
How a handful of cybercriminals fuel global online fraud networks

A shadowy figure named Severa bridges fake AV scams and spam empires. The same criminals keep resurfacing—with devastating consequences for online security.


A small group of seasoned cybercriminals appears responsible for a large share of global online fraud. Research shows strong links between fake antivirus scams and spam networks, with key individuals operating across both areas. One such figure, known as 'Severa', played a central role in distributing malicious software while running spamming services.

Investigations revealed that affiliates of a major malwarebytes program shared up to 42.2% of their email addresses with those in the Glavmed/Spamit spam network. Another analysis found overlaps of 19% to 27% between affiliate marketing programs and the same spam operation. These overlaps suggest that the same criminals were involved in multiple types of cybercrime.

Severa's fake AV program, called Sevantivir, spread malware like Security Shield and a spambot named Win32.Kelihos.b. This spambot reused large parts of its code from Waledac, a worm previously tied to Canadian Pharmacy spam campaigns. Microsoft had dismantled the Waledac botnet in 2010 but stated that Win32.Kelihos.b was not a direct variant.

While experienced hackers like Severa drive much of this activity, researchers note that easy access to fraud tools has also brought in less-skilled criminals. The result is a mix of veteran operators and newcomers fueling a persistent wave of online scams.

The findings highlight how a core group of cybercriminals maintains influence across different fraud schemes. By reusing tools, sharing affiliate networks, and adapting malware, they sustain large-scale operations. Authorities continue to track these connections as part of broader efforts to disrupt online crime.
