Russian national pleads guilty to building now-dismantled IPStorm proxy botnet

The FBI says it has dismantled another botnet after collaring its operator, who admitted hijacking tens of thousands of machines around the world to create his network of obedient nodes.

Sergei Makinin, a Russian and Moldovan national, was cuffed in Florida in January and sent to Puerto Rico, where he pleaded guilty [PDF] in September, details of which were only publicized today by the US Department of Justice (DoJ). Makinin specifically coughed to three counts of violating Title 18 1030(a)(5)(A) of the US Code, which makes it illegal to knowingly transmitting computer software that intentionally causes damage to protected systems.

Makinin admitted that in 2019 he created a botnet that became known as IPStorm for its abuse of the grandiosely named InterPlanetary File System (IPFS) peer-to-peer (P2P) network. IPFS is a decentralized, distributed file system that allows one to store and share data in a P2P network.

First discovered in May of that year, IPStorm used its own P2P protocol that piggybacked IPFS to mask its activities and hide itself among legitimate IPFS traffic, a known problem with the underlying protocol The Register reported on previously. 

Technically speaking, IPStorm is Windows malware that infects PCs and then sits on top of IPFS, and uses that network to receive and run arbitrary PowerShell code from its operator. Thus the compromised machines could be instructed to potentially perform all kinds of malicious things.

The software nasty later expanded to target Mac, Linux, and Android devices, the DoJ said. But rather than using the botnet to steal or ransom data, Makinin appears to have simply been out to make a few (hundred thousand) bucks letting others use his network of nodes as a set of proxies through which traffic could be directed, obfuscating the source of connections. The botnet effectively helped paying miscreants operate anonymously online, hiding themselves behind victims’ infected equipment. It’s said IPStorm got itself onto people’s devices via brute-force attacks on SSH servers.

“The main purpose of the botnet was to turn infected devices into proxies as part of a for-profit scheme, which made access to these proxies available through Makinin’s websites,” the DoJ said today in a statement on Makinin’s guilty plea. “Through those websites, Makinin sold illegitimate access to the infected, controlled devices to customers seeking to hide their Internet activities.” 

Per the DoJ, Manikin marketed his underground proxy network as having over 23,000 infected nodes, and he made “at least” $550,000 between June 2019 and December 2022. The FBI has since dismantled the network, as part of a deal with Makinin to plead guilty, the DoJ said. He faces a maximum of 10 years in prison for each count. 

What’s one botnet?

Botnets have proliferated in recent years with the rise of insecure IoT devices and other internet-connected gear, and attempts to take them out have had limited success.

Take Qakbot, for example, which managed to evade disruption for years before finally being “taken down” by US law enforcement in August. As of October, the folks behind it are reportedly still in business and using methods similar to those in use before the FBI-led Operation Duck Hunt caused a brief interlude in their operations. 

• KmsdBot botnet is down after operator sends typo in command
• Notorious Emotet botnet returns after a few months off
• Veilid: A secure peer-to-peer network for apps that flips off the surveillance economy
• Mirai reloads exploit arsenal as botnet embarks on another expansion drive

Makinin’s botnet is no more, but that doesn’t mean others won’t rise to abuse IPFS in its place.

As we reported last year, IPFS is already used by plenty of criminals – not just Makinin – and is an ideal environment for exploitation. According to Trustwave researchers writing about IPFS last year, its decentralized, peer-to-peer design means data, legitimate or malicious, is persistent and accessible even if a malicious node is removed. 

“With data persistence, robust network, and little regulation, IPFS is perhaps an ideal platform for attackers to host and share malicious content,” Trustwave said. Their research focused on IPFS’s use for phishing attacks, but where there’s one botnet, there’s sure to be more. ®