The Russian hacker accused of raiding LinkedIn, Dropbox and Formspring, and obtaining data on 213 million user accounts, has been found guilty.
On Friday, Yevgeniy Nikulin was convicted [PDF] by a San Francisco jury of committing computer intrusion, data theft, and other charges [PDF] relating to the databases he broke into and siphoned off in 2012.
The jury reckoned Nikulin probably swiped the LinkedIn account details, all 117 million of them, for commercial gain, though they didn’t think greed played a role in his theft of 28 million account records from Formspring and 68 million from Dropbox. The Linkedin info was put up for sale, and leaked online along with the Dropbox data and at least a portion of the Formspring haul. The data contained usernames, email addresses, and hashed passwords.
The prosecution outlined how Nikulin had stolen the login credentials of employees at a bunch of US tech firms, and then used them to access back-end systems before downloading vast amounts of personal data that he later sold. Much of the case rested on persuading the jury that various pseudonyms used by the hacker were, in fact, Nikulin.
Despite the unanimous jury decision, it was far from certain Nikulin would be found guilty, with district judge William Alsup repeatedly criticizing the prosecution’s case, at one point calling it “gobbledygook,” and the next day “mumbo jumbo,” as prosecutors tried to connect Nikulin to a wider hacking conspiracy.
Nikulin’s defense team argued the only solid evidence connecting him to the hacker was a document provided by the Russian government whose reliability it questioned, arguing that Nikulin had been set up by the Russians, who were feeding misinformation. Nikulin himself may have been hacked, his lawyer argued.
The FBI in response said that it had tracked Nikulin down to his Moscow apartment by following the hacker’s IP addresses and then confirmed it was him by observing his communications with others. As one example, an FBI agent testified that the hacker, using the alias “dex.007”, had told another hacker that he was going to buy himself a $25,000 watch for his 25th birthday. Nikulin turned 25 the day afterwards, said the agent.
Flash the cash… then dash
It was Nikulin’s ostentatious taste that finally led to his downfall. He was a wanted man, and Interpol, at the request of the US, had issued a Red Notice for his arrest. He attracted the attention of the Czech police when he visited Prague in 2016 with his girlfriend, driving around in a flashy car and spending liberally. The cops nabbed him in a restaurant.
Despite having been arrested four years ago, the trial has been dogged by delays; first by Russian authorities who tried to prevent him being extradited to America, and then following a lengthy dispute over whether he was mentally fit to stand trial.
When the trial finally began, it was almost immediately put on hold due to the coronavirus outbreak and was nearly abandoned after jury members made it plain they were uncomfortable spending the whole day in a confined space.