This article is more than 1 year old

San Francisco trial of Russian bloke extradited and accused of hacking LinkedIn, Dropbox, Formspring stalls again amid pandemic lockdown

Case that has rumbled on since 2016 may have to be started again from scratch

The man accused of hacking LinkedIn, Dropbox and the Formspring Q&A forum, and later selling the stolen data of hundreds of millions of users, has seen his trial disrupted a third time by the coronavirus pandemic.

At a hearing on Tuesday, Judge William Alsup again delayed the US trial of alleged Russian hacker Yevgeniy Nikulin until June 1; the third such delay since the COVID-19 virus appeared in San Francisco, where proceedings are unfolding. The judge also reviewed responses [PDF] from jurors who were asked last week whether they would be happy to return to the courthouse given the potential health risk.

A majority said no, as did several key witnesses. So it's back to jail for a bloke arrested in 2016 on suspicion of hacking the home computers of corporate workers and compromising over 200 million accounts.

Two days of the estimated seven-day trial of Nikulin have already taken place, on March 10 and 11. When the governor of California put the US state on lockdown to curb the coronavirus's spread, hearings were put on hold. Its resumption has been repeatedly delayed: first it was due to restart on April 13, and then after a lockdown extension, on May 4.

Nikulin was arrested in the Czech Republic in October 2016 for his alleged role in hacks that took place more than three years earlier. He was staying at a hotel in Prague with his girlfriend, and reportedly driving around in an expensive car. Soon after, international crime police organization Interpol identified him, issued a Red Notice, and the city's plod grabbed him in a restaurant.

As soon as he was collared, American prosecutors applied to have him extradited to the US to face nine felony counts for hacking the systems of LinkedIn, Dropbox and Formspring, as well as trying to break into Wordpress maker Automattic’s systems, by posing as employees of each company. He faces ten years in prison if found guilty.

Not so fast

The extradition took 18 months, in large part because the Russian authorities – who, it is claimed, had recruited Nikulin to assist in its own hacking efforts – put in an extradition request over a much smaller hacking charge. Eventually, Nikulin was flown to the US where he pleaded not guilty to the charges, and a trial by jury was scheduled.


US and Russia engaged in legal tug of war over LinkedIn hack suspect


However, that process was again delayed over concerns for Nikulin’s mental health. His defense team said he was suffering from a mental illness, and was unable to fully understand what was happening. Judge Alsup agreed to an evaluation following reports of Nikulin being violent and non-communicative behind bars, which has resulted in him being placed in shackles during his pre-trial hearings.

Nikulin refused to meet his defense team’s psychiatrist, however, resulting in the suspect being sent to a secure facility in Los Angeles for an eight-week evaluation by a psychologist. The subsequent report [PDF] revealed some disturbing details about Nikulin including his father’s abuse, his brother’s suicide, and a family history of mental-health issues.

However, the court agreed with the assessment that he was able to understand the charges put against him and the situation he was in, and that he was able to follow the trial’s proceedings with the help of a Russian translator.

His behavior was put down to a narcissistic personality disorder: “Essential features of which are ‘a pervasive pattern of grandiosity, need for admiration, and lack of empathy’.” His defense argued he was suffering from Post-traumatic Chronic Stress Disorder – a diagnosis the judge decided was “significantly less credible.”

That process took an additional nine months, so by the time the decision was made to move forward with a jury trial, the “voluminous discovery” was reviewed, a date set for the trial, and the opening statements made, Nikulin has already been in the clink for 41 months, or nearly three-and-a-half years.

I see sea shells

During the two days of the trial that did take place, witnesses from the tech companies in question walked through the evidence [PDF] they had of how their systems were hacked by someone posing as an employee.

The intruder had managed to access the home machines of employees and install malicious software on them, including an “r57” backdoor shell. Their login credentials were then stolen and used to log into their employers' systems via a VPN. Logs from those attempts were sent for forensic analysis and were eventually tracked back to Nikulin by the FBI, it is claimed.

The goal of the hacks was to steal, and then sell on the underground, user account credentials from LinkedIn, Dropbox, and Formspring, and the intrusions were enormously successful: despite initially announcing that 6.5 million accounts had been compromised, LinkedIn later admitted that figure should have been no fewer than 117 million. Dropbox confirmed that 68 million of its accounts were hacked. And Formspring reset 28 million passwords as a result of the heist.

An FBI special agent is expected to testify about the underground market for usernames and passwords, including encrypted and hashed passwords that are cracked via brute-force attacks.

Despite repeated attempts to restart the trial, including reconfiguring the courthouse to allow for social distancing, the stay-at-home orders, the trouble will flying in expert witnesses from Washington and Southern California, and jurors and witnesses' health concerns have prevented it.

In a memorandum [PDF] the judge requested the prosecution team put together, the legal justifications and case history to postpone and/or call a mistrial have been pulled together. Fundamentally, the issue is the fact that the trial started and then there has been a significant delay in proceedings, during which time the jury is likely to have forgotten key details of testimony and there is a far greater likelihood that jurors will have read coverage of the case.

With the lockdown in San Francisco now extended to the end of May, Judge Alsup is likely at the limit of what he could allow to ensure a fair trial. If it gets extended past June 1, it is very likely he will declare a mistrial and the whole process will have to start over.

Either way, Yevgeniy Nikulin is going to have to spend many more months in prison until he is given an opportunity to respond to the hacking charges. ®

More about


Send us news

Other stories you might like