Latvian National Pleads Guilty to “Scareware” Hacking Scheme That Targeted Minneapolis Star Tribune Website

A Latvian man pleaded guilty today in Minneapolis for participating in a lucrative “scareware” hacking scheme that targeted visitors to the Minneapolis Star Tribune’s website.  Acting Assistant Attorney General John P. Cronan of the Justice Department’s Criminal Division, U.S. Attorney Gregory G. Brooker of the District of Minnesota and Special Agent in Charge Richard T. Thornton of the FBI’s Minneapolis Field Office made the announcement.

Peteris Sahurovs aka Piotrek and Sagade, 28, pleaded guilty to one count of conspiracy to commit wire fraud before District Judge Ann D. Montgomery of the District of Minnesota.  Sahurovs was arrested on a District of Minnesota indictment in Latvia in June of 2011, but was released by a Latvian court and later fled.  In November of 2016, Sahurovs was located in Poland and apprehended by Polish law enforcement and extradited to the United States in June 2017. Sahurovs was at one time the FBI’s fifth most wanted cybercriminal and a reward of up to $50,000 had been offered for information leading to his arrest and conviction.  He will be sentenced on June 6.

According to admissions made in connection with his plea, from at least May 2009 to June 2011, Sahurovs operated a “bullet-proof” web hosting service in Latvia, through which he leased server space to customers seeking to carry out criminal schemes without being identified or taken offline.  The defendant admitted that he knew his customers were using his servers to perpetrate criminal schemes, including the transmission of malware, fake anti-virus software, spam, and botnets to unwitting victims, and he received notices from Internet governance entities (such as Spamhaus) that his servers were hosting malicious activity.  Nonetheless, Sahurovs admitted he took steps to protect the criminal schemes from being discovered or disrupted, and hosted them on his servers for financial gain.

Sahurovs admitted that from in or about February 2010 to in or about September 2010, he registered domain names, provided bullet-proof hosting services, and gave technical support to a “scareware” scheme targeting visitors to the Minneapolis Star Tribune’s website.  On Feb. 19, 2010, the Minneapolis Star Tribune began hosting an online advertisement, purporting to be for Best Western hotels, on its website, startribune.com.  Two days later, however, the advertisement began causing the computers of visitors to the website to be infected with malware.  This malware, also known as “scareware,” caused visitors to experience slow system performance, unwanted pop-ups and total system failure.  Website visitors also received a fake “Windows Security Alert” pop-up informing them that their computer had been infected with a virus and another pop-up that falsely represented that they needed to purchase the “Antivirus Soft” computer program to fix their security issues, at a price of $49.95.

Website visitors who clicked the “Antivirus Soft” window were presented with an online order form to purchase a purported security program called “Antivirus Soft.”  Users who purchased “Antivirus Soft” would receive a file download that “unfroze” their computers and stopped the pop-ups and security notifications.  However, the defendant admitted, the file was not a real anti-virus product and did not perform legitimate computer security functions, and merely caused malware that members of the conspiracy had previously installed to cease operating.  Meanwhile, the defendant admitted, victim users who did not choose to purchase “Antivirus Soft” became immediately inundated with so many pop-ups containing fraudulent “security alerts” that all information, data, and files on their computers were rendered inaccessible.  Members of the conspiracy defrauded victims out of substantial amounts of money as a result of the scheme.  The defendant admitted that as a result of his participation, he made between $150,000 and $250,000 U.S. dollars.

This case was investigated by the FBI’s Minneapolis Field Office.  The Criminal Division’s Office of International Affairs, as well as the Polish National Police, the National Prosecutor’s Office, and the Ministry of Justice provided substantial assistance. Assistant U.S. Attorney Timothy C. Rank of the District of Minnesota and Trial Attorney Aaron R. Cooper of the Criminal Division’s Computer Crime and Intellectual Property Section are prosecuting the case. The Department’s Office of International Affairs also provided substantial assistance in this matter.