In U.S. Hacker Trial, The Tangled Web Of Russia's Cyberunderground Is Further Exposed
By Mike Eckel March 06, 2020
In March 2012, a 25-year-old Russian computer whiz named Yevgeny Nikulin sat with several others in a conference room in a hotel in eastern Moscow. A video taken by a Ukrainian named Oleksandr Ieremenko showed them discussing plans for an Internet cafe business and other matters.
In an earlier part of the video, Ieremenko, 19, drives to the hotel to meet the group, which he calls a "summit of bad motherf*****s."
That same month, according to U.S. prosecutors, Nikulin broke into a social-media company engineer's computer half a world away, in California -- and allegedly stole the usernames and passwords used by tens of millions of people to access their LinkedIn accounts. Some of that data was put up for sale on a notorious Russian hacker forum that June.
These details and other evidence were contained in pretrial motions filed by prosecutors this week ahead of the opening of Nikulin's trial in U.S. federal court in San Francisco. Jury selection is scheduled to begin on March 9.
The case against Nikulin, who was arrested in 2016 in Prague and extradited to the United States in 2018, is the latest example of a Russian citizen facing prosecution in the United States for cybercrimes, a trend that has infuriated the Russian Foreign Ministry, which complains that the United States is "hunting" Russians around the globe.
But the pretrial motions add yet more evidence of the web of relationships among Russia's cyberunderworld, allegedly tying Nikulin, now 32, to people who have been charged with even bigger, more serious hacks. That includes a hacker who allegedly worked for Russian intelligence to steal hundreds of millions of Yahoo user credentials -- possibly used in the 2016 hack of the U.S. Democratic National Committee, according to cyberexperts.
Nikulin, who was examined by court-ordered psychologists last year amid concerns about his mental health, has pleaded not guilty to the charges.
Arkady Bukh, one of Nikulin's defense lawyers, said prosecution lawyers appeared to be trying to pressure Nikulin to plead guilty ahead of the trial; particularly, he said, since the conviction rate for such cybercases is high.
Nikulin, however, has refused his lawyer's counsel to change his plea to guilty.
'Zhenya' From Moscow
According to prosecutors' evidence, the video showing Nikulin, Ieremenko, and others was from a hard drive seized by Ukrainian authorities who raided Ieremenko's home in Kyiv, and the homes of several other alleged Ukrainian hackers, in November 2012.
An FBI affidavit said photographs found on the hard drive included photos that said "Zhenya from Moscow" -- a diminutive form of the name Yevgeny.
The U.S. Secret Service obtained the hard drive as part of an investigation into hacks of several business newswires, a scheme that involved selling unreleased corporate information to stock traders who then made trades based on the nonpublic information.
Ieremenko, now 27, was implicated in that scheme, but he gained wider notoriety in 2019 when U.S. authorities indicted him and another Ukrainian in a similar scam that traded on corporate earnings reports stolen from a database of the U.S. Securities and Exchange Commission. Ieremenko is believed to be in Russia.
According to the trial motions, Nikulin worked closely with Ieremenko in 2012, sharing hacked passwords and coding tips, using Skype accounts. A Skype address they tied to Nikulin -- dex.007 -- was used to send Ieremenko a link containing the password to one of Nikulin's accounts on a domain hosting site, along with stolen LinkedIn credentials.
'Reporting On The Spot'
The video, one of eight copied from Ieremenko's hard drive, was shot on March 18 or 19, 2012. In it, the person making the video narrates it, saying: "In short, we are reporting on the spot. Now, here at this Vega Izmailovo Hotel, there will be a fucking summit of bad motherf*****s," according to the U.S. transcript submitted in the court record.
Nikulin also worked closely with another Russian, Nikita Kislitsin, who was indicted in the United States in 2014 on conspiracy charges related to the hack of another, lesser-known social media company called Formspring. Kislitsin's indictment, which had been under seal since being filed, was unsealed earlier this week.
U.S. prosecutors say that, three months after the Moscow meeting, Nikulin himself stole 30 million user credentials from the social-networking service Formspring, and utilized some of those credentials when he hacked into the LinkedIn engineer's computer.
According to the court documents, the FBI used "court-ordered electronic interceptions" -- phone and e-mail taps -- to track Nikulin in 2012 and 2013.
U.S. investigators discovered overlap with another Russian, Aleksei Belan, under investigation in connection with a separate hack: the theft of user credentials from the Internet giant Yahoo, beginning in 2013.
