By all measures, Georg Avanesov was very good at his job -- until he was arrested earlier this week.
Just 27 years old, he had amassed a tidy fortune, allegedly running an efficient clandestine network of hacked computers around the world.
Those computers were infected with Bredolab, a piece of malicious software responsible for sending spam, conducting attacks on websites and enabling other cybercriminals to steal money from online bank accounts.
Avanesov allegedly rented and sold part of his botnet, a common business model for those who run the networks. Other cybercriminals can rent the hacked machines for a specific time for their own purposes, such as sending a spam run or mining the PCs for personal details and files, among other nefarious actions.
Dutch prosecutors believe that Avanesov made up to €100,000 ($139,000) a month from renting and selling his botnet just for spam, said Wim De Bruin, spokesman for the Public Prosecution Service in Rotterdam. Avanesov was able to sell parts of the botnet off "because it was very easy for him to extend the botnet again," by infecting more PCs, he said.
Avanesov may have netted more money, in other ways.
"We don't have more financial information about what he did," De Bruin said. "Our investigation was focused on dismantling the network then getting a hold of our main suspect, but this criminal investigation hasn't stopped yet. We hope to get a better picture of the money and his business relationships."
As a result, Avanesov may have made millions in a career spanning more than a decade, according to a source close to law enforcement. He vacationed in the Seychelles with an attractive girlfriend and reportedly even had a side hobby as a DJ, the source said.
But Avanesov is now being held by Armenian authorities after a sting operation earlier this week by Dutch police and computer security experts with help from Russian authorities. He was arrested earlier this week after taking a late flight on Monday night from Moscow to Yerevan, Armenia's capital.
The bust wasn't supposed to happen that way, however, according to the source. Avanesov nearly got away.
Dutch authorities tried to lure Avanesov to Schipol airport near Amsterdam, where police there planned to follow him and wait until he took control of the Bredolab botnet, bust down the door and arrest him on computer hacking charges. He was expected to be on a flight into Schipol but never arrived.
"They [the police] were waiting for him, but he didn't come," according to the source.
In the meantime, the people in control of Bredolab had took noticed something strange was happening with their botnet. Around 2 p.m. CET on Monday, the Dutch High Tech Crime Team began taking over command-and-control servers used to issue instructions to the 29 million infected computers with help from the Dutch Forensic Institute, the Dutch computer emergency response team Govcert, and the security vendor Fox IT.
Bredolab used 143 servers that were part of a network run by LeaseWeb, one of the largest hosting providers in Europe. LeaseWeb had known of the problem since August and cooperated with the investigation.
As Bredolab was shut down, a denial-of-service attack -- which involved bombarding servers with meaningless traffic to shut them down -- was launched against the infrastructure used by the Dutch authorities. Some 225,000 computers were used in the attack, which actually slowed Internet service down in the Netherlands for a short time but was repelled within a couple of hours.
It isn't easy to track down people who run botnets, as they use sophisticated methods to keep from being identified. Botnet controllers -- also known as "herders" -- take up 20 measures to ensure their anonymity, said Ronald Prins, who helped with the takedown. But if one step is left out, it means investigators can grasp a thread. The trail led to Avanesov.
Armenia is detaining Avanesov, said Sona Truzyan, press secretary for the Prosecutor General's Office, on Friday. The Netherlands has 40 days to file an extradition request, she said. De Bruin said his office is working on the request.