The Russian hacker accused of raiding LinkedIn, Dropbox and Formspring, and obtaining data on 213 million user accounts, has been found guilty.
On Friday, Yevgeniy Nikulin was convicted [PDF] by a San Francisco jury of committing computer intrusion, data theft, and other charges [PDF] relating to the databases he broke into and siphoned off in 2012.
The jury reckoned Nikulin probably swiped the LinkedIn account details, all 117 million of them, for commercial gain, though they didn't think greed played a role in his theft of 28 million account records from Formspring and 68 million from Dropbox. The Linkedin info was put up for sale, and leaked online along with the Dropbox data and at least a portion of the Formspring haul. The data contained usernames, email addresses, and hashed passwords.
The prosecution outlined how Nikulin had stolen the login credentials of employees at a bunch of US tech firms, and then used them to access back-end systems before downloading vast amounts of personal data that he later sold. Much of the case rested on persuading the jury that various pseudonyms used by the hacker were, in fact, Nikulin.
Despite the unanimous jury decision, it was far from certain Nikulin would be found guilty, with district judge William Alsup repeatedly criticizing the prosecution’s case, at one point calling it “gobbledygook,” and the next day “mumbo jumbo,” as prosecutors tried to connect Nikulin to a wider hacking conspiracy.
Nikulin’s defense team argued the only solid evidence connecting him to the hacker was a document provided by the Russian government whose reliability it questioned, arguing that Nikulin had been set up by the Russians, who were feeding misinformation. Nikulin himself may have been hacked, his lawyer argued.
The FBI in response said that it had tracked Nikulin down to his Moscow apartment by following the hacker’s IP addresses and then confirmed it was him by observing his communications with others. As one example, an FBI agent testified that the hacker, using the alias “dex.007”, had told another hacker that he was going to buy himself a $25,000 watch for his 25th birthday. Nikulin turned 25 the day afterwards, said the agent.
Flash the cash... then dash
It was Nikulin’s ostentatious taste that finally led to his downfall. He was a wanted man, and Interpol, at the request of the US, had issued a Red Notice for his arrest. He attracted the attention of the Czech police when he visited Prague in 2016 with his girlfriend, driving around in a flashy car and spending liberally. The cops nabbed him in a restaurant.
Despite having been arrested four years ago, the trial has been dogged by delays; first by Russian authorities who tried to prevent him being extradited to America, and then following a lengthy dispute over whether he was mentally fit to stand trial.
When the trial finally began, it was almost immediately put on hold due to the coronavirus outbreak and was nearly abandoned after jury members made it plain they were uncomfortable spending the whole day in a confined space.
But thanks to some radical distancing measures in which the defendant, attorneys, and judge wore masks and witnesses testified behind a glass panel, the trial started again this month. The jury’s guilty decision is one of the first federal criminal cases to be decided through lockdown conditions in the US.
Judge Alsup noted the unusual circumstances just prior to the verdict being read, telling the jury that they were “a tremendous group of people and our country should be extremely proud to have citizens like you who will come in and do this in the middle of a terrible pandemic and put yourself at risk so that our criminal justice system can survive."
The man who headed the case, US Attorney David Anderson, also recognized the case's unusual nature: “Today’s guilty verdicts are the result of our first federal jury trial in San Francisco since the beginning of shelter in place. I am immensely grateful to Judge Alsup for getting this case to trial.”
He went on: “Nikulin’s conviction is a warning to would-be hackers, wherever they may be. Computer hacking is not just a crime, it is a direct threat to the security and privacy of Americans. American law enforcement will respond to that threat regardless of where it originates.”
Nikulin is due to be sentenced on September 29, 2020, and faces up to a decade behind bars and a fine of up to $250,000. ®