About three years ago, some of Google’s security engineers came to company attorneys with a gigantic mess.
The security team had discovered that Google unwittingly was enabling the spread of malicious software known as Glupteba. The malware had corrupted more than 1 million Windows computers, turning them into vehicles to mine cryptocurrency and spy on users. By hijacking Google accounts, purchasing Google ads to lure in users, and misusing Google cloud tools, the hackers behind the operation were on their way to infecting even more computers.
Tech giants such as Google long have had a playbook for destroying botnets like Glupteba. They call up fellow companies and US authorities and together coordinate a massive takedown operation. Sometimes, the cops file criminal charges. But this time around, Google’s legal team recommended an approach that the company hadn’t pursued in years: Sue the hackers for money.
The eventual lawsuit against two Russian men and a dozen unnamed individuals allegedly behind Glupteba would be the first of a run of at least eight cases that Google has filed against various hackers and scammers, adding to a sporadic few filings in the past. The tactic, which Google calls affirmative litigation, is meant to scare off would-be fraudsters and generate public awareness about scams. Now, for the first time, Google is opening up about this strategy.
Leaders of Google’s security and legal teams tell WIRED they believe going after people in court has paid off. Google hasn’t yet lost a case; it has collected almost all of the more than $2 million that it has won through the legal process, and forced hundreds of companies or websites to shut down. The awards are trivial to Google and its parent Alphabet, a $2 trillion company, but can be devastating for the defendants.
“We’re disrupting bad actors and deterring future activity, because it’s clear that the consequences and the costs are high,” says Chester Day, lead of the three-person “litigation advance” team at Google that’s focused on taking people to court. Google, he adds, is “making it clear that we’re willing to invest our resources into taking action to protect our users.”
Google blog posts and similar content about the lawsuits and the underlying scams have drawn more than 1 billion views, according to the company. Google representatives say that the awareness increases vigilance among consumers and shrinks the pool of vulnerable targets. “Educating people about how these crimes work may be the best thing we can do to stop the crime,” says Harold Chun, director of Google’s security legal team.
Several Big Tech companies have pursued affirmative litigation, though not necessarily under that name and with varying strategies. Microsoft has filed more than two dozen lawsuits since 2008 with a focus on securing court permission to dismantle botnets and other hacking tools. Amazon has been a prolific complainant since 2018, filing at least 42 cases over counterfeit products, 38 for reviews fraud, three for copyright abuse, and, recently, two for bogus product returns. Amazon has been filing so many counterfeit cases, in fact, that the federal court in western Washington assigned three magistrate judges to focus on them.
Since 2019, Meta has filed at least seven counterfeiting or data theft cases, with settlements or default judgments in four so far, including one in which it won nearly $300,000 in damages. Like Meta, Apple has sued Israeli spyware developer NSO Group for alleged hacking. (NSO is fighting the lawsuits. Trials are scheduled for next year.)
Some attorneys who’ve studied how the private sector uses litigation to enforce the law are skeptical about the payoff for the plaintiffs. David Noll, a Rutgers University law professor and author of a forthcoming book on state-supported private enforcement, Vigilante Nation, says it’s difficult to imagine that companies could bring the volume of cases needed to significantly stop abuse. “The fact that there is a small chance you might be named in a suit isn’t really going to deter you,” he says.
Noll believes the big risk is that Google and other tech companies could be burdening the court system with cases that ultimately secure some favorable headlines but do less to make the internet safer than the companies could achieve through investing in better antifraud measures.
Still, of the six outside legal experts who spoke to WIRED, all of them say that overall Google deserves credit for complementing the work of underfunded government agencies that are struggling to rein in online abuse. At an estimated hundreds of thousands of dollars per case, it’s a low-risk endeavor for the tech giant, former prosecutors say.
“Reliable and regular enforcement when folks step outside the law brings us closer to a society where less of us are harmed,” says Kathleen Morris, resident scholar of law at UC Berkeley’s Institute of Governmental Studies. “This is healthy and robust collaboration on law enforcement by the public and private sectors.”
Google’s general counsel, Halimah DeLaine Prado, tells WIRED she wants to send a message to other companies that the corporate legal department can do more than be the team that says “no” to wild ideas. “Legal can be a proactive protector,” she says.
Marketing Scams
DeLaine Prado says that from its earliest days, Google has considered pursuing litigation against people abusing its platforms and intellectual property. But the first case she and other leaders within Google recall filing was in 2015. Google accused Local Lighthouse, a California marketing company, of placing robocalls to dupe small businesses into paying to improve their ranking in search results. Google alleged trademark infringement, unfair competition, and false advertising. As part of a settlement, Lighthouse stopped the problematic calls.
Since then, Google has filed complaints against five similar allegedly scammy marketers, with three of them ending in settlements so far. A Florida business and its owners agreed to pay Google $850,000, and a Los Angeles man who allegedly posted 14,000 fake reviews on Google Maps agreed to stop. Terms of the third deal, with an Illinois company, were not disclosed in court files, but Google spokesperson José Castañeda says it involved a seven-figure payment to Google.
Castañeda says Google has donated all the money it has collected to recipients such as the Better Business Bureau Institute, the National Consumers League, Partnership to End Addiction, Cybercrime Support Network, and various US chambers of commerce.
Another genre of cases has targeted individuals submitting false copyright complaints to Google to get content removed from the company’s services. A man in Omaha, Nebraska, whom Google accused of falsely claiming ownership of YouTube videos to extort money from their real owners, agreed to pay $25,000 to Google. Two individuals in Vietnam sued by Google never responded—a common issue.
In 2022, Google won default judgment against an individual in Cameroon who never responded to charges that he was using Gmail to scam people into paying for fake puppies, including a $700 basset hound. After the lawsuit, complaints about the scammer dried up, according to Google.
