Russian hacker gets 2 years in U.S. prison over TA551 botnet and ransomware access sales
A U.S. federal judge has sentenced Russian national Ilya Angelov to 24 months in prison for helping run a botnet that fed ransomware attacks against American companies. The court also imposed a $100,000 fine and a $1.6 million money judgment, according to the U.S. Department of Justice.
Prosecutors said Angelov, 40, of Tolyatti, Russia, co-managed the cybercrime group known to the FBI as Mario Kart between 2017 and 2021. Private security firms have tracked the same cluster under several other names, including TA551, Shathak, GOLD CABIN, Monster Libra, ATK236, and G0127.
The DOJ says the group spread malware through spam emails with malicious attachments, built a botnet of infected machines, and then sold access to those systems to other criminal crews. U.S. investigators linked more than 70 American corporate ransomware infections to one organization that used access tied to Angelov’s group, with extortion payments topping $14 million.
How the TA551 operation worked
According to court records cited by the DOJ, Angelov and a co-manager turned phishing into a business. They sent malware-laced email attachments, compromised computers, and then monetized those infected endpoints by selling access to other threat actors. Those buyers then used the footholds for ransomware and other follow-on attacks.
Federal authorities said one ransomware-linked organization infected over 70 U.S. corporations after obtaining access tied to the botnet. The DOJ also said another ransomware-distributing group paid Angelov’s operation more than $1 million for access to the Mario Kart botnet.
Threat intelligence reporting published during the TA551 campaign helps explain why the group mattered. In early 2021, Mandiant described TA551-linked activity that used password-protected phishing archives, a Word macro downloader called MOUSEISLAND, and an intermediary payload called PHOTOLOADER to install IcedID, which often served as an entry point for later hands-on intrusions and ransomware activity.
Case at a glance
| Detail | Verified information |
|---|---|
| Defendant | Ilya Angelov, 40, of Tolyatti, Russia |
| Sentence | 24 months in prison |
| Financial penalties | $100,000 fine and $1.6 million money judgment |
| Activity period | 2017 to 2021 |
| Group names | Mario Kart, TA551, Shathak, GOLD CABIN, Monster Libra, ATK236, G0127 |
| Main tactic | Spam emails carrying malicious files to build a botnet and sell access |
Why this case matters
This case highlights a core ransomware reality in 2026. Many major attacks no longer begin with the ransomware operators themselves. They often start with access brokers or malware distribution crews that compromise networks first and then sell or hand off that access to extortion groups.
TA551 has appeared repeatedly in public reporting tied to follow-on malware and ransomware ecosystems. Cybereason reported in late 2021 that the Shathak or TA551 threat group partnered with the TrickBot gang to distribute malware used in Conti ransomware attacks. France’s CERT-FR also linked TA551 distribution services to campaigns involving QakBot in incidents associated with the Lockean group.
The sentencing also arrived the same week the DOJ announced prison time for another Russian national, Aleksei Volkov, in a separate case tied to enabling ransomware attacks against U.S. companies. That parallel action shows U.S. prosecutors still want to target the access and infrastructure layer behind ransomware, not just the final extortion brands.
Key takeaways for businesses
- Phishing remains a reliable entry point for major cybercrime operations.
- Botnet operators can profit even when they do not deploy the ransomware themselves.
- Access sales continue to connect spam campaigns, malware loaders, and enterprise ransomware incidents.
- Law enforcement cases increasingly focus on the broader criminal supply chain behind intrusions.
Official statements
U.S. Attorney Jerome F. Gorgon Jr. said foreign cybercriminals target American citizens and corporations, and that investigators remain committed to stopping them. The FBI’s Detroit field office said the sentence should send a message that cybercriminals who hide behind aliases and screens can still face prosecution.
The DOJ also said the FBI Detroit Cyber Task Force led the case with help from Dutch and German authorities, while the Department of Justice’s Office of International Affairs supported the investigation.
Official statements and source pages
- U.S. Department of Justice press release on Angelov’s sentencing
- FBI Detroit field office release on the same case
- Mandiant research on TA551, MOUSEISLAND, PHOTOLOADER, and IcedID delivery chains
- DOJ release on Aleksei Volkov’s separate ransomware-access case
FAQ
He is a Russian national from Tolyatti whom U.S. authorities say co-managed the botnet operation known as Mario Kart, also tracked as TA551 and Shathak.
A federal judge sentenced him to 24 months in prison, plus a $100,000 fine and a $1.6 million money judgment.
The group spread malware through spam emails, built a botnet of compromised computers, and sold access to those infected systems to other criminal groups, including ransomware actors.
The FBI identified more than 70 U.S. corporations hit by ransomware through one organization linked to Angelov’s group, with extortion payments exceeding $14 million.