A U.S. federal court has sentenced a Russian national to two years in prison after he admitted to co-managing a massive phishing botnet that fuelled BitPaymer ransomware attacks against 72 American companies. The sentencing is one of a pair of DOJ actions this week targeting the ransomware supply chain — a deliberate prosecution strategy aimed at dismantling the criminal infrastructure that enables extortion campaigns, not just the ransomware operators themselves.
The Convicted: Ilya Angelov and the Mario Kart Gang
Ilya Angelov, 40, operating under the aliases "milan" and "okart," was one of two co-leaders of a Russian cybercriminal organisation tracked by the FBI as "Mario Kart" — and by threat intelligence analysts under a range of names including TA551, Shathak, GOLD CABIN, Monster Libra, ATK236, and G0127.
Angelov's decision to travel to the United States to surrender and plead guilty came after his criminal associate Vyacheslav Igorevich Penchukov was arrested in Switzerland and the Russian invasion of Ukraine began in February 2022 — a confluence of events that apparently led him to cooperate voluntarily with U.S. authorities.
The Operation: Industrial-Scale Phishing
The Mario Kart operation ran from 2017 to 2021 and was one of the most prolific phishing-as-a-service operations of that period. By the numbers:
- At its peak, the gang sent up to 700,000 phishing emails per day
- Those campaigns infected approximately 3,000 computers per day
- Over its lifetime, the botnet infected systems belonging to 72 companies across 31 U.S. states, including businesses in Detroit, Rochester Hills, and Saginaw
The operation's core business model was access brokerage: rather than directly extorting victims, Angelov and his co-manager monetised the botnet by selling access to individual compromised computers to other criminal groups.
Ransomware Connections
Access to the botnet was purchased by multiple ransomware operations:
| Partner Group | Period | Ransomware / Activity |
|---|---|---|
| BitPaymer | August 2018 – December 2019 | Ransomware attacks against all 72 victim companies |
| IcedID (Hive0006) | Late 2019 – August 2021 | Paid TA551 ~$1M for bot access |
| TrickBot / Wizard Spider | Various | Joint phishing campaigns deploying Conti ransomware |
| Lockean affiliates | Various | Facilitated ProLock, Egregor, and DoppelPaymer drops |
The BitPaymer ransomware campaign specifically linked to Angelov's network caused losses across dozens of U.S. businesses over an 18-month period.
Sentencing and Penalty
Angelov secretly pleaded guilty in October to one count of conspiracy to commit wire fraud. At sentencing, prosecutors requested 61 months (just over 5 years), already a significant reduction from the advisory guidelines, which called for more than 12 years. The court imposed a sentence of 24 months, reflecting both Angelov's voluntary surrender and his cooperation with investigators.
Financial penalties include:
- $100,000 fine
- $1.6 million money judgment
Prosecutorial Context: Two Sentences in Two Days
The Angelov sentencing comes one day after a U.S. court sentenced Aleksei Volkov to 81 months (nearly 7 years) for serving as an initial access broker who supplied compromised network access to the Yanluowang ransomware group across dozens of U.S. organisations. The sentencing of two Russian cybercriminals on consecutive days in separate federal districts signals a coordinated prosecutorial push by the DOJ against the ransomware supply chain's foundational layer: the brokers, botnet operators, and access sellers who enable ransomware attacks without pulling the encryption trigger themselves.
The Bigger Picture
The Mario Kart prosecution illustrates how ransomware ecosystems function as layered criminal enterprises. The actors who infect systems and collect stolen credentials are often distinct from those who deploy ransomware and negotiate ransoms. By targeting the supply chain (botnets, initial access brokers, and phishing operations) the DOJ is attempting to raise costs and risks for the entire ecosystem, not just its most visible participants.
For defenders, TA551 remains a cautionary example of how commodity phishing infrastructure, running at mass scale, becomes the foundation for the most damaging ransomware campaigns. Even after law enforcement action, the techniques and tooling from operations like Mario Kart continue to influence successor groups.