
A Russian national has been sentenced to two years in prison after admitting that the phishing botnet he managed was used to launch BitPaymer ransomware attacks against 72 U.S. companies.
According to court documents, 40-year-old Ilya Angelov (who used the "milan" and "okart" online handles) decided to travel to the United States to plead guilty and face charges after the Russian invasion of Ukraine in February 2022 and after Vyacheslav Igorevich Penchukov, a member of the IcedID cybercrime gang and a criminal associate, was arrested in Switzerland.
Angelov was one of two leaders of a Russian cybercriminal operation tracked by the FBI as Mario Kart, and by threat analysts at various cybersecurity companies as TA551, Shathak, GOLD CABIN, Monster Libra, ATK236, and G0127.
Angelov and the other co-manager recruited members and oversaw the operation's malicious activities. The gang members filled a wide range of roles, including software coders responsible for developing malware, developing programs that distributed spam email, and customizing malware to evade security software.
"Through a massive spam email campaign—which could send 700,000 emails a day—the group distributed malware around the globe," prosecutors said. "If an unwitting recipient clicked on an attachment to one of the group's emails, concealed malware would infect their computer and add it to the Mario Kart botnet. At the height of the group's operation, approximately 3,000 computers per day could be infected."
The cybercrime gang used a massive botnet to distribute malware in large-scale phishing campaigns between 2017 and 2021, then sold access to infected devices to other cybercriminals, including affiliates involved in Ransomware-as-a-Service (RaaS) operations.
"This access was sold to other criminal groups, who typically engaged in ransomware extortion schemes: locking victims out of their computer networks and demanding extortion payments — commonly in cryptocurrency — to restore access," the Justice Department said on Tuesday.
"The FBI has identified over 70 U.S. corporations that were infected with ransomware by one organization linked to Angelov's group, resulting in over $14 million in extortion payments."
These attacks took place between August 2018 and December 2019 and were all linked to the BitPaymer ransomware operation. The IcedID cybercrime gang also paid Angelov and his accomplices another million dollars between late 2019 and August 2021 for access to their bots, but the resulting damage is not yet known.
In the past, TA551 has been linked to various malware operators and some ransomware affiliates. TA551 operators also partnered with the notorious TrickBot gang (Wizard Spider) in phishing campaigns that deployed Conti ransomware on targets' compromised systems.
France's Computer Emergency Response Team (CERT) also flagged TA551 as a collaborator in the Lockean ransomware operation, helping its affiliates drop ProLock, Egregor, and DoppelPaymer ransomware payloads on devices infected with the Qbot/QakBot banking trojan.
26-year-old Russian national Aleksey Olegovich Volkov was also sentenced to nearly 7 years in prison this week after pleading guilty to acting as an initial access broker (IAB) for Yanluowang ransomware attacks.