But legal experts say the most fascinating cases of Google’s affirmative litigation are four that it filed against alleged computer hackers. The suits emerged after months of investigation into Glupteba.
Security engineers at Google realized that eradicating Glupteba through the typical approach of taking down associated servers would be difficult. The hackers behind it had designed a backup system involving a blockchain that enabled Glupteba to resurrect itself and keep pilfering away.
That’s in part why Google’s attorneys suggested suing. Chun, the security legal director, had pursued cases against botnets as a federal prosecutor. “I thought this would be something good to do from a civil angle for a company as well,” he says. “Law enforcement agencies have limits on what they can do. And Google has a large voice and the litigation capacity.”
Chun and other attorneys cautioned their bosses that the hackers might use the lawsuit to reverse engineer Google’s investigation methods and make Glupteba more evasive and resilient. But ultimately, DeLaine Prado, who has final say over lawsuits, signed off. Chun says his former colleagues from the government applauded the complaint.
Google sued Dmitry Starovikov and Alexander Filippov, alleging that they were the Russia-based masterminds behind Glupteba after linking websites associated with the virus to Google accounts in their name. The search giant accused the duo (and unknown co-conspirators) of violating the Racketeer Influenced and Corrupt Organizations Act (RICO), the Computer Fraud and Abuse Act, and the Electronic Communications Privacy Act. The lawsuit also alleged a trademark law violation for hiding Glupteba in a tool that claimed to download videos from YouTube.
Google argued that it had suffered substantial harm, having never received payment for ads it had sold to the hackers, who allegedly were using fraudulent credit cards. Users also had their experiences with Google services degraded, putting them at risk and impairing the value of the company’s brand, according to the lawsuit.
In court papers, Starovikov and Filippov stated they learned of the lawsuit only through friends and then decided to hire a New York attorney, Igor Litvak, to fight on their behalf. The defendants initially offered innocent explanations for their software related to Glupteba and said that their projects had not targeted the US market. At one point, they countersued Google for $10 million, and at another, they allegedly demanded $1 million each to hand over the keys to shut down the botnet. They eventually denied the allegations against them.
Following an ordeal over whether the defendants could obtain Russian passports, sit for depositions in Europe, and turn over work files, Google’s attorneys and Litvak traded accusations of lying. In 2022, US district judge Denise Cote sided with Google. She found in a 48-page ruling that the defendants “intentionally withheld information” and “misrepresented their willingness and ability” to disclose it to “avoid liability and further profit” from Glupteba. “The record here is sufficient to find a willful attempt to defraud the Court,” Cote wrote.
Cote sanctioned Litvak, and he agreed to pay Google $250,000 in total through 2027 to settle. The jurist also ordered Starovikov and Filippov to pay nearly $526,000 combined to cover Google’s attorneys fees. Castañeda says Google has received payment from all three.
Litvak tells WIRED that he still disagrees with the judge’s findings and that Russia’s strained relationship with the US may have weighed on whom the judge trusted. “It’s telling that after I filed a motion to reconsider, pointing out serious issues with the court’s decision, the court went back on its original decision and referred [the] case to mediation, which ended with … me not having to admit to doing anything wrong,” he says in an email.
Google’s Castañeda says the case achieved the intended effect: The Russian hackers stopped misusing Google services and shut down their marketplace for stolen logins, while the number of Glupteba-infected computers fell 78 percent.
Not every case delivers measurable results. Defendants in Google’s other three hacking cases haven’t responded to the accusations. That led to Google last year winning default judgment against three individuals in Pakistan accused of infecting more than 672,000 computers by masquerading malware as downloads of Google’s Chrome browser. Unopposed victories are also expected in the remaining cases, including one in which overseas app developers allegedly stole money through bogus investment apps and are being sued for violating YouTube Community Guidelines.
Royal Hansen, Google’s vice president for privacy, safety, and security engineering, says lawsuits that don’t result in defendants paying up or agreeing to stop the alleged misuse still can make alleged perpetrators’ lives more difficult. Google uses the rulings as evidence to persuade businesses such as banks and cloud providers to cut off the defendants. Other hackers might not want to work with them knowing they have been outed. Defendants also could be more cautious about crossing international borders and becoming newly subject to scrutiny from local authorities. “That’s a win as well,” Hansen says.
More to Come
These days, Google’s small litigation advance team meets about twice a week with other units across the company to discuss potential lawsuits. They weigh whether a case could set a helpful precedent to give extra teeth to Google’s policies or draw awareness to an emerging threat.
Team leader Day says that as Google has honed its process, filing cases has become more affordable. That should lead to more lawsuits each year, including some for the first time potentially filed outside the US or representing specific users who have been harmed, he says.
The tech giants’ ever-sprawling empires leave no shortage of novel cases to pursue. Google’s sibling company Waymo recently adopted the affirmative litigation approach and sued two people who allegedly smashed and slashed its self-driving taxis. Microsoft, meanwhile, is weighing cases against people using generative AI technology for malicious or fraudulent purposes, says Steven Masada, assistant general counsel of the company’s Digital Crimes Unit.
The questions remain whether the increasing cadence of litigation has left cybercriminals any bit deterred and whether a broader range of internet companies will go on the legal offense.
Erin Bernstein, who runs the law firm Bradley Bernstein Sands, which helps governments pursue civil lawsuits, says she recently pitched a handful of companies across industries on doing their own affirmative litigation. Though none have accepted her offer, she’s optimistic. “It will be a growing area,” Bernstein says.
But Google’s DeLaine Prado hopes affirmative litigation eventually slows. “In a perfect world, this work would disappear over time if it’s successful,” she says. “I actually want to make sure that our success kind of makes us almost obsolete, at least as it relates to this type of work.”
