Administrator of ‘bulletproof’ webhosting domain charged in connection with facilitation of NetWalker ransomware

Date: August 11, 2023

Contact: newsroom@ci.irs.gov

An indictment was unsealed yesterday in Tampa, Florida, charging a Polish national with computer fraud conspiracy, wire fraud conspiracy, and international money laundering in connection with the provision of "bulletproof" webhosting services that facilitated the operation of ransomware attacks and the subsequent laundering of the illicit proceeds.

According to court documents, Artur Karol Grabowski operated a webhosting company named LolekHosted. Through LolekHosted, Grabowski provided "bulletproof" webhosting services, a form of secure webhosting designed to facilitate malicious and criminal activities, including ransomware, brute-force attacks, and phishing. Grabowski allegedly facilitated the criminal activities of LolekHosted clients by allowing clients to register accounts using false information, not maintaining Internet Protocol (IP) address logs of client servers, frequently changing the IP addresses of client servers, ignoring abuse complaints made by third parties against clients, and notifying clients of legal inquiries received from law enforcement. Grabowski registered the domain "LolekHosted.net" in 2014, and advertised that its services were "bulletproof," provided "100% privacy hosting," and allowed clients to host "everything except child porn."

The NetWalker ransomware was one of the ransomware variants facilitated by LolekHosted. The NetWalker ransomware was deployed on approximately 400 victim company networks, including municipalities, hospitals, law enforcement and emergency services, school districts, colleges, and universities, which resulted in the payment of more than 5,000 bitcoin in ransoms (currently valued at approximately $146 million). LolekHosted clients used its services to execute approximately 50 NetWalker ransomware attacks on victims located all over the world, including in the Middle District of Florida. Specifically, clients used the servers of LolekHosted as intermediaries when gaining unauthorized access to victim networks, and to store hacking tools and data stolen from victims.

On Aug. 8, U.S. authorities seized LolekHosted.net, the domain name LolekHosted used for nearly a decade. Visitors to LolekHosted.net will now find a seizure banner that notifies them that the domain name has been seized by federal authorities. The U.S. District Court for the Middle District of Florida issued the seizure warrant.

If convicted on all counts, Grabowski faces a maximum penalty of 45 years in prison. The indictment also notifies Grabowski that the United States is seeking an order of forfeiture in the amount of $21.5 million, the proceeds of the charged criminal conduct. Grabowski remains a fugitive.

Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department's Criminal Division and U.S. Attorney Roger B. Handberg for the Middle District of Florida made the announcement.

The FBI Tampa Field Office is investigating the case, with assistance from the Internal Revenue Service Criminal Investigation Cyber Crimes Unit.

Trial Attorney Sonia V. Jimenez of the Criminal Division's Computer Crime and Intellectual Property Section and Assistant U.S. Attorneys Carlton C. Gammons and Suzanne Nebesky for the Middle District of Florida are prosecuting the case.

Substantial assistance was provided by the Justice Department's Office of International Affairs and the FBI's Legal Attaché Office in Warsaw, Poland. Polish authorities also provided substantial assistance.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.