Videos, statements key to conviction of Russian hacker of LinkedIn, Dropbox

13 Jul 2020 1:58 am by Amy Miller, Mike Swift

judge's gavel

Federal prosecutors lacked ample direct evidence linking a Russian man to the hacks of LinkedIn and Dropbox eight years ago. But the circumstantial evidence against Yevgeniy Nikulin, which included videos of him with known cybercriminals and his own statements that he hacked “websites 24/7,” was strong enough to convince a federal jury in San Francisco that he was guilty.

For three days last week, the prosecution’s key witness, FBI special agent Jeffrey Miller, described in minute detail how he spent years tracing the hacks to an individual in Russia through a trail of IP addresses, online search histories and social media accounts. A jury convicted Nikulin of nine felony counts Friday.

Miller, however, found little direct evidence linking those attacks to Nikulin, a point US District Judge William Alsup — who oversaw the trial — raised repeatedly. His testimony was so technical and detailed that at one point, Alsup questioned whether jurors were following the government’s case.

“This is gobbledygook,” Alsup said. “You need to think of a way to make it come alive.”

At one point during Miller’s testimony, when jurors had left for a break, Alsup told prosecutors they needed more direct evidence against Nikulin, and Assistant US Attorney Michelle Kane assured him more was coming soon.

"That's going to be like a blockbuster," Alsup said. "The room will shake when that finally comes out."

One of the FBI’s strongest pieces of evidence, Miller testified, was the discovery that that an e-mail address connected to the hacks was also connected to a social media account controlled by Nikulin. The account included posts and comments from his girlfriend and brother, both of whom are listed on Nikulin’s contact list while he has been held in federal custody awaiting trial, Miller said.

But under cross-examination, Miller admitted that the FBI never found evidence that Nikulin had ever profited financially from the attacks.

The FBI did, however, find strong circumstantial evidence that Nikulin was involved in criminal activity, including Nikulin’s own words. Nikulin said “I hack websites 24/7,” on a phone call recorded while he was being held in federal custody. That statement was likely influential in the jury’s decision to convict the Russian national, his defense lawyer said today.

The defense believed the recording was “very prejudicial” to Nikulin, defense lawyer Adam Gasner said, and “likely had an impact on the jury’s decision in this case. Often, the worst evidence against my clients comes out of their own mouth.”

Gasner said he and fellow defense lawyer Valery Nechay believed they made clear to jurors the government’s lack of direct evidence implicating Nikulin in the hacks of LinkedIn, Dropbox and now-defunct Formspring. Under US law in a criminal trial, a jury is charged with deciding that the evidence shows guilt beyond a “reasonable doubt” to convict a defendant.

“The defense really did believe we contested the important evidence again Mr. Nikulin in a way that ought to have raised reasonable doubt in any person’s mind,” Gasner told MLex. “However, I think the circumstantial evidence did point to Mr. Nikulin possibly being the culprit, and I think the jury obviously believed there was sufficient circumstantial evidence to support that Mr. Nikulin was guilty.”

A video showing Nikulin driving an expensive Bentley Motors car in a desolate part of Moscow, and zooming in on those less fortunate standing by the side of the road, which the defense tried to keep out of the trial, also didn’t help the defense.

The jury also saw video of Nikulin socializing in a Moscow hotel with known cybercriminals, including Oleksandr Ieremenko, a Ukrainian who was charged with breaking into the US Securities and Exchange Commission’s computer system and stealing non-public financial information to sell before it was available to other investors. Nikita Kislitsin, who had been charged with trafficking in stolen passwords and credentials from Formspring, is also seen in the videos.

Gasner argued it was a recording of a business meeting with young entrepreneurs discussing the possibility of opening an Internet cafe. Prosecutors pointed out that people in the video are also making obscene gestures, something most professionals don’t do in business meetings.

Gasner said he believes the Covid-19 pandemic also played a role in the conviction by pausing the trial for nearly four months after a positive start for the defense.

While the jury was “very diligent” in agreeing to return to Alsup’s courtroom even as viral cases grew in the San Francisco Bay Area, Gasner said the pandemic reduced the ability of the defense to try to build a connection between the jury and the defendant when everyone in the courtroom was separated by clear plexiglass screens, facemasks and by the social distancing of jurors spaced around the courtroom. Those Covid problems could be part of an appeal the defense may file, he said.

Having to resume a trial in July that began in early March was as “mentally and physically exhausting” as running the first 21 miles of a marathon before stopping, and “finishing the last six miles three months later,” Gasner said.

The prosecution also had the benefit of many Americans’ distrust of Russia as a result of years of news about Russian cyber-attacks and disinformation campaigns on social media, he said. A spokesman for the San Francisco US Attorneys’ Office did not reply to a request for comment from MLex.

“When the accused is a Russian national who is being charged with intruding into large American corporations and stealing lots of personal information from regular, everyday citizens, I tend to think the presumption of innocence is given a little less weight than if this is a similar-aged American working out of the basement of their parents’ house,” Gasner said.

“Whether there’s a vestige of the Cold War, or a vestige of the accusation that American intelligence has been making against the Russians for the speculation they might have been involved in hacking the 2016 American elections, it’s hard for me to tell, but the reality is it has to have an impact on people’s ability to judge this case.”

LinkedIn said in a statement today that it was pleased with Friday’s verdict. "We’re appreciative of the outcome and the jury’s time, and the hard work of the government and prosecutors to resolve this case,” LinkedIn said in a written statement.

Jurors contacted by MLex for comment didn't respond immediately.

Related Articles