
The Russian Hacker Who Became the FBI Informant

The famous Russian hacker turned out to be an FBI agent

In a revealing investigation, Russian news outlet Gazeta.ru has uncovered evidence suggesting that the notorious Russian hacker Pyotr Levashov, known in cybercrime circles as "Severa," has been working as an FBI informant since 2018. 

The investigation presents a complex narrative of one of Russia's most prominent cybercriminals and his transformation into a cooperative asset for U.S. law enforcement.

According to Gazeta.ru, Levashov was born in 1980 in Leningrad (now St. Petersburg) and built his reputation in the cybercrime world by creating and operating sophisticated botnets named Storm Worm, Waledac, and Kelihos in 2007, 2008, and 2010.

Among these botnets, Kelihos alone could send up to 4 billion spam messages daily, which earned Levashov the moniker "King of Spam" and consistently placed him in the Spamhaus Project's top 10 list of global spammers.

The turning point in Levashov's career came in 2017 when Spanish authorities arrested him in Barcelona at the request of the U.S. Department of Justice. 

While initial media reports suggested his arrest was connected to potential interference in the 2016 U.S. presidential election, the actual charges focused on his role in operating the Kelihos botnet for malware distribution and cyber fraud.

According to court documents and testimony revealed in the investigation, Levashov began cooperating with the FBI in 2018, shortly after his extradition to the United States. During his imprisonment, he participated in more than 100 meetings with FBI agents – a number that Koshkin's defense lawyer described as "astounding." Perhaps more tellingly, after his release on bail, Levashov reportedly received a monthly "allowance" of $6,000 from the U.S. government.

The investigation suggests that Levashov's cooperation extended beyond his own case. He testified in the trial of Oleg Koshkin, another Russian cybercriminal charged with creating the Crypto4u service for malware concealment. 

Koshkin was subsequently sentenced to four years in prison in December 2021.

In a conversation with Gazeta.ru, Dmitry Naskovets, a former cybercriminal turned lawyer at Sharova Law Firm, provided insight into the FBI's strategy with Russian hackers:

"Almost every cybercriminal from Russia and the CIS in the United States sooner or later faces an ultimatum after being arrested. They are offered a choice: plead guilty and serve, say, 10 years, not admit guilt and serve 30 years, or plead guilty, start cooperating with the special services and receive a minimum sentence or none at all."

Who is Dmitry Naskovets?
Dmitry Naskovets is a former cybercriminal from Belarus. In 2010, he was detained in the Czech Republic and extradited to the United States, where he faced a series of charges related mainly to telephone fraud. Naskovets pleaded guilty and was released in 2015, avoided deportation to Belarus and eventually legalized in the United States. In 2021, he and his wife began working at Sharova Law Firm, which defends Russian cyber criminals in American courts. — Gazeta.Ru

Gazeta's investigation also reveals an intriguing secondary identity allegedly associated with Levashov.

Evidence suggests he may be operating under the pseudonym "Bratva" on hacker forums and Telegram channels, where he publishes exposes on Russian-speaking cybercriminals. 

This activity, according to cybersecurity experts interviewed by Gazeta.ru, appears designed to help U.S. authorities identify and build cases against Russian-speaking cybercriminals.

The consequences of Levashov's alleged cooperation with U.S. authorities could be severe if he returns to Russia. Igor Bederov, head of information and analytical research at T.Hunter, noted that while cooperation with foreign intelligence services represents a serious violation of military oath for a Russian army officer, the more immediate concern would be potential prosecution under other charges.

Despite the mounting evidence, Levashov maintains his innocence regarding any cooperation with U.S. authorities. 

Gazeta.ru noted that, in a December 2024 statement to the outlet, he firmly denied any collaboration with American intelligence services, asserting, "I was, am, and will be a patriot of Russia."

The Bratva-XSS Connection

The investigation reveals a fascinating timeline of events connecting Levashov to the persona of Bratva on the XSS forum, one of the largest Russian-language hacker platforms. According to Gazeta.ru's findings, Bratva first appeared on XSS in January 2022, coinciding suspiciously with Levashov's return to the platform under his known alias "Severa."

The timing is particularly noteworthy. On January 25, 2022, Levashov made his first post on XSS after his release, writing under his Severa profile in a thread titled "The 'King of Spam' Peter Levashov (Severa) was released in the United States." 

In this post, he adamantly denied any cooperation with U.S. authorities. Just one day later, on January 26, the user "Bratva" registered on XSS and quickly gained prominence, eventually becoming a moderator of the forum's "Behind-the-scenes discussions" section.

The investigation uncovered that Bratva's role on XSS was particularly focused on moderating discussions about "the backstage of the hacker sphere, internal workings, historical facts, scandals, intrigues, investigations." This position gave the user significant visibility into the community's private dealings.

A pivotal moment in establishing the connection between Bratva and Levashov came during the Club1337 incident. 

Club1337 was an exclusive Telegram chat group with approximately 20 members, all veteran participants of darknet hacker forums. According to a source who witnessed the events, Levashov had shown persistent interest in gaining access to this group, repeatedly inquiring about its members and activities.

The source, one of the witnesses of the confrontation between Bratva and Club1337 whom Gazeta managed to talk to, detailed a telling sequence of events: "Levashov came to me asking about who was in the chat. I knew four names... He said he knew five and listed them. Less than 24 hours later, around 20 hours, the Telegram administration deleted the Club1337 chat and channel. Immediately after, Bratva posted on XSS, revealing the exact same five names from Club1337 that Levashov had recently mentioned."

Screenshot from the XSS forum in which Bratva exposes the names of Club1337 members | Image Credit: Gazeta.Ru

This revelation caused significant upheaval in the cybercriminal community, as it violated one of their fundamental rules. 

As XSS user Mikhail Lomaka explained to Gazeta.ru: "In our subculture, it is forbidden to 'dox' - to de-anonymize someone against their will. This is a prohibition, a taboo, a fundamental rule... Bratva acted in complete opposition to these principles."

The aftermath of the Club1337 incident led to increased scrutiny of Bratva's identity within the hacker community. Various XSS users, including rfm0x and Student, began publicly suggesting that Bratva was actually Levashov. 

The investigation notes that while Bratva and Levashov both deny any connection, their behavioral patterns on the forum, including similar questioning styles and shared interests in specific information, suggest otherwise.

This XSS forum connection provides crucial context for understanding how Levashov may have continued to operate within the cybercriminal community while potentially serving as an FBI informant. The platform essentially became a stage where this complex drama of identity, loyalty, and betrayal played out in full view of the Russian-speaking hacker community.

Source:
https://www.gazeta.ru/tech/2025/02/04/20490440.shtml
