Courthouse News Service | Saturday, May 18, 2024

Ninth Circuit probes restitution award for corporate victims of Russian hacker

The 3-judge panel questioned whether four tech companies hacked by Yevgeniy Nikulin in 2012 are entitled to a $1.7 million restitution award ordered by a federal judge.

SAN FRANCISCO (CN) — A federal judge’s $1.7 million restitution award to four corporations hacked by Russian national Yevgeniy Nikulin took center stage at a hearing before three Ninth Circuit judges Friday as Nikulin’s attorney argued that the companies did not substantiate their losses.

In 2020, a jury found Nikulin responsible for three data breaches in 2012 at LinkedIn, Dropbox and now-defunct social media platform Formspring, and stealing more than 100 million encrypted user passwords that he sold to associates.

Nikulin was arrested in the Czech Republic in 2016 and extradited to the U.S. in 2018 to face nine criminal counts of computer intrusion, causing damage to a protected computer, aggravated identity theft, trafficking and conspiracy.

A web of circumstantial evidence turned out to be his undoing, as investigators connected Nikulin to malware installed on a LinkedIn engineer’s computer. Using credentials stolen from LinkedIn, the hacker next targeted a Dropbox employee and breached his work account, sending an invite to himself at the email address [email protected] to join a shared employee Dropbox account. 

From there, he went on to compromise a Formspring employee work account by accessing the password database he had stored in his Dropbox, then using the employee’s work login to breach Formspring’s corporate database and pilfer millions of hashed user passwords that showed up on internet hacker forums.

Nikulin’s corporate victims said they immediately flew into panic mode upon learning of the intrusions, estimating in victim impact statements submitted to the court that they spent hundreds of hours trying to undo the damage.

LinkedIn, for example, said it set up a “war room” lasting 24 hours a day, seven days a week, for approximately two months, diverting time and resources away from other projects. It also hired outside security consultants to diagnose and fix the breach.

U.S. District Judge William Alsup sentenced him to 88 months in federal prison and ordered him to pay $1,734,000 in restitution: $1 million to LinkedIn — reduced from a requested $2 million — $514,000 to Dropbox, and $20,000 to Formspring. He also awarded WordPress parent company Automattic $200,000, though Nikulin was not charged for that intrusion because there was no evidence that he stole any user credentials.

Nikulin’s appellate attorney Karen Landau said Friday that the companies did not state their losses with enough specificity.

U.S. Circuit Judge Lawrence VanDyke, a Donald Trump appointee, said the companies just have to show by clear and convincing evidence that they lost more than $550,000, the standard by which Alsup imposed Nikulin’s sentence.

“If there's clear and convincing evidence that it was above $550,000 we don't need to know whether it was $550,001 or whether it was $5 million,” he said.

Landau protested, “The difficulty here is there's just no facts.”

“Well there's no receipts so to speak, which is maybe a problem under restitution, but there is a lot of facts,” VanDyke countered. “There was a lot of testimony about a huge company — LinkedIn — and a huge team working on it for weeks. You put any kind of number on those and it's like saying ‘I don't know what I spent for lunch but I ate lunch, and so I know it was more than $5.’ It seems like we're kind of in that land, it's pretty clear that it had to be over $550,000.”

“There are facts but none of them are even borderline specific,” Landau said. “So what we have is a lot of hours and we have nothing to tie that to value.”

Assistant U.S. Attorney Michelle Kane said the district court’s loss figure was conservative and “amply supported by trial evidence and the victim impact statements.”

But Chief U.S. Circuit Judge Mary Murguia said she had difficulty reconciling the $1.7 million restitution award with the $550,000 standard the court used in calculating Nikulin’s sentence.

“It just struck me that the restitution amount far exceeded the loss amount. Is that common? I don’t know that I’ve ever seen that. Why is that not a big red flag,” the Barack Obama appointee said.

Kane said Alsup used a “cautionary, conservative” loss amount for determining Nikulin’s punishment, which he reduced to $550,000 for his benefit. She said it should not affect the amount of restitution required to make his victims whole. “It’s not a problem for them to be different,” she said.

The court took the arguments under submission, indicating it may send the restitution award back to Alsup for reconsideration.

Follow @MariaDinzeo