In December of 2021, Google filed a civil lawsuit against two Russian nationals, and 15 “John Doe” defendants, thought to be responsible for operating Glupteba, one of the Internet’s oldest and largest botnets. 

Google alleged that the defendants were in violation of the Racketeer Influenced and Corrupt Organizations Act (RICO), the Computer Fraud and Abuse Act, trademark and unfair competition law, and unjust enrichment.

In June of 2022, Google and the named defendants agreed to proceed with the case as a nonjury action, since Google withdrew its claim for damages and was seeking only injunctive relief to halt the botnet’s operations.

The defendants worked for Valtron, a Russian firm also named in the lawsuit.  They told Google they were interested in settling, and could potentially help Google by taking the botnet offline. 

But the defendants left the court frustrated by the fact that they refused to consent to a permanent injunction. They were not, however, able to explain why an injunction forbidding them from participating in unlawful activities would be an issue.

“The Defendants insisted that they were not engaged in criminal activity, and that any alleged activity in which they were engaged was legitimate,” U.S. District Court Judge Denise Cote wrote. “Nevertheless, the Defendants resisted entry of a permanent injunction, asserting that Google’s use of the preliminary injunction had disrupted their normal business operations.”

Though the defendants indicated that they could dismantle the Glupteba botnet, the attorney for the defendants, Igor Litvak, told the court at the time of discovery - when information is exchanged between parties regarding evidence that will be presented at trial - that his clients had been fired by Valtron in late 2021, and therefore no longer had access to their laptops, work, or the botnet itself.

Litvak stated that he first learned about his clients’ dismissal from Valtron on May 20.  However, statements made by Litvak after that date indicated his clients had access to the botnet.

Ultimately, the court suspended the discovery process, stating there was reason to believe that the defendants only sought discovery “to learn whether they could circumvent the steps Google has taken to block the malware.”

On September 6, Litvak emailed Google that his clients were willing to discuss a settlement.  Two days later, a call was held in which Litvak stated the defendants would be willing to provide Google with the private keys for Bitcoin addresses associated with Glupteba, and would promise, without any admission of wrongdoing, not to engage in alleged criminal activity going forward.  The defendants stated that, though they did not currently have access to the keys, Valtron would be willing to provide them if the case were settled.  They also stated they believed these keys would help Google to shut down the Glupteba botnet.

In return, the defendants sought to receive an agreement from Google not to report them to law enforcement, and to pay $1 million to each defendant plus $110,000 in attorney’s fees.

Unsurprisingly, Google rejected the defendants’ offer as extortionate, and reported it to law enforcement.  The judge on the case also found Litvak complicit in his defendants’ attempt to mislead the court, and ordered that he join the defendants in paying Google’s legal fees.

“It is now clear that the Defendants appeared in this Court not to proceed in good faith to defend against Google’s claims but with the intent to abuse the court system and discovery rules to reap a profit from Google,” Judge Cote wrote.

Litvak states the judge was wrong to issue sanctions, and has filed a motion to reconsider.  He has stated if the court does not decide to vacate the sanctions, that his goal is to get the case back in a court room for appeal.

Meanwhile, Google states they’ve observed a 78% drop in the number of hosts infected by the Glupteba virus since its technical and legal attacks began on the botnet last year.  This could have something to do with the fact that having a legal spotlight on the group makes it less appealing for other criminal operations to work with them.

From KrebsonSecurity.com