SAN FRANCISCO (CN) – The criminal trial of accused Russian hacker Yevgeniy Nikulin opened Tuesday, with lawyers from the Justice Department painting him as a run-of-the-mill thief who breached LinkedIn, DropBox, and Formspring computer networks in 2012 and made off with millions of usernames and passwords.
Nikulin is charged with three counts of computer intrusion, two counts of transmitting code to damage a computer, two counts of identity theft, one count of trafficking in unauthorized access devices, and one count of conspiracy. The 32-year-old Moscow native was arrested in the Czech Republic in 2016, leading to a protracted extradition fight that eventually landed him in U.S. custody in 2018.
If convicted, Nikulin could spend more than 30 years in prison and pay more than $1 million in fines.
“In the end, the evidence will show that despite the high-tech methods, the defendant was just a thief. An ordinary thief. He used other people’s credentials, other people’s keys, to break into computers, to steal valuable information and cause damage and loss in the process,” said Assistant U.S. Attorney Michelle Kane in her opening remarks to the jury. “He did it for the same reason openly steal anything – so he could use it or sell it.”
Kane said Nikulin infiltrated the LinkedIn network in March 2012 by first compromising a computer belonging to one of its engineers, Nicholas Berry. He allegedly installed malicious software on the computer that allowed him to take control of it remotely. Using Berry’s credentials, Nikulin allegedly gained access to LinkedIn’s servers and obtained a copy of a database containing its users’ login information.
Bruce Connelly, LinkedIn’s vice president of engineering, testified he first learned about the breach from a colleague. A list of LinkedIn user passwords had been posted to an online hacker forum.
Connelly said the company immediately flew into war room mode. A team of roughly 100 engineers worked for at least six weeks to remedy the problem, starting with an examination of LinkedIn’s log files.
“Log files are usually an indication of any kind of trace or trail left behind – anything abnormal. You usually look there to see if you can find any kind of fingerprints,” Connelly said.
What they found were suspicious logins from Berry’s VPN – a system he could use to log into LinkedIn from his home computer – from IP addresses tied to Russia. But Berry had been in the San Francisco Bay Area the entire time.
The same kind of intrusion happened to file-sharing company DropBox that same year, where lists of user passwords showed up on internet forums. Like LinkedIn, DropBox kept logs and was able to trace the origin of the attack to a Russian IP address belonging to the email account firstname.lastname@example.org.
The FBI also found another email account tied to an IP address used in the LinkedIn attack that was registered under email@example.com, which was controlled by the same person as the one who controlled chinabig01.
They tracked one of the users of the Russian IP address to Kantemirovskaya Street in Moscow.
The government’s indictment says Nikulin conspired with a network of other hackers to sell stolen login credentials, including a Ukrainian national named Oleksandr Ieremenko, who was arrested for a different hack in 2012.
It claims U.S. Secret Service agents gathered from Ieremenko’s hard drive a trove of evidence showing he and Nikulin worked together as part of a clique of internet malefactors.
Nikulin also allegedly shared his stolen Formspring information database with Nikita Kislitsin, an employee of a Russian cybersecurity firm. Kislitsin is accused of trying to sell that information for 5,500 euros ($6,200) and was indicted for cybercrime in 2014.
But Nikulin’s lawyer Adam Gasner said his client is merely a hapless fall guy in the U.S. government’s investigation of other cybercriminals.
“The question here is who is Yevgeniy? He could be another Yevgeniy, which in Russian is as common as John or Bob in the United States,” Gasner said, adding that the ChinaBig01 email account “could be used by anyone in the world.”
Gasner also had an explanation for the Russian IP address. “Any time the internet is accessed it is associated with an IP address. The evidence will show the IP address will not tell you who accessed the internet from that router.”
He said video evidence will show that Nikulin met with Ieremenko and Kislitsin in 2012, but the video “does not show discussion of databases, hacks or plans or details of any plan to effectuate intrusion. What it will show is a startup discussing nothing more and nothing less than an internet cafe. That was the connection of this defendant to these other people.”
Gasner said Nikulin never made a cent from the data he supposedly stole, because he never stole it to begin with.
Nikulin’s attorneys had fought to get him declared incompetent to stand trial, a gambit that failed with U.S. District Judge William Alsup.
Though Nikulin has been at times hostile and uncooperative, Alsup ruled in May 2019 that any refusal to participate in his own defense is up to him.
“While all agree that defendant is currently suffering from some form of mental disorder, the record demonstrates that defendant is still able to understand the nature and consequences of these proceedings and assist his attorneys in his own defense,” Alsup wrote.
On Tuesday, a subdued Nikulin appeared in court without shackles, wearing dark slacks and a black sweater over a dark button-down shirt.
The jury is expected to hear testimony through March 27.