Tangled Web of Russia's Cyber Underground Further Exposed in US Hacker
March 9, 2020
In March 2012, a 25-year-old Russian computer whiz named Yevgeny Nikulin
sat with several others in a conference room in a hotel in eastern
Moscow. A video taken by a Ukrainian named Oleksandr Ieremenko showed
them discussing plans for an Internet cafe business and other matters.
In an earlier part of the video, Ieremenko, 19, drives to the hotel to
meet the group, which he calls a "summit of bad [expletives]."
That same month, according to U.S. prosecutors, Nikulin broke into a
social media company engineer's computer a half a world away, in
California — and allegedly stole the usernames and passwords used by
tens of millions of people to access their LinkedIn accounts. Some of
that data was put up for sale on a notorious Russian hacker forum that
These details and other evidence were contained in pretrial motions
prosecutors filed this week ahead of the opening of Nikulin's trial in
U.S. federal court in San Francisco. Jury selection is scheduled to
The case against Nikulin, who was arrested in 2016 in Prague and
extradited to the United States in 2018, is the latest example of a
Russian citizen facing prosecution in the United States for cybercrimes.
It's a trend that has infuriated the Russian Foreign Ministry, which
complains that the United States is "hunting" Russians around the globe.
But the pretrial motions add yet more evidence of the web of
relationships among Russia's cyber underworld, allegedly tying Nikulin,
now 32, to people who have been charged with even bigger, more serious
hacks. That includes a hacker who allegedly worked for Russian
intelligence to steal hundreds of millions of Yahoo user credentials —
possibly used in the 2016 hack of the U.S. Democratic National
Committee, according to cyberexperts.
Nikulin, who was examined by court-ordered psychologists last year amid
concerns about his mental health, has pleaded not guilty to the charges.
Arkady Bukh, one of Nikulin's lawyers, said prosecution lawyers appeared
to be trying to pressure Nikulin to plead guilty ahead of the trial —
particularly, he said, since the conviction rate for such cybercases is
Nikulin, however, has refused his lawyer's counsel to change his plea to
'Zhenya' from Moscow
According to prosecutors' evidence, the video showing Nikulin, Ieremenko
and others was from a hard drive seized by Ukrainian authorities who
raided Ieremenko's home in Kyiv, and the homes of several other alleged
Ukrainian hackers, in November 2012.
An FBI affidavit said photographs found on the hard drive included
photos that said "Zhenya from Moscow" — a diminutive form of the name
The U.S. Secret Service obtained the hard drive as part of an
investigation into hacks of several business newswires, a scheme that
involved selling unreleased corporate information to stock traders who
then made trades based on the nonpublic information.
Ieremenko, now 27, was implicated in that scheme, but he gained wider
notoriety in 2019 when U.S. authorities indicted him and another
Ukrainian in connection with a similar scam that traded on corporate
earnings reports stolen from a database of the U.S. Securities and
Exchange Commission. Ieremenko is believed to be in Russia.
According to the trial motions, Nikulin worked closely with Ieremenko in
2012, sharing hacked passwords and coding tips, using Skype accounts. A
Skype address they tied to Nikulin — dex.007 — was used to send
Ieremenko a link containing the password to one of Nikulin's accounts on
a domain hosting site, along with stolen LinkedIn credentials.
'Reporting on the spot'
The video, one of eight copied from Ieremenko's hard drive, was shot on
March 18 or 19, 2012. In it, the person making the video narrates it,
saying: "In short, we are reporting on the spot. Now, here at this Vega
Izmailovo Hotel, there will be a f****** summit of bad motherf*****s,"
according to the U.S. transcript submitted in the court record.
Nikulin also worked closely with another Russian, Nikita Kislitsin, who
was indicted in the United States in 2014 on conspiracy charges related
to the hack of another, lesser-known social media company called
Formspring. Kislitsin's indictment, which had been under seal since being
filed, was unsealed earlier this week.
U.S. prosecutors say that, three months after the Moscow meeting,
Nikulin himself stole 30 million user credentials from Formspring and
utilized some of those credentials when he hacked into the LinkedIn
According to the court documents, the FBI used "court-ordered electronic
interceptions" — phone and email taps — to track Nikulin in 2012 and
U.S. investigators discovered overlap with another Russian, Aleksei
Belan, under investigation in connection with a separate hack: the theft
of user credentials from the Internet giant Yahoo, beginning in 2013.
