Trial of Accused Russian Hacker Resumes After 4-Month Covid Delay

SAN FRANCISCO (CN) — After a nearly four-month hiatus, the criminal trial of accused hacker Yevgeniy Nikulin resumed Monday in federal court in San Francisco, marking the first time the Northern District has seen an in-person jury since it halted operations and suspended trials due to the coronavirus pandemic.

“It’s a much different scene than when we broke in March,” U.S. District Judge William Alsup, who is overseeing the case, said from a courtroom outfitted with glass shields and new measures to keep jurors and witnesses six feet apart. He is hosting the trial over Zoom, though the public can also watch the proceedings at the courthouse.

In light of the unprecedented circumstances, both sides agreed to carry on with as few as six out of the original 16 jurors.

Alsup began Monday’s proceedings by polling the remaining jurors on their willingness to continue serving. The trial started March 10, but was cut short after just two days of testimony.

He added that over the weekend, one juror had notified the court that her husband’s co-worker had tested positive for Covid-19, the respiratory disease caused by the coronavirus. She said she had likely been exposed as well, though could not be tested until Tuesday. Alsup said he had advised the juror to stay home. 

“Our first order of business is to see if we can even get six to serve,” he said. “Raise your hand if you’re willing to serve and try to complete this case.”

Eleven hands went up, by Alsup’s count. He questioned the four jurors separately about their concerns. One lives with a relative dying of brain cancer and is his primary caregiver. She said he took a turn for the worse since March. Another juror, aged 70, said he has emphysema. A third is a type-1 diabetic. The fourth juror said she has a vacation planned the following week. Alsup excused the first three, but kept the fourth, as the jury is expected to get the case with time for a verdict by Friday.

Nikulin, a Russian national, has been in prison awaiting trial for four years on charges related to cyberattacks on LinkedIn, Dropbox and the now-defunct social networking site Formspring in 2012. Nikulin is accused of breaching company databases and stealing more than 100 million user passwords. He was arrested in the Czech Republic in 2016 and extradited to the U.S. in 2018 to face nine criminal counts of computer intrusion, causing damage to a protected computer, aggravated identity theft, trafficking, and conspiracy.

Alsup has held a series of conferences with attorneys in the intervening months to determine whether the trial could go forward at all. Though he agreed to postpone the trial multiple times due to shelter-in-place orders imposed by the city and county of San Francisco, Alsup told prosecutors and Nikulin’s defense attorneys repeatedly that he is troubled by how long Nikulin has been in jail.

In June, Alsup ordered the trial to resume on July 6, saying Nikulin had waited long enough. He also wondered whether prosecutors were stalling so that Alsup would declare a mistrial.

“What if our defendant lost four years of his life over a case the government can’t prove? I don’t like someone to be in pretrial detention this long,” he said.

On Monday, he gave both sides 15 minutes to recap their opening statements for the jury. 

Afterward, prosecutors called Ganesh Krishnan, a former LinkedIn employee at the time of the breach. Nikulin is accused of accessing LinkedIn’s internal database by hacking into a computer owned by LinkedIn employee Nick Berry and obtaining access to the company’s virtual private network, which employees use to connect from home to LinkedIn’s corporate system.

Krishnan, who was part of the company’s internal investigation team, confirmed Berry’s VPN logs contained suspicious logins from IP addresses in Russia, although Berry had been in the San Francisco Bay Area the entire time.

The same kind of intrusion happened to file-sharing company Dropbox that same year, and lists of user passwords showed up on internet forums. Like LinkedIn, Dropbox kept logs and was able to trace the origin of the attack to a Russian IP address belonging to the email account chinabig01@gmail.com.

The FBI also found another email account tied to an IP address used in the LinkedIn attack that was registered under r00talka@mail.ru, which was controlled by the same person as the one who controlled chinabig01.

They tracked one of the users of the Russian IP address to Kantemirovskaya Street in Moscow.

Nikulin also allegedly infiltrated a Dropbox engineer’s work account, as well as the work credentials of a former employee of the now-shuttered Q&A site Formspring, to make off with millions of user passwords that later showed up on internet hacker forums.

The government’s indictment says Nikulin conspired with a network of other hackers to sell stolen login credentials, including a Ukrainian national named Oleksandr Ieremenko.

It claims U.S. Secret Service agents gathered from Ieremenko’s hard drive a trove of evidence showing he and Nikulin worked together as part of a clique of internet malefactors.

Ieremenko was indicted in New Jersey for a different hack, but remains at large.

The government touched on some of that hard drive evidence during direct examination Monday of Special Agent Richard LaTulip of the United States Secret Service, who traveled to Kyiv, Ukraine to help execute a search warrant on Ieremenko’s apartment. 

LaTulip verified that a bit-for-bit image of a computer hard drive recovered from the apartment was given to the FBI. The government believes photos and videos on that drive will show that Ieremenko and Nikulin worked together.

The government also called Special Agent Anton Mlaker, who reviewed a video of a March 2012 meeting of young Russian hackers at a hotel conference room in Moscow. A portion of that video was also played for the jury, showing a group of about six young men discussing opening an Internet cafe. Mlaker could not identify Nikulin, who was shown in the video, but he pointed out Nikita Kislitsin, another Russian indicted for the Formspring hack.

Prosecutors believe Kislitsin brokered the sale of the stolen Formspring passwords to Mehment Sozen, aka “Rais,” through another hacker named Alexsey Belan, who they say put Kislitsin in touch with Nikulin. 

Mlaker interviewed Kislitsin in Moscow in 2014, where Kislitsin described Nikulin as the “Putin” of the hacking world.

Kislitsin also said in that interview that Belan was working on behalf of the Russian Federal Security Service (FSB) — the successor agency to the KGB — to hack into American commercial databases for financial gain, and that Belan was responsible for hacking online clothier Zappos and the note-taking app Evernote.

Nikulin’s defense attorney Valery Nechay told Alsup that she wanted to question the FBI on this.

“What I wish to ask some of these agents is whether they had learned that one of the co-conspirators was working with the FSB,” she told Alsup outside the presence of the jury. “My purpose in asking that is two-fold. I want to explore what the agent did with that information. Did they attempt to verify that information? What steps did they take?”

She added that she also wants to explore “whether the other co-conspirators worked with the Russian government in some way to implicate our client.”

The government urged Alsup to exclude that part of the interview as hearsay, saying the FBI would not be testifying about investigations of other co-conspirators.

“Right now I’m excluding this evidence. It’s hearsay, hearsay, hearsay all day long,” Alsup said, adding that his ruling is tentative. “I may change my mind if the government opens the door,” he said.

Testimony continues Tuesday. 
