Russian National Sentenced for Role in BitPaymer Ransomware Attacks
A Russian national, **Ilya Angelov**, has been sentenced to two years in prison for his involvement in a botnet used to deploy **BitPaymer** ransomware against 72 U.S. companies. Angelov managed the botnet, known as Mario Kart, which facilitated large-scale phishing campaigns and malware distribution.

### Guilty Plea and Sentencing
**Ilya Angelov**, a 40-year-old Russian national who used the online handles "milan" and "okart," decided to travel to the United States to plead guilty after the Russian invasion of Ukraine and the arrest of his associate, **Vyacheslav Igorevich Penchukov**, a member of the **IcedID** cybercrime gang.
### The Mario Kart Botnet
Angelov was identified as one of the leaders of a Russian cybercriminal operation tracked by the **FBI** as Mario Kart. The group was also known by several other names in the cybersecurity community, including TA551, Shathak, GOLD CABIN, Monster Libra, ATK236, and G0127.
Angelov and his co-manager recruited members and oversaw the operation's malicious activities. The gang included software coders, spam distributors, and malware customizers who worked to evade security software.
"Through a massive spam email campaign—which could send 700,000 emails a day—the group distributed malware around the globe," prosecutors stated. "If an unwitting recipient clicked on an attachment to one of the group's emails, concealed malware would infect their computer and add it to the Mario Kart botnet. At the height of the group's operation, approximately 3,000 computers per day could be infected."
### Ransomware-as-a-Service (RaaS) Connection
The cybercrime gang utilized the botnet to distribute malware via large-scale phishing campaigns between 2017 and 2021. They then sold access to the compromised devices to other cybercriminals, including affiliates involved in Ransomware-as-a-Service (RaaS) operations.
"This access was sold to other criminal groups, who typically engaged in ransomware extortion schemes: locking victims out of their computer networks and demanding extortion payments – commonly in cryptocurrency – to restore access," the Justice Department said.
The **FBI** has identified over 70 U.S. corporations that were infected with ransomware by an organization linked to Angelov's group, resulting in over $14 million in extortion payments.
### BitPaymer and IcedID Links
These attacks, which occurred between August 2018 and December 2019, were linked to the **BitPaymer** ransomware operation. The **IcedID** cybercrime gang also paid Angelov and his accomplices another million dollars between late 2019 and August 2021 for access to their bots. The full extent of the resulting damage is still under investigation.
### TA551's Collaborations
In the past, TA551 has been linked to various malware operators and ransomware affiliates. TA551 operators also partnered with the **TrickBot** gang (Wizard Spider) in phishing campaigns that deployed **Conti** ransomware on compromised systems.
France's Computer Emergency Response Team (**CERT**) has also flagged TA551 as a collaborator in the **Lockean** ransomware operation, aiding its affiliates in deploying **ProLock**, **Egregor**, and **DoppelPaymer** ransomware payloads on devices infected with the **Qbot**/**QakBot** banking trojan.
### Other Recent Sentencings
In related news, 26-year-old Russian national **Aleksey Olegovich Volkov** was recently sentenced to nearly 7 years in prison for acting as an initial access broker (IAB) for **Yanluowang** ransomware attacks.