United States of America, Plaintiff v. Peter Sahurovs, a/k/a "Piotrek," a/k/a "Sagade," and Marina Maslobjeva, a/k/a "Marina Sahurova," a/k/a "Aminasah," Defendants, United States District Court, District of Minnesota, May 17, 2011. Unclassified.
National Security Archive
A 2011 grand‑jury indictment reveals how bogus ad agencies hijacked a Minnesota newspaper’s website, installed malware, and sold fake antivirus to victims worldwide.
Source: United States of America, Plaintiff v. Peter Sahurovs, a/k/a "Piotrek," a/k/a "Sagade," and Marina Maslobjeva, a/k/a "Marina Sahurova," a/k/a "Aminasah," Defendants, United States District Court, District of Minnesota, May 17, 2011. Unclassified. Date: May 17, 2011. Archive: Department of Justice.
Editorial Analysis
Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.
A cyber‑fraud indictment from the heart of the Midwest
The grand‑jury indictment filed in the U.S. District Court for the District of Minnesota on May 17, 2011 marks the culmination of a multi‑year investigation by the Department of Justice into a transnational “malware‑as‑a‑service” operation. The document names Peteris Sahurovs and Marina Maslobojeva, both using a string of aliases, as the alleged architects of a scheme that blended classic online advertising fraud with ransomware‑style extortion. Between February and September 2010 the defendants allegedly created bogus ad agencies, sold counterfeit ad space on legitimate publisher sites, including the Star Tribune’s flagship domain, and inserted malicious code that hijacked browsers, displayed fake security alerts, and forced users to buy a bogus product called “Antivirus Soft.” The indictment charges them under the Computer Fraud and Abuse Act, wire‑fraud statutes, and the “conspiracy to commit” provisions that bind co‑conspirators together.
The broader context: the rise of “malvertising” and the law’s lag
The case sits at a pivotal moment in the evolution of cybercrime. By 2010, cyber‑criminals had moved beyond email phishing and direct malware distribution to exploiting the ad‑tech supply chain—a practice now known as “malvertising.” Legitimate publishers sold ad inventory through a labyrinth of networks, making it possible for a single rogue agency to insert malicious payloads into otherwise trusted sites. The Star Tribune episode, detailed in the indictment, illustrates how a reputable news outlet could become an unwitting conduit for a global fraud operation. At the time, federal prosecutors were still grappling with how to apply statutes drafted for telephone and mail fraud to the fluid, border‑less world of online advertising. The inclusion of 18 U.S.C. § 1030(a)(5)(A) (the CFAA) alongside traditional wire‑fraud charges signals an early attempt to stretch existing law to cover the new threat vector.
What the indictment reveals about the actors and their methods
Although the indictment is a legal summary, its language offers a window into the operational playbook of the accused. The defendants are described as “creating fictitious advertising agencies” and contacting publishers under the pretense of representing a legitimate third‑party—here, a fabricated senior media buyer from “RevolTech Marketing.” This false identity was used to secure ad placements on the Star Tribune’s site, after which malicious code was embedded in the ad tags. The code performed a “browser hijack,” redirecting visitors to a controlled landing page that displayed urgent, fabricated security warnings. By engineering a problem (the malware) and then selling the solution (the bogus antivirus), the defendants followed a classic confidence‑trick structure, now amplified by the scale of the internet. The indictment notes that victims worldwide were defrauded of more than $2 million, underscoring the global reach of a scheme orchestrated from Minnesota.
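As an added illustration (not part of the indictment or of the original analysis): the indictment describes an ad tag that served only an image when the publisher began running it and, two days later, sent browsers on to a second server. A publisher can catch that kind of switch by re-rendering approved tags and comparing each fetch chain with the one recorded at approval. The hostnames, the `Fetch` record and the content-type allowlist below are assumptions made for this example.

```python
"""Flag approved ad tags whose fetch chain changes after approval."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: the campaign was sold as an image-only display creative.
ALLOWED_TYPES = {"image/gif", "image/jpeg", "image/png"}


@dataclass(frozen=True)
class Fetch:
    """One request seen while rendering the tag in an isolated browser."""
    url: str
    content_type: str


def _host(fetch):
    return (urlsplit(fetch.url).hostname or "").lower()


def _mime(fetch):
    # Drop parameters such as "; charset=utf-8" before comparing.
    return fetch.content_type.split(";")[0].strip().lower()


def drift_findings(baseline, rescan):
    """Compare a rescan with the chain recorded when the tag was approved.

    Returns a sorted list of (rule, detail) tuples; an empty list means the
    tag still behaves as it did at approval.
    """
    findings = set()
    known_hosts = {_host(f) for f in baseline}
    for f in rescan:
        if _host(f) not in known_hosts:
            findings.add(("new-host", _host(f)))
        if _mime(f) not in ALLOWED_TYPES:
            findings.add(("unexpected-content-type", f"{_mime(f)} from {_host(f)}"))
    if len(rescan) > len(baseline):
        findings.add(("longer-chain", f"{len(baseline)} -> {len(rescan)} fetches"))
    return sorted(findings)


def should_pull(findings):
    """Pause the tag on any finding; a human reviews before it is re-enabled."""
    return bool(findings)


# Constructed sample data (hostnames use the reserved .example TLD).
APPROVED = [Fetch("https://ads.agency.example/tag/1234", "image/gif")]
RESCAN_SAME_DAY = [Fetch("https://ads.agency.example/tag/1234", "image/gif")]
RESCAN_TWO_DAYS_LATER = [
    Fetch("https://ads.agency.example/tag/1234", "text/html; charset=utf-8"),
    Fetch("https://files.second-host.example/get", "application/octet-stream"),
]

if __name__ == "__main__":
    for label, scan in (("same day", RESCAN_SAME_DAY),
                        ("two days later", RESCAN_TWO_DAYS_LATER)):
        result = drift_findings(APPROVED, scan)
        print(label, "PULL" if should_pull(result) else "ok", result)
```

A rescan only sees what the ad server chooses to send to the scanner, so the comparison is most useful when rescans run repeatedly for the whole life of the campaign rather than once at approval.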
Legacy and why the case still matters
The Sahurovs‑Maslobojeva indictment is frequently cited in scholarly works on cyber‑fraud because it was one of the first federal cases to explicitly link ad‑tech abuse with ransomware‑style extortion. It forced the DOJ to develop investigative techniques for tracing money through offshore payment processors and for dissecting the opaque ad‑exchange ecosystem, a skill set that would later prove essential in takedowns of botnet operators and cryptojacking schemes. Moreover, the case highlighted the vulnerability of news organizations, prompting industry‑wide audits of ad‑tech partners and the eventual adoption of stricter vetting standards. While the defendants’ ultimate fate (plea deals, convictions, or dismissals) lies beyond the scope of the indictment, the document itself remains a touchstone for policymakers debating updates to the CFAA and for technologists building safer ad delivery pipelines.
Reading between the lines
The indictment’s emphasis on “others known and unknown to the grand jury” hints at a broader criminal network that likely included overseas developers, payment‑gateway facilitators, and possibly state‑tolerated hosting services. The reference to “victim companies” that were never paid for ad space suggests a secondary revenue stream: the defendants collected fees from advertisers while short‑changing publishers, a classic double‑dip fraud. Finally, the detailed description of the fake “Lisa Polowski” email shows the DOJ’s reliance on forensic email analysis to link the aliases to real identities—a reminder that even in a digital age, traditional investigative work remains central.
The indictment therefore serves not just as a legal accusation but as a snapshot of a transitional moment in cybercrime, when the convergence of advertising technology and malware created a new frontier for fraudsters and a new set of challenges for law enforcement.
CASE 0:11-cr-00177-ADM-HB Document 8 Filed 05/17/11 Page 1 of 14
UNITED STATES DISTRICT COURT DISTRICT OF MINNESOTA
CR 11-177 ADM/JJG [illegible] SEAL
UNITED STATES OF AMERICA, Plaintiff, v. (1) PETERIS SAHUROVS, a/k/a "Piotrek," a/k/a "Sagade," and (2) MARINA MASLOBOJEVA, a/k/a "Marina Sahurova," a/k/a "Aminasah," Defendants.
INDICTMENT (18 U.S.C. § 1030(a)(5)(A)) (18 U.S.C. § 1343) (18 U.S.C. § 1349) (18 U.S.C. § 2)
THE UNITED STATES GRAND JURY CHARGES:
1. From in or about February 2010 through at least in or about September 2010, in the State and District of Minnesota and elsewhere, the defendants,
PETERIS SAHUROVS, a/k/a "Piotrek," a/k/a "Sagade," and MARINA MASLOBOJEVA, a/k/a "Marina Sahurova," a/k/a "Aminasah,"
each aiding and abetting one another, and being aided and abetted by one another, together with others known and unknown to the grand jury, devised, intended to devise, and participated in a scheme to defraud and to obtain money and property by means of materially false and fraudulent pretenses, representations, promises, and material omissions, as more fully described below.
SCANNED JUN 2 2 2011. U.S. DISTRICT COURT ST. PAUL
8
FILED MAY 17 2011 RICHARD D. SLEETEN, CLERK JUDGMENT ENTERED DEPUTY CLERK'S INITIALS
PURPOSE OF THE SCHEME
2. Defendants PETERIS SAHUROVS and MARINA MASLOBOJEVA, and others acting in concert with them or at their direction, defrauded victim Internet users by (i) infecting their computers with malicious software ("malware") which caused the victim Internet users' computers to slow down or freeze up, and then (ii) deceiving victim Internet users into purchasing purported antivirus software products to fix the problems created by the malware the defendants caused to be installed.
MANNER AND MEANS OF THE SCHEME
3. Defendants PETERIS SAHUROVS and MARINA MASLOBOJEVA, and others acting in concert with them or at their direction, created fictitious advertising agencies which in turn contacted victim companies purporting to represent legitimate third-party entities that sought to place Internet-based advertisements on the victim companies' websites, when in fact the advertisements were not authorized by the third-party entities.
4. It was further part of the scheme that, through the fictitious advertising agencies, defendants PETERIS SAHUROVS and MARINA MASLOBOJEVA, and others acting in concert with them or at their direction, caused to be placed on the websites of the victim companies Internet-based advertisements that, unbeknownst to the victim companies, contained computer code which, in turn, caused the Internet browsers of victim Internet users who visited the victim companies' websites to be "hijacked" or redirected without their consent to websites controlled by defendants PETERIS SAHUROVS and MARINA MASLOBOJEVA, and others acting in concert with them or at their direction.
5. It was further part of the scheme that, after being redirected to a website controlled by defendants PETERIS SAHUROVS and MARINA MASLOBOJEVA, and others acting in concert with them or at their direction, the victim Internet user was prompted with a series of materially false "security alert" messages which claimed that the user's computer had been infected with malware and that the victim Internet user needed to purchase an antivirus product to fix the "security issue."
6. It was further part of the scheme that, through the series of materially false "security alert" messages, defendants PETERIS SAHUROVS and MARINA MASLOBOJEVA, and others acting in concert with them or at their direction, caused victim Internet users in countries throughout the world, including the United States, to purchase software products distributed by defendants PETERIS SAHUROVS and MARINA MASLOBOJEVA, and others acting in concert with them or at their direction, including "Antivirus Soft" to purportedly fix the problems caused by the malware. As a result of the scheme, victim Internet users were defrauded out of more than $2,000,000.00.
7. It was further part of the scheme that defendants PETERIS SAHUROVS and MARINA MASLOBOJEVA, and others acting in concert with them or at their direction, intentionally failed to pay the victim companies the fees promised by the fictitious advertising agencies for the placement of Internet-based advertisements on the victim companies' websites. As a result of the scheme, victim companies sustained losses in the form of the non-payment of fees for advertising space on the victim companies' websites.
THE STAR TRIBUNE MALWARE ATTACK
8. One of the victim companies defrauded by defendants as part of the fraud scheme described above was the Minneapolis Star Tribune ("Star Tribune").
9. At all times relevant to this indictment, startribune.com was an Internet web site owned and operated by the Star Tribune, Minnesota's largest newspaper. Much of the content found in the Star Tribune's daily newspaper can also be found on the startribune.com web site. The computer servers hosting startribune.com are located in the United States.
10. The Star Tribune obtains their online advertisements for startribune.com from three categories, one of which is referred to as "third party ad tags." For this type of advertisement, the Star Tribune is typically contacted by an online advertising agency which represents a business or individual that wishes to advertise online. Such advertising agencies coordinate the details of the advertisement with online publishers like the Star Tribune. There are thousands of online advertising agencies throughout the country.
11. On or about February 17, 2010, defendants PETERIS SAHUROVS and MARINA MASLOBOJEVA, or others acting in concert with them or at their direction, sent an email to the Star Tribune in Minneapolis, Minnesota, purporting to be from "Lisa Polowski" (hereinafter "Polowski"), who claimed to be the Senior Media Buyer for "RevolTech Marketing" (hereinafter "RevolTech"), of Miami, Florida. The email indicated that RevolTech was an advertising agency representing Best Western International ("Best Western"), and that the agency wanted to place online ads for Best Western on startribune.com. In truth and in fact, RevolTech is not a real advertising agency and Best Western had not retained RevolTech to place online advertisements on its behalf.
12. On or about February 19, 2010, defendants PETERIS SAHUROVS and MARINA MASLOBOJEVA, or others acting in concert with them or at their direction, sent to startribune.com the "ad-tag" for the online advertisement for the purported Best Western advertising campaign. An ad-tag is a short computer file that is placed on a web page that redirects the users' web browser to another Internet site to download content. This download happens without any user interaction.
13. The Star Tribune began running the Best Western ad-tag on startribune.com on or about February 19, 2010. Visitors to startribune.com were redirected by the ad-tag to a web server in the Netherlands controlled by defendants PETERIS SAHUROVS and MARINA MASLOBOJEVA, or others acting in concert with them or at their direction. Initially, the web server in the Netherlands downloaded only an image containing the purported Best Western advertisement. On or about February 21, 2010, unbeknownst to startribune.com or visitors to the website, the web server in the Netherlands redirected visitors' web browsers to a different web server in Latvia, which began downloading malware onto the visitors' computers.
14. On or about February 21, and continuing through February 22, 2010, visitors to the startribune.com website began experiencing slow system performance, unwanted pop-ups, and total system failure. When the Star Tribune learned of the problems experienced by visitors to startribune.com, it pulled all the online advertising from the website and later determined that the source of the infections was the advertisement provided by RevolTech. The Star Tribune immediately reported the incident to law enforcement and also published articles in both its print and online newspapers to notify its readers of the virus-infected advertisement.
15. Before the Best Western ad-tag was removed, visitors to the startribune.com website began receiving pop-ups containing a fraudulent "Windows Security Alert," originating from a web server controlled by defendants PETERIS SAHUROVS and MARINA MASLOBOJEVA, or others acting in concert with them or at their direction. The "Windows Security Alert" read:
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan you computer [sic]. Your system might be at risk now.
Thereafter, additional pop-ups appeared on the victim users' computer screens, indicating that they needed to purchase the "Antivirus Soft" computer program for $49.95 to fix the "security issue." To purchase "Antivirus Soft," the victim users clicked on an option on one of the pop-ups to "upgrade the 'anti-virus'" program. Victim users who clicked on this option were presented with an online order form from a web server, "avgroupwebsite.com," where Antivirus Soft could be purchased. The web server "avgroupwebsite.com" was located in Latvia and controlled by defendants PETERIS SAHUROVS and MARINA MASLOBOJEVA, or others acting in concert with them or at their direction. Victim users were instructed to provide their credit card numbers in payment for "Antivirus Soft." Payments were processed by a bank in Latvia controlled by defendants PETERIS SAHUROVS and MARINA MASLOBOJEVA, or others acting in concert with them or at their direction.
16. Victim computer users who did not purchase "Antivirus Soft" immediately became inundated with pop-ups containing fraudulent "security alerts" from a web server controlled by defendants PETERIS SAHUROVS and MARINA MASLOBOJEVA, or others acting in concert with them or at their direction. All information, data, and files stored on the computer became inaccessible.
17. Victim computer users who paid the defendants $49.95 received a download of the "Antivirus Soft" program which "unfroze" their computer and stopped the pop-ups and security notifications. Victim computer users had to either pay $49.95 to defendants PETERIS SAHUROVS and MARINA MASLOBOJEVA, or others acting in concert with them or at their direction, or over-write the computer hard-drive and lose all applications and data.
COUNT ONE (Wire Fraud)
18. The Grand Jury hereby realleges and incorporates paragraphs 1 through 17 of this Indictment as if stated in full herein.
19. On or about February 19, 2010, in the State and District of Minnesota and elsewhere, the defendants,
PETERIS SAHUROVS, a/k/a "Piotrek," a/k/a "Sagade," and MARINA MASLOBOJEVA, a/k/a "Marina Sahurova," a/k/a "Aminasah,"
each aiding and abetting one another, and being aided and abetted by one another, together with others known and unknown to the grand jury, for the purpose of executing the aforesaid scheme and attempting to do so, did knowingly cause to be transmitted in interstate and foreign commerce from the Netherlands to Minnesota by means of wire and radio communications, certain writings, signs, signals and sounds; to wit: an electronic mail communication to startribune.com in order to place an Internet-based advertisement containing malicious computer code on the website of startribune.com; in violation of Title 18, United States Code, Sections 1343 and 2.
COUNT TWO (Wire Fraud)
20. The Grand Jury hereby realleges and incorporates paragraphs 1 through 17 of this Indictment as if stated in full herein.
21. On or about February 21, 2010, in the State and District of Minnesota and elsewhere, the defendants,
PETERIS SAHUROVS, a/k/a "Piotrek," a/k/a "Sagade," and MARINA MASLOBOJEVA, a/k/a "Marina Sahurova," a/k/a "Aminasah,"
each aiding and abetting one another, and being aided and abetted by one another, together with others known and unknown to the grand jury, for the purpose of executing the aforesaid scheme and attempting to do so, did knowingly cause to be transmitted in interstate and foreign commerce from Latvia to Minnesota by means of wire and radio communications, certain writings, signs, signals and sounds; to wit: an electronic communication that included an Internet advertisement containing malicious code through which defendants intentionally caused impairment to the computer of Victim A, a visitor to the startribune.com website; in violation of Title 18, United States Code, Sections 1343 and 2.
COUNT THREE (Conspiracy to Commit Wire Fraud)
22. The Grand Jury hereby realleges and incorporates paragraphs 1 through 21 of this Indictment as if stated in full herein.
23. From in or about February 2010 through in or about September 2010, in the State and District of Minnesota and elsewhere, the defendants,
PETERIS SAHUROVS, a/k/a "Piotrek," a/k/a "Sagade," and MARINA MASLOBOJEVA, a/k/a "Marina Sahurova," a/k/a "Aminasah,"
along with others known and unknown to the grand jury, did knowingly and willfully combine, conspire, and agree with each other, and other persons known and unknown to the Grand Jury, to commit offenses against the United States, including executing a scheme to defraud and to obtain money and property by means of materially false and fraudulent pretenses, representations, promises, and material omissions, as set forth above in paragraphs 2 through 17, in interstate commerce, by means of wire communication, certain signals and sounds, in violation of Title 18, United States Code, Section 1343; all in violation of Title 18, United States Code, Section 1349.
COUNT FOUR (Unauthorized Access to a Protected Computer)
24. The Grand Jury hereby realleges and incorporates paragraphs 1 through 23 of this Indictment as if stated in full herein.
25. In or about February 21, 2010, in the State and District of Minnesota and elsewhere, the defendants,
PETERIS SAHUROVS, a/k/a "Piotrek," a/k/a "Sagade," and MARINA MASLOBOJEVA, a/k/a "Marina Sahurova," a/k/a "Aminasah,"
each aiding and abetting one another, and being aided and abetted by one another, together with others known and unknown to the grand jury, did knowingly cause the transmissions of programs, information, codes, and commands, from Latvia to Minnesota; to wit: an electronic communication to startribune.com that included an Internet advertisement containing malicious code through which defendants intentionally caused impairment to the integrity and availability of data, programs, systems, and information on the startribune.com website without startribune.com's authorization by "hijacking" or redirecting the visitors to startribune.com's website away from the intended content of startribune.com's website to a web server controlled by defendants, or others acting in concert with them or at their direction, and as a result of such conduct, intentionally caused damage, without authorization, to protected computers, in violation of Title 18, United States Code, Section 1030(a)(5)(A).
FORFEITURE ALLEGATIONS
26. The allegations in Counts 1, 2 and 3 are hereby realleged as if fully stated herein for the purpose of alleging forfeitures pursuant to 18 U.S.C. § 981(a)(1)(C) and 28 U.S.C. § 2461.
27. As the result of the offense alleged in Counts 1, 2 and 3 of this Indictment, the defendants,
PETERIS SAHUROVS, a/k/a "Piotrek," a/k/a "Sagade," and MARINA MASLOBOJEVA, a/k/a "Marina Sahurova," a/k/a "Aminasah,"
shall forfeit to the United States pursuant to Title 18, United States Code, Section 981(a)(1)(C), any property constituting, and derived from, proceeds they obtained directly or indirectly as the result of such violations.
28. The allegations in Count 4 are hereby realleged as if fully stated herein for the purposes of alleging forfeitures pursuant to 18 U.S.C. §§ 982(a)(2)(B), 1030(i), and 1030(j).
29. As the result of the offense alleged in Count 4 of this Indictment, the defendants shall forfeit any and all property constituting or traceable to proceeds obtained directly or indirectly as a result of such violation, as well as any personal property that was used or intended to be used to commit or to facilitate the commission of such violation.
30. If any of the above-described forfeitable property is unavailable for forfeiture, the United States intends to seek the forfeiture of substitute property as provided for in Title 21, United States Code, Section 853(p), as incorporated by Title 28, United States Code, Section 2461(c).
A TRUE BILL [illegible] UNITED STATES ATTORNEY Lynne Kendall FOREPERSON