Trial of accused LinkedIn, Dropbox hacker could shine light on international cybercrime rings

A trial set to begin Monday of a Russian man charged with hacking into LinkedIn and Dropbox may open a window on a shadowy international network of hackers — “a criminal clique” — that sought to use cyberattacks to manipulate financial markets as well as breach online platforms.

The trial of Yevgeniy Alexandrovich Nikulin in US District Court in San Francisco will be over charges by federal prosecutors that he hacked into LinkedIn, Dropbox and now-defunct social network Formspring in 2012, stealing the computer credentials of employees with access to the most sensitive areas of their networks.

But as the US Department of Justice lawyers unveiled details of their case against Nikulin for the first time in a trial brief today, prosecutors said Nikulin also was a member of a cabal of Russian and Ukrainian computer criminals who stole advance, insider information to capitalize on the stock of companies such as Caterpillar, Hewlett-Packard, Home Depot and Panera Bread.

Nikulin’s trial will focus on allegations that his sophisticated cyberattacks allowed him to identify employees with deep access to the computer networks of LinkedIn, Dropbox and Formspring, and to worm his way into their accounts to steal passwords and other valuable data from those companies.

But to assign Nikulin’s computer fingerprints to those crimes, the government said it will rely in part on Nikulin’s connection to Oleksandr Ieremenko, 27, a twice-indicted Ukrainian. Ieremenko was charged by the DOJ last year with breaking into the computer system of the US Securities and Exchange Commission, stealing advance copies of non-public, financial information such as quarterly financial reports that publicly traded companies are required to disclose to the SEC. The hackers then sold access to that confidential information before it was available to other investors.

Ieremenko was also part of a group of nine people charged by US prosecutors in 2015 in federal court in New Jersey that allegedly made $30 million in illegal profits by breaking into the computer systems of PR Newswire Association, Business Wire and other news wires to steal company press releases before they became public, and trade in information not yet available to most investors.

The hackers were “a well organized group” who stole more than 150,000 news releases from the news wires’ servers between 2010 and 2015, selling access to more than 800 stolen press releases before their public release, the government said in that 2015 indictment.

While federal prosecutors don’t plan to cite all that background as evidence in Nikulin’s trial, they plan to use evidence from Ieremenko’s computer to tie Nikulin to the LinkedIn, Dropbox and Formspring attacks. US investigators gained access to Ieremenko’s computer after it was seized during a search executed by Ukrainian officials.

“The contents of Ieremenko’s hard drive as a whole show that Ieremenko and Nikulin worked together on (1) the stolen news releases, (2) stolen LinkedIn information, and (3) other uncharged hacking activity,” prosecutors said in the trial brief. “In general, the government views Ieremenko and Nikulin as co-conspirators. In 2012 specifically, they were both part of a small cohort of Ukranian and Russian hackers — a criminal clique — whose members consulted with one another and sometimes shared resources.”

The government plans to use Skype chats, videos and other data it got from Ieremenko’s computer to provide “important context” tying Nikulin to the LinkedIn, Dropbox and Formspring attacks, including the transmission of stolen LinkedIn passwords between Nikulin and Ieremenko, according to the trial brief filed with the court.

For example, prosecutors want to use videos taken from Ieremenko’s computer that they say show Nikulin attending a summit of computer hackers in 2012, prosecutors said in the trial brief. In one video narrated by Ieremenko, he describes the approach to a “summit of bad motherfuckers” at a Moscow hotel, the trial brief says.

“The person making the video says at the outset, ‘In short, we are reporting on the spot. Now, here at this Vega Izmailovo Hotel, there will be a fucking summit of bad motherfuckers,’ ” the trial brief said, referring to one of a series of eight videos taken from Ieremenko’s computer. “The probative value of the video is that it puts three of the alleged co-conspirators in the same room approximately two months before the Formspring hack.”

Nikulin’s is among the relatively rare cases where a man accused of international cybercrimes is arrested and returned to the United States to face trial.

Nikulin was arrested in the Czech Republic in 2016, and extradited to San Francisco, near the headquarters of the breached tech companies, in 2018. His trial was delayed for about a year when his previous legal team unsuccessfully tried to get US District Judge William Alsup to declare him incompetent to stand trial.

Based on witness lists filed by the government, Nikulin will face a battery of agents from the FBI and the United States Secret Service who will testify to his hacking exploits during a three-week trial, as well as current and former employees of LinkedIn, Dropbox and Formspring who will provide other testimony about how Nikulin allegedly breached their systems.

The government said it also plans to call a witness from Automattic, the company that owns Wordpress and Tumblr, to testify about a hack that the government says Nikulin committed in 2013, although he is not charged with that attack as part of this trial.

A LinkedIn spokeswoman said the professional social network has been closely watching the investigation. “We’ve been actively monitoring the FBI's case to pursue those responsible for the 2012 breach of LinkedIn member data," MK Juric. "We appreciate the hard work of the government and prosecutors to resolve this case.”

Dropbox did not reply to a request for comment from MLex today about the impact of the hacking on their companies. Adam Gasner, Nikulin’s lead defense lawyer, did not return a phone call seeking comment today. A spokesman for the US Attorney’s Office in San Francisco, Abraham Simmons, declined to comment on the upcoming trial.

Alsup said at a recent pretrial conference that he expects to select a jury on Monday, with opening statements expected Tuesday.

In the LinkedIn, Dropbox and Formspring attacks, Nikulin is charged with three counts of computer intrusion, two counts of intentional transmission of information, code, or command causing damage to a protected computer; two counts of aggravated identity theft, as well as several other violations of federal law.

To break into LinkedIn, for example, Nikulin hacked into the personal computer of LinkedIn engineer Nicholas Berry, the government says, planting malicious software in the virtual machine running in Berry’s home computer, software that allowed Nikulin to steal the credentials to the Virtual Private Network Berry used to access LinkedIn’s network.

“Berry had access to core LinkedIn data,” the government said in its trial brief. “Once he had access to LinkedIn’s servers, Nikulin could obtain a copy of LinkedIn’s user credential database. Although the  passwords in that database were encrypted, the copy that Nikulin gained access to was not yet ‘salted,’ which was a stronger form of encryption that LinkedIn was in the process of instituting.”

LinkedIn did not detect the intrusion and theft of that sensitive data until it was posted on a Russian hacker forum with a request for help with decryption, the government said in the brief.