A federal court in Detroit sentenced Russian national Illya Angelov, on Tuesday, for running a botnet operation that infected thousands of computers daily, sold backdoor access to ransomware groups and victimized 72 companies across 31 U.S. states.

The extortion scheme involving Angelov and his criminal organization, known by the FBI as “Mario Kart,” ran from 2017 to 2021. Prosecutors said Angelov and co-conspirators built a network of compromised computers that distributed malware-infected files attached to spam emails.

Angelov and his co-manager then monetized this botnet by selling access to individual compromised computers to other criminal groups, who typically engaged in ransomware extortion schemes — locking victims out of their computer networks and demanding extortion payments to restore access.

A botnet is a network of devices secretly infected with malware and controlled remotely by an attacker without the device owners’ knowledge. The court records describe a scheme that was lucrative and prolific, sending 700,000 emails a day to computers around the world and infecting approximately 3,000 computers daily.

The Mario Kart malware provided a backdoor through which software could be uploaded to victims’ computers. Instead of directly exploiting this access, the Mario Kart group sold it to customers, that is, other cybercriminal groups. These customers typically used the backdoor access to distribute ransomware, encrypting victims’ data and demanding extortion payments to decrypt it.

Angelov’s group included software coders who developed programs to distribute spam emails and malware so advanced it could evade virus-detection software. The operation sold backdoor access at scale, functioning as a criminal wholesale supplier to ransomware operators who lacked the infrastructure to breach targets themselves.

Angelov pleaded guilty in secret in October to one count of conspiracy to commit wire fraud. Prosecutors requested he serve 61 months in prison — a significant break from advisory sentencing guidelines calling for more than 12 years — and he was ordered to pay a $100,000 fine and a $1.6 million money judgment. The reduction reflected both his voluntary cooperation and the circumstances of his surrender.

Angelov was sentenced four years after an associate, Vyacheslav Igorevich Penchukov, was arrested in Switzerland and later extradited to the U.S. Penchukov was a member of a group that negotiated a $1 million payment to Angelov and a second individual for access to Mario Kart. A few days after Penchukov’s arrest, Angelov contacted U.S. authorities and eventually negotiated his surrender. At the time of his travel and surrender, he was living in the United Kingdom, a country from which the U.S. could have sought his extradition.

Vitlalii Alexandrovich Balint, who provided essential coding to Mario Kart, was sentenced five months earlier in federal court in Detroit to 20 months in prison. While Balint’s role in Mario Kart was significant, he was Angelov’s subordinate.

The Mario Kart case sits inside a broader DOJ enforcement pattern targeting the upstream criminal economy — the access brokers and botnet operators who supply the tools and entry points that ransomware groups deploy.

The day before Angelov’s sentencing, a separate federal court sentenced Russian access broker Aleksei Volkov to 81 months for supplying network access to the Yanluowang ransomware group across dozens of U.S. organizations.

Read: Russian Access Broker Gets Nearly 7 Yrs for Enabling Millions in Ransomware Extortion

Two Russian cybercriminals sentenced in two consecutive days across two different federal districts signals a deliberate prosecutorial push against the ransomware supply chain’s foundational layer, not just its most visible operators.

The scheme operated before the peak of ransomware extortion payments, which reached a high of $1.25 billion in 2023. That trajectory makes the infrastructure Angelov built — and the model it demonstrated — directly relevant to understanding how the ransomware economy scaled to where it stands today.