Yahoo eventually revealed all 3 billion of its users had had their credentials compromised in what is today considered one of the largest data breaches in the history of the Internet.
Prosecutors said the FBI, which had obtained a court-authorized warrant to search Belan's e-mail and tap his phones, found that Belan, along with Kislitsin, purchased the Formspring passwords in July 2012.
That same year, Belan was put on the FBI's Top Ten Most Wanted list for cyberthieves. The following year, he was arrested in Greece at the request of U.S. authorities. But he avoided being extradited and escaped back into Russia, according to U.S. and European authorities.
In 2014, according to previous U.S. documents, Belan was recruited by Russia's main intelligence and security agency, the Federal Security Service (FSB), and its cyberunit, known as the Center for Information Security.
Belan, according to the 2016 Yahoo hack indictment, was ordered by the FSB cyberunit to conduct the breach of Yahoo accounts.
In all, U.S. officials charged four people with the Yahoo breach, including two FSB officers. Those officers themselves were later arrested by the FSB itself, and charged with state treason, allegedly for passing classified intelligence to U.S. agencies.
One, Sergei Mikhailov, pleaded not guilty to the Russian charges, and was sentenced last year to 22 years in prison. The other, Dmitry Dokuchaev, pleaded guilty, and agreed to cooperate with investigators. He was handed a six-year sentence.
In December 2016, in response to the U.S. intelligence community's conclusion that Russia had tried to meddle in the presidential election won by Donald Trump that year, the administration of outgoing President Barack Obama announced sweeping sanctions against Belan and another Russian, who also allegedly had ties to Russian intelligence, Yevgeny Bogachev.
The interference, according to U.S. intelligence, included the hack of the U.S. Democratic National Committee, and the theft of e-mails that were later leaked publicly during the election campaign. U.S. officials, and cyberanalysts, have said the FSB was among those responsible for the hack, and that the stolen Yahoo credentials may have been used to trick victims into letting hackers steal their e-mails.
A further illustration of the web of ties among Russia's cyberunderground comes in the case of Kislitsin, who attended the March 2012 meeting in Moscow with Nikulin and Ieremenko.
Kislitsin, according to U.S. prosecutors, allegedly partnered with Belan to get the Formspring data from Nikulin in July 2012.
The following year, in 2013, Kislitsin met with an official from the U.S. Justice Department to discuss "research into the [cyber]underground," according to Group IB, a prominent Russian cybersecurity and research firm.
Kislitsin was joined in the meeting with the Justice Department official by representatives from Group IB, according to a Group IB statement provided to RFE/RL.
Group IB later hired Kislitsin, and he is currently listed as the "head of network security" for the company.
Asked for comment about the newly unsealed charges against Kislitsin, which include conspiracy and trafficking in stolen user names and passwords, Group IB said that they predate his employment.
"The information that has become public contains only allegations, and no findings have been made that Nikita Kislitsin has engaged in any wrongdoing," the company said in the statement to RFE/RL.
The company also said that after the 2013 meeting with the Justice Department official, "neither Group-IB nor Nikita Kislitsin have been officially approached with any additional questions."
And there's one other connection involving Kislitsin. He previously worked as editor in chief for a well-known Russian cybermagazine called Hacker, where the ex-FSB officer Dokuchaev worked for him, writing under his nickname, Forb.
'I Want To Hack The Prison'
Nikulin was arrested in Prague in October 2016 after his entrance into the country a few days earlier triggered a notification among Czech law enforcement.
He and his lawyers strenuously fought the U.S. request for his extradition. Ultimately, he was sent to the United States in March 2018, prompting an angry statement from the Russian Foreign Ministry, which called it "a conscious, politically motivated step by the Czech side aimed at undermining the constructive basis of bilateral cooperation."
While in U.S. custody, Nikulin was reported by prison authorities as behaving strangely, prompting a judge to order a psychological examination. He was later deemed competent to stand trial.
"He is refusing to accept a guilty plea, and this is another example of his mental condition," Bukh told RFE/RL.
The evidence that will be introduced in the trial also includes other less significant but revealing comments, including a transcript of a phone conversation Nikulin had with a woman named Anya in November 2018.
In the conversation, Nikulin complained that he had not received food, or books and magazines, as he had requested. He also joked with Anya.
"I want to hack the prison," he is quoted as saying. "The rules here are stupid."
Copyright (c) 2020. RFE/RL, Inc. Reprinted with the permission of Radio Free Europe/Radio Liberty, 1201 Connecticut Ave., N.W. Washington DC 20036.