through the inbox. Reviewing email security controls and ensuring staff can identify malicious attachments remains an effective way to prevent malware-as-a-service attacks.

Related: HIPAA Compliant Email: The Definitive Guide


FAQs

What is a botnet?

A botnet is a network of computers infected with malware and controlled remotely by cybercriminals, often without the device owners' knowledge.


How do ransomware groups gain access to corporate networks?

Ransomware groups frequently purchase access to already-compromised machines from botnet operators rather than infiltrating networks themselves.


What is cryptocurrency's role in ransomware attacks?

Cybercriminals normally demand ransom payments in cryptocurrency because it makes transactions harder to trace and seize.

