Russian Botnet Manager Sentenced to 2 Years Over BitPaymer Ransomware Attacks
Russian cybercriminal Ilya Angelov, who ran the “Mario Kart” botnet used to launch BitPaymer ransomware against 72 U.S. companies, pleaded guilty and was sentenced to two years in prison after traveling to the United States. The botnet distributed malware via massive spam campaigns, infected thousands of computers daily between 2017 and 2021, and sold access to other criminal groups, resulting in over $14 million in extortion payments. Angelov’s case follows similar prosecutions of Russian cybercriminals involved in ransomware operations.

Two-Year Prison Sentence for Botnet Operator Behind BitPaymer Attacks Highlights Scale of Ransomware Campaigns
A Russian national has been sentenced to two years in prison after admitting that the phishing botnet he managed was used to launch BitPaymer ransomware attacks against 72 U.S. companies. The case centers on Ilya Angelov, a 40-year-old described by prosecutors as a computer intruder, who operated under the online handles “milan” and “okart.” In the wake of Russia’s invasion of Ukraine in February 2022, he traveled to the United States to plead guilty and face the charges; the move came after Vyacheslav Igorevich Penchukov, a member of the IcedID cybercrime gang, was arrested in Switzerland.
Angelov was identified as one of two leaders of a Russian cybercriminal operation that the FBI tracks as Mario Kart, a moniker that cybersecurity researchers associate with the TA551 threat cluster, itself also tracked as Shathak, GOLD CABIN, Monster Libra, ATK236, and G0127. As co-manager, he helped recruit members and directed the group’s malicious activities. The crew covered a wide spectrum of roles: software developers who built the malware and the programs used to flood mailboxes with spam, and operators who customized those tools to evade security software.
Prosecutors describe a massive phishing operation that churned out around 700,000 emails a day. Recipients who clicked on attachments would find themselves infected, with their machines added to the Mario Kart botnet. At the operation’s height, as many as 3,000 computers could be infected daily, creating a vast pool of compromised devices that could be harnessed for further crime.
The botnet’s purpose extended beyond initial infection. It was used to distribute malware on a global scale and, crucially, to sell access to infected devices to other cybercriminals. These buyers often operated within the Ransomware-as-a-Service (RaaS) model, using the compromised machines as a foothold for extortion: they encrypted the victims’ networks and demanded ransoms, typically payable in cryptocurrency, to restore access.
The Justice Department’s filing notes that the FBI identified more than 70 U.S. corporations infected by operations linked to Angelov’s group, with extortion payments totaling more than $14 million. The core BitPaymer attacks occurred between August 2018 and December 2019. In a related but separate stream of revenue, the IcedID gang paid Angelov and his associates another roughly $1 million from late 2019 to August 2021 for continued access to their botnet—though the full extent of the resulting damage remains unclear.
TA551, the threat actor cluster associated with Angelov’s outfit, has historically shown flexibility and a willingness to collaborate with other crime groups. The same network has been linked through its phishing campaigns to various malware operators and ransomware crews, including TrickBot and the Conti ransomware operation. Authorities have also noted collaborations with the groups behind ProLock, Egregor, and DoppelPaymer, delivered via Qbot/QakBot infection chains, illustrating how these criminal ecosystems intertwine to maximize reach and profit.
In a broader context of law enforcement action against cybercrime, Angelov’s sentencing coincides with other high-profile cases. For instance, Aleksey Olegovich Volkov, a 26-year-old Russian national, was sentenced to nearly seven years for acting as an initial access broker in support of Yanluowang ransomware attacks. Taken together, these sentences underscore the ongoing global crackdown on cybercriminal networks that rely on phishing, botnets, and ransomware to generate substantial profits.
The BitPaymer operation and its associated individuals highlight several enduring themes in contemporary cybercrime. First, large-scale botnets remain a favored weapon for distributing malware and for enabling subsequent rounds of extortion. A single campaign can touch dozens or hundreds of organizations across multiple sectors, with financial damage measured not only in ransom payments but also in the costs of remediation, downtime, and reputational harm. Second, the RaaS model continues to attract a wide array of participants, who specialize in different parts of the chain—from code development to distribution to monetization—creating a resilient ecosystem that can adapt quickly to takedowns or arrests. Third, law enforcement’s increasing willingness to pursue cases across borders—arresting individuals abroad or extraditing suspects—means that criminal operators can no longer rely on geography to shield their activities.
The case also serves as a reminder that the impact of these crimes often extends beyond immediate financial losses. Infected networks can suffer prolonged downtime, disrupted operations, and the costs of rebuilding defenses against future intrusions. The collaboration between federal investigators, international partners, and private sector threat researchers continues to be a crucial ingredient in identifying, interrupting, and prosecuting these sophisticated cybercrime networks.
As the cybercrime landscape evolves, the Angelov case stands as a stark example of how phishing campaigns, botnets, and ransomware operations intertwine to produce substantial illicit gains—and how determined enforcement actions are increasingly effective at dismantling these networks and delivering consequences to those who orchestrate them.