SAN FRANCISCO (CN) — A 12-person jury found that a trail of digital breadcrumbs led to Yevgeniy Nikulin as the hacker responsible for three data breaches in 2012 at LinkedIn, Dropbox and Formspring and the theft of more than 100 million user credentials.
The trail began with Nick Berry, a LinkedIn engineer whose personal computer was hacked in March 2012. By installing a malicious software program that allowed him to gain access to Berry’s Virtual Private Network — the means by which Berry could log in to work remotely — the hacker infiltrated the company’s internal database of user credentials.
Using credentials stolen from LinkedIn, the hacker next targeted Dropbox employee Tom Wiegand and breached his work account, sending an invite to himself at the email address firstname.lastname@example.org to join a shared employee Dropbox account.
From there, he went on to compromise Formspring employee John Sanders’ work account by accessing the password database Sanders had stored in his Dropbox, then using Sanders’ work login to breach Formspring’s corporate database and make off with millions of hashed user passwords from the now shuttered Q&A site that later showed up on internet hacker forums.
“The data from one intrusion facilitated the next,” Assistant United States Attorney Katherine Wawrzyniak told the jury during closing arguments Friday.
Investigators tied all three company hacks to the email@example.com address. Wawrzyniak told the jury that the email address was a burner account intended to receive automatic messages sent to the hacker’s various aliases. Chinabig01 was also used to create a Vimeo account with username Uarebeenhacked.
Prosecutors believe Nikulin controlled that email address, as well as firstname.lastname@example.org, which was used for an account on the gaming website Kongregate with the username and password zopaqwe1, the same username and password used by email@example.com for an account on the domain hosting site Afraid.org.
They also linked r00talka and chinabig01 through search history — both contained searches related to Kantemirovskaya Street, the Moscow residence that IP address records traced to Nikulin, as well as searches for information related to the LinkedIn hack. R00talka was also the recipient of numerous notifications from Nikulin’s social media account on VK — Russia’s Facebook equivalent — alerting him to messages from his brother and girlfriend, along with a message from a friend saying the two were neighbors again on Kantemirovskaya Street.
Nikulin, using the alleged pseudonym “Yevgeniy Lomovich,” a surname that translates to crowbar and that prosecutors believe is a play on “hacker,” gave his friend Oleksander Ieremenko via Skype chat the login and password zopaqwe1 for his account on Afraid.org. Investigators later obtained records from Afraid.org showing someone was scanning its systems for vulnerabilities.
The Skype chat logs were obtained from a U.S. Secret Service search of Ieremenko’s apartment in Ukraine as part of an unrelated cybercriminal investigation, and later turned over to the FBI.
“The carefully collected digital evidence proves the following: Chinabig01@gmail.com was responsible for the hacks, and is connected to these other electronic accounts including ultimately the firstname.lastname@example.org address,” Wawrzyniak said. “R00talka is clearly controlled by the defendant Yevgeniy Nikulin. This is how the digital trail ties together.”
Nikulin, now 32, was arrested in the Czech Republic in 2016 and extradited to the U.S. in 2018 to face nine criminal counts of computer intrusion, causing damage to a protected computer, aggravated identity theft, trafficking and conspiracy. The jury convicted him on all counts, but found the government did not present enough evidence to prove that he committed the Dropbox and Formspring hacks for financial gain.
Wawrzyniak painted Nikulin as part of a close clique of hacker friends. Ieremenko and Nikulin talked about his problems with his girlfriend Anna, and Nikulin, Ieremenko and other hackers supposedly met at a Moscow hotel conference room in March 2012.
Nikita Kislitsin, indicted for trying to sell the stolen Formspring data, was also at that hotel meeting. Wawrzyniak said Kislitsin was acquainted with Nikulin through a mutual friend named Alexsey Belan, who urged Kislitsin through email to contact Nikulin, though he did not explicitly name Nikulin in the email exchange.
In his closing, Nikulin’s counsel Adam Gasner said the government’s evidence was “unreliable, circumstantial, and at times confusing.” He said prosecutors had no direct evidence of Nikulin’s guilt, only “weak and unclear connections.” He attacked the reliability of the information prosecutors received from the Russian government connecting Nikulin’s IP address to the LinkedIn hack.
“The source of that evidence is the Russian government itself,” he said. “The source of the evidence comes from an entity that actually supports criminal activity and any evidence they provide should be suspect and given little weight.”
He made much of the questionable authenticity of documents returned to the FBI through a mutual legal assistance treaty with Russia, and suggested that Nikulin might have been framed by his own government.
“The actual certificate of authenticity is straight up not filled out correctly,” he said. “It’s missing essential information that should not give you any confidence in the quality of this evidence.”
Gasner said FBI Special Agent Jeffrey Miller, the government’s star witness in the case, had tunnel vision that prevented him from considering the possibility that at-large hacker Evgeniy Bogachev could have been responsible for the crime.
After all, Bogachev is still wanted by the FBI in connection with a devastating malware attack that compromised 100 million bank accounts around the world.
Zeroing in on Russia’s history of conspiring with hacker mercenaries, he added, “Why would the Russian government provide misinformation to the U.S.? Perhaps allowing a real culprit to be caught and tried in the U.S. would lead to a lot of revelations the Russians don’t want us to know.”
Prosecutors urged the jury not to consider this.
“Nothing was similar about these hacks and the allegations against Evgeniy Bogachev,” Assistant U.S. Attorney Michelle Kane said on rebuttal. “The defendant is literally pointing to some other guy with the same first name and saying ‘maybe he did it.’ There’s not a shred of evidence that points to that.”
Kane also scoffed at the idea of a possible frame-up by the Russian government. “If you think about that for more than one second it completely falls apart,” she said, noting the IP address records were obtained by the FBI from Russia in 2013, while Nikulin’s Skype chat logs with Ieremenko were from October 2012.
“It would have required the Russian government to go back to 2012 and plant evidence on a computer in Ukraine to frame the defendant.”
The jury, as it turned out, didn’t buy the defense team’s alternate theories.
After the verdict was read, U.S. Attorney David Anderson issued a statement hailing it as a warning to “would-be hackers” and congratulating the Northern District for holding its first jury trial during the Covid-19 pandemic.
“Today’s guilty verdicts are the result of our first federal jury trial in San Francisco since the beginning of shelter in place. I am immensely grateful to Judge Alsup for getting this case to trial. Trial by jury is one of the defining features of the American justice system. We need jury trials to administer justice,” said U.S. Attorney Anderson.
“Nikulin’s conviction is a warning to would-be hackers, wherever they may be. Computer hacking is not just a crime, it is a direct threat to the security and privacy of Americans. American law enforcement will respond to that threat regardless of where it originates.”
U.S. District Judge William Alsup also praised the jury.
“You are a tremendous group of people and our country should be proud to have a group of citizens willing to come in during a pandemic and put yourself at risk so our criminal justice system can survive,” he told them. “You are the first jury to sit as a jury in this district since the pandemic. A lot of the country has been following the case in order to learn about how we can continue the criminal justice system in this time.”