SAN FRANCISCO (CN) — Prosecutors tied up their case Wednesday against Yevgeniy Nikulin, a Russian man accused of hacking tech companies LinkedIn, DropBox and Formspring in 2012.
With FBI Special Agent Jeffrey Miller on the stand, Assistant U.S. Attorney Michelle Kane walked the jury, in meticulous detail, through a Byzantine web of connections that seemed to point to Nikulin as the hacker behind the intrusions who made off with more than 100 million user credentials.
Nikulin was arrested in the Czech Republic in 2016 and extradited to the U.S. in 2018 to face nine criminal counts of computer intrusion, causing damage to a protected computer, aggravated identity theft, trafficking, and conspiracy.
The FBI believes Nikulin infiltrated the LinkedIn network in March 2012 by first compromising a computer belonging to one of its engineers, Nick Berry. Prosecutors say he installed malicious software on the computer that allowed him to take control of it remotely. Using Berry’s credentials, Nikulin allegedly gained access to LinkedIn’s servers and obtained a copy of a database containing its users’ login information.
An internal investigation by the company revealed suspicious logins from Berry’s VPN — a system he could use to log into LinkedIn from his home computer — from IP addresses tied to Russia. But Berry had been in the San Francisco Bay Area the entire time.
The same kind of intrusion happened to filesharing company Dropbox that same year, after which lists of user passwords showed up on the Russian internet forum Insiderpro. Like LinkedIn, DropBox kept logs and were able to trace the origin of the attack to a Russian IP address belonging to the email account firstname.lastname@example.org.
The FBI also found another email account tied to an IP address used in the LinkedIn attack that was registered under email@example.com, which was controlled by the same person who controlled chinabig01.
Investigators connected Nikulin to the r00talka address through automated email notifications sent to r00talka from the social networking site VK.com — the Russian equivalent of Facebook — that revealed photos of Nikulin as the supposed owner of the account, along with VK messages sent to him by his girlfriend Anna Shebdova.
On Wednesday, Miller testified that Nikulin was the person behind firstname.lastname@example.org, evidenced by Skype chat logs with Oleksander Ieremenko, a Ukrainian national from whose apartment the U.S. Secret Service recovered a hard drive in November 2012 during a separate cybercrime investigation.
The logs, which were shown to the jury but not to the members of the press and public viewing the trial on Zoom, reveal an individual with the Skype name dex.007 giving another individual with the Skype moniker Vaiobro a list of LinkedIn member email addresses, usernames and password hashes in October 2012. It also shows dex.007 sending Vaiobro a link to the password “Zopaqwe1,” which Miller traced to the chinabig01 Gmail account.
The individual known as “dex.007” has been identified as Yevgeniy Lomovich, which the FBI believes is Nikulin’s alias, though his lawyers argue Lomovich could be someone else’s surname. The FBI also believes Vaiobro is Ieremenko operating under the alias Sergey Shalyapin.
Miller talked the jury through a spreadsheet he compiled showing the overlap between the IP address for dex.007’s Skype chat and the IP address used to log into employee accounts for Formspring and Dropbox, as well as a browser cookie tied to the LinkedIn intrusion.
Other information contained in the chat seems to tie Nikulin to dex.007. “Thanks a lot for the accounts,” Ieremenko (Viaobro) says, adding, “Don’t be sad about Anya, it will be ok” in reference to Nikulin’s girlfriend. On Oct. 18, 2012, Ieremenko wishes dex.007 happy birthday and encourages him to buy himself a $10,000 watch as a gift, to which dex.007 replies, “Why not $25K? 25 years old= $25K.”
Miller told the jury that Nikulin was born on Oct. 19, 1987, making him 25 years old at the time of the chat.
The FBI agent also testified a Russian hacker named Nikita Kislitsin brokered the sale of the pilfered Formspring credentials through Alexsey Belan, another hacker who prosecutors say put him in touch with Nikulin.
“Hi are you going to contact my guy and his partner?” Belan asked Kislitsin in a July 2012 email, to which Kislitsin responded “It’s done, I got in touch with him.”
Belan then said “I can completely vouch for him,” and asked what the database contains. Kislitsin replied, “It’s Formspring.”
Emails also show Kislitsin selling the Formspring credentials, for which he received $7,100 through a two wire transfers in September 2012 from someone named “Rais.”
On cross-examination, Nikulin’s defense attorney Adam Gasner argued Miller’s desire to solve the case caused him to fixate on Nikulin, to the exclusion of all other possible suspects like Ieremenko, indicted for hacking the U.S. Securities & Exchange Commission, or Evgeniy Bogachev, a hacker wanted by the FBI for the GameOverZeus malware hack that infected more than 1 million computers. Bogachev was indicted in 2012 but remains at large in Russia.
Gasner reminded Miller that Evgeniy is another spelling of Yevgeniy and has the same diminutive “Zhenya,” which also shows up in chat logs and transcripts as Nikulin’s purported nickname.
Miller vehemently denied any bias against Nikulin, saying he believes the evidence suggests that Nikulin committed the hacks.
Kane’s direct examination of Miller on Tuesday took far longer than expected, forcing closing arguments to be pushed back to Thursday.