Latvian Cybercriminal Extradited For "Scareware" Hacking Scheme That Caused Millions of Dollars in Loss

A Latvian man made his initial appearance today in Minneapolis following extradition from Poland for his involvement in a “scareware” hacking scheme that targeted the Minneapolis Star Tribune’s website and caused millions of dollars in losses to Internet users. Acting Assistant Attorney General Kenneth A. Blanco of the Department of Justice’s Criminal Division; Acting U.S. Attorney Gregory G. Brooker of the District of Minnesota; and Special Agent in Charge Richard T. Thornton of the FBI’s Minneapolis Field Office made the announcement.

Peteris Sahurovs aka “Piotrek” aka “Sagade,” was indicted in 2011 in the District of Minnesota on charges of wire fraud, computer fraud and conspiracy. Sahurovs was arrested on the indictment in Latvia in June of 2011. He was released by a Latvian court and later fled. In November of 2016, Sahurovs was located in Poland and apprehended by Polish law enforcement, after which the U.S. began extradition proceedings. Sahurovs was at one time the FBI’s fifth most wanted cybercriminal and a reward of up to $50,000 had been offered for information leading to his arrest and conviction.

Scareware is a type of malicious software, or malware, that poses as legitimate computer security software and purports to detect a variety of threats on the affected computer that do not actually exist. Computer users are informed they must purchase what they are told is anti-virus software in order to repair their computers. The users are then barraged with aggressive and disruptive notifications – and sometimes prevented from using their computer – until they supply their credit card number and pay for a fraudulent “anti-virus” product.

According to the indictment, Sahurovs and members of the conspiracy relied on fraudulent online advertising to spread their malware. The defendants created a phony advertising agency and claimed that they represented an American hotel chain that wanted to purchase online advertising space on the Minneapolis Star Tribune’s news website, startribune.com. After their advertisement began running on the website, the defendants changed the computer code in the ad so that the computers of visitors to the startribune.com were infected with malware.

The indictment alleges that the malware caused users’ computers to “freeze up” and then generate a series of pop-up warnings in an attempt to trick users into purchasing purported “antivirus” software to fix the problems created by the malware. The “antivirus” software, if purchased, “unfroze” victim computers and stopped the pop-ups and security notifications, but the malware remained hidden on their computers. Users who failed to purchase the “antivirus” software found that all information, data and files stored on the computer became inaccessible. The scheme generated more than $2 million in proceeds.

An indictment is merely an allegation and defendants are presumed innocent until proven guilty.

This case is being investigated by the FBI’s Minneapolis Field Office. Assistant U.S. Attorney Timothy C. Rank of the District of Minnesota and Trial Attorney Aaron R. Cooper of the Criminal Division’s Computer Crime and Intellectual Property Section are prosecuting the case. The Department’s Office of International Affairs provided substantial assistance in this matter. The Latvian State Police; and the Polish National Police, the National Prosecutor’s Office, and the Ministry of Justice also provided significant assistance and cooperation.