A Weblog About Topics and Issues Discussed in the Book Spam Kings by Brian McWilliams


November 3, 2005

Botmaster busted

The FBI arrested a 20-year-old "botmaster" this morning. James Ancheta of Downey, California was indicted for profiting from a large "botnet" or network of infected computers (bots) he operated.

According to the feds, Ancheta built his botnet by infecting thousands of computers with a variant of the rxbot Trojan horse.

From June 2004 to June 2005, Ancheta, who used the online nickname resili3nt, allegedly made about $60,000 in commissions by surreptitiously installing a modified adware program, known as a "clicker," on the infected PCs. The payments came from adware companies including Gammacash.com and Loudcash.com (now known as Zango), which pay a fee to affiliates for referring traffic or getting Internet users to install their adware.

According to the indictment, Ancheta at one point told an associate, "it's immoral, but the money makes it right." (Grab a copy of the indictment -- 52 pages, 2.5 Mb PDF -- here.)

Ancheta also allegedly made around $3,000 by renting out bots to spammers or people who wanted to perform denial-of-service attacks.

Ancheta used his earnings to purchase a 1993 BMW 325is. (His license plate was j4m3zzz.)

In an online profile, Ancheta listed his occupation as "advertising." For his website address, Ancheta provided SHK-SECURITY.NET. (The site isn't currently online, but an old version of the domain registration says the initials stand for Shadow Hackers Krew.)

According to the indictment, the FBI originally raided Ancheta in December 2004 and confiscated two computers. A former Ancheta associate told me this evening that the FBI arrested Ancheta today after telling him he could pick up his equipment at the FBI office.

Strangely, Gammacash continued to make commission payments to Ancheta's Wells Fargo bank account for several months after the December bust, including a deposit of nearly $8,000 in March.

According to the former associate, "every company like zango/loudcash knows the majority of there [sic] installs come from botnets."

The Department of Justice has called the case "the first prosecution of its kind in the nation."

Posted by brian at November 3, 2005 9:29 PM



© 2004 O'Reilly Media, Inc.