Yahoo eventually revealed that all 3 billion of its users had had their
credentials compromised in what is today considered one of the largest
data breaches in the history of the internet.
Prosecutors said the FBI, which had obtained a court-authorized warrant
to search Belan's e-mail and tap his phones, found that Belan, along
with Kislitsin, purchased the Formspring passwords in July 2012.
That same year, Belan was put on the FBI's Ten Most Wanted list for
cyberthieves. The following year, he was arrested in Greece at the
request of U.S. authorities. But he avoided being extradited and escaped
back into Russia, according to U.S. and European authorities.
In 2014, according to previous U.S. documents, Belan was recruited by
Russia's main intelligence and security agency, the Federal Security
Service (FSB) and its cyberunit, known as the Center for Information
Belan, according to the 2016 Yahoo hack indictment, was ordered by the
FSB cyberunit to conduct the breach of Yahoo accounts.
In all, U.S. officials charged four people with the Yahoo breach,
including two FSB officers. Those officers themselves were later
arrested by the FSB itself and charged with state treason, allegedly for
passing classified intelligence to U.S. agencies.
One, Sergei Mikhailov, pleaded not guilty to the Russian charges and was
sentenced last year to 22 years in prison. The other, Dmitry Dokuchaev,
pleaded guilty and agreed to cooperate with investigators. He was handed
a six-year sentence.
In December 2016, in response to the U.S. intelligence community's
conclusion that Russia had tried to meddle in the presidential election
won by Donald Trump that year, the administration of outgoing President
Barack Obama announced sweeping sanctions against Belan and another
Russian, who also allegedly had ties to Russian intelligence, Yevgeny
The interference, according to U.S. intelligence, included the hack of
the U.S. Democratic National Committee and the theft of emails that were
later leaked publicly during the election campaign. U.S. officials and
cyberanalysts have said the FSB was among those responsible for the
hack, and that the stolen Yahoo credentials may have been used to trick
victims into letting hackers steal their emails.
A further illustration of the web of ties among Russia's cyber
underground comes in the case of Kislitsin, who attended the March 2012
meeting in Moscow with Nikulin and Ieremenko.
Kislitsin, according to U.S. prosecutors, allegedly partnered with
Belan to get the Formspring data from Nikulin in July 2012.
The following year, in 2013, Kislitsin met with an official from the
U.S. Justice Department to discuss "research into the [cyber]underground,"
according to Group IB, a prominent Russian cybersecurity and research
Kislitsin was joined in the meeting with the Justice Department official
by representatives from Group IB, according to a Group IB statement
provided to RFE/RL.
Group IB later hired Kislitsin, and he is currently listed as the "head
of network security" for the company.
Asked for comment about the newly unsealed charges, which include
conspiracy and trafficking in stolen user names and passwords, against
Kislitsin, Group IB said that they predated his employment.
"The information that has become public contains only allegations, and
no findings have been made that Nikita Kislitsin has engaged in any
wrongdoing," the company said in the statement to RFE/RL.
The company also said that after the 2013 meeting with the Justice
Department official, "neither Group-IB nor Nikita Kislitsin has been
officially approached with any additional questions."
And there's one other connection involving Kislitsin. He previously
worked as editor in chief for a well-known Russian cybermagazine called
Hacker, where the ex-FSB officer Dokuchaev worked for him, writing under
his nickname, Forb.
'I want to hack the prison'
Nikulin was arrested in Prague in October 2016 after his entrance into
the country a few days earlier triggered a notification among Czech law
He and his lawyers strenuously fought the U.S. request for his
extradition. Ultimately, he was sent to the United States in March 2018,
prompting an angry statement from the Russian Foreign Ministry, which
called it "a conscious, politically motivated step by the Czech side
aimed at undermining the constructive basis of bilateral cooperation."
In U.S. custody, Nikulin was reported by prison authorities as behaving
strangely, prompting a judge to order a psychological examination. He
was later deemed competent to stand trial.
"He is refusing to accept a guilty plea, and this is another example of
his mental condition," Bukh told RFE/RL.
The evidence that will be introduced at the trial also includes other
less significant but revealing material, including a transcript of a
phone conversation Nikulin had with a woman named Anya in November 2018.
In the conversation, Nikulin complained that he had not received food,
books or magazines, as he requested. He also joked with Anya.
"I want to hack the prison," he is quoted as saying. "The rules here are