The arrests caught the Russian hackers totally by surprise. One was at a Finnish border crossing. Another was arriving at an airport in Spain. A third was dining at a restaurant in Prague. Still others were at luxury resorts in the Maldives and Thailand.
Many have now turned up in U.S. courts. The long arm of U.S. law enforcement is spanning the globe like never before to bring criminal hackers to justice.
And it may not be just about crime. The Justice Department cites fuzzy and overlapping boundaries between criminal hackers and Russian intelligence agencies, the same ones the U.S. accuses of coordinating the hacking and subsequent disclosure of emails from the Democratic National Committee and the Hillary Clinton presidential campaign.
President Donald Trump dismisses allegations that Russia meddled in the election as “fake news,” but the FBI and congressional committees have launched probes and the Obama administration ordered the expulsion of 35 Russian diplomats in late December.
The U.S. campaign leaves Russian hackers with a dilemma: If they leave the safe confines of Russia, which has no extradition treaty with the United States, or Russia’s most ardent allies, they may get picked up and sent to the U.S.
“They no longer travel, the high-profile hackers. They understand the danger,” said Arkady Bukh, a criminal defense lawyer in New York City who has defended numerous accused Russian cybercriminals.
Still, some Russian and Eastern European hackers do enjoy holidays abroad – and live to regret it. Just this week, Maxim Senakh, a 41-year-old Russian, pleaded guilty in a Minneapolis courtroom to operating a massive robotic network that generated tens of millions of spam emails a day in a zombie criminal enterprise that purportedly brought in millions in profits.
Senakh didn’t come voluntarily. He’d been visiting a sister in Finland before that country put him on a U.S.-bound plane in January, answering a U.S. extradition request.
“He fought it, the Russian government fought it, and the Russian government put political pressure on its neighbor, Finland,” federal prosecutor Kevin S. Ueland said at a Feb. 19 hearing.
Another Russian, Mark Vartanyan, 29, pleaded guilty March 20 to computer fraud in an Atlanta courtroom after reaching a deal with prosecutors to offer far-reaching cooperation that would limit a prison term to five years or less.
Norway extradited Vartanyan to the U.S. in December.
David Hickton, a former U.S. attorney in Pittsburgh who made the city a hub for prosecutions of foreign hackers, said such actions are a sign of the new dimensions of crime.
“This is 21st century burglary. It’s no different than if someone pulled a truck up to your house and stole valuable material,” said Hickton, who now directs the Institute for Cyber Law, Policy and Security at the University of Pittsburgh.
But Hickton acknowledged that carrying off successful prosecutions is a challenge.
“These cyber investigations are very, very hard. You’re talking about evaporating evidence, borderless crimes and defendants who can hide behind the borders of countries that don’t have extradition treaties with us,” he said.
It is not easy to pigeonhole the accused and convicted hackers. Some are brainy but merely cogs in larger crime groups. Others flash their wealth and opulent lifestyles.
“Not all of them are rich,” Bukh said. “A lot of them are involved in computer intrusion and that does not bring much money.”
Bukh recalled one client, Aleksandr Panin, who was placed by authorities on a plane in the Dominican Republic in 2013 bound for Atlanta, put on trial and convicted.
“The guy couldn’t afford a car even with (having caused) a billion dollars in losses. He’s like a mad scientist geek,” Bukh said.
Then there are those on the opposite extreme, who pose for photos with piles of cash or at luxury beach resorts. One of them, Roman Seleznev, was convicted last year in Seattle on 38 counts related to cybercrime. His father is a deputy in the Russian parliament, or Duma. Prosecutors retrieved a photo from his cell phone of him standing next to a yellow Dodge Challenger muscle car in Red Square near the Kremlin.
The magnitude of damages that prosecutors have alleged can be mind-boggling.
Vartanyan, the young Russian hacker brought to Atlanta from Norway, was part of the development team that created Citadel, a “universal spyware system” sold on underground Russian criminal hacker forums that ended up lodged on 11 million infected computers around the world.
In their complaint against him, prosecutors cited industry estimates that Citadel caused “over $500 million in losses” in a three-year period.
The investigations can be incredibly complex, leading federal investigators to call in specialized cybersecurity firms to conduct forensics. In the probe of Senakh, whose guilty plea came last month, the feds turned to ESET, a cybersecurity firm with 18 offices around the world.
ESET analyzed the malicious code Senakh used, dubbed Ebury malware, and found that it had compromised 25,000 servers around the world, researcher Marc-Etienne Leveille said in an email.
Stanislav Lisov, a computer programmer from Taganrog, a town on Russia’s Black Sea coast, had arrived at Barcelona’s international airport with his wife on Jan. 13 when Spanish Civil Guard police arrested him on an FBI warrant issued through Interpol. The charges: electronic and computer fraud.
“We were detained at the airport in Barcelona, when we came to return a rented car before flying out to Lyon, to continue our trip and visit friends. When we were getting out of the car, two police officers approached, showed us the badge, and said they were detaining my husband,” Darya Lisova told the Russian state-operated RT network.
Spain has not yet extradited Lisov, who is blamed for being the architect of a sophisticated Trojan, NeverQuest, used in stealing log-in credentials for bank accounts.
Here is a rundown of some other recent cases:
▪ Yevgeniy Nikulin, 29, was arrested by police while dining with his girlfriend in a hotel restaurant in Prague’s Old Town Oct. 5. He has been indicted by a federal grand jury in northern California on charges of computer intrusion, identity theft and other crimes for penetrating the systems of high-tech companies LinkedIn, Dropbox and Formspring. Since then, Washington and Moscow have been in a tug-of-war over Nikulin’s extradition.
▪ Olga Komova, a 26-year-old Uzbek, and Dmitry Ukrainsky, a Russian, were arrested in mid-2016 at beach resorts in Thailand and accused of stealing more than $28 million as part of a mega cyber bank fraud ring. Komova has turned up in U.S. custody and faces federal charges of wire fraud and money laundering. How she was brought to the United States is unclear. Her U.S. lawyer, Michael Soroka, declined to discuss the case.
When extradition isn’t an option, U.S. authorities lure alleged hackers to jurisdictions where they can be arrested. Such tactics have been decried by Moscow as “kidnapping.”
Seleznev, the identity thief who is the son of the Duma deputy, chose to vacation at a five-star resort in the Indian Ocean archipelago nation of the Maldives in 2014 precisely because it has no extradition treaty with the United States.
U.S. officials got word and persuaded Maldives authorities to intercept Seleznev at the airport, where in a fast-paced operation he was bundled on a private plane to Guam, a U.S. territory in the western Pacific, then flown to Seattle to face federal charges.
Upon his conviction last August, prosecutors said Seleznev had stolen millions of credit card numbers, causing 3,700 banks $169 million in losses. He faces a 40-year jail term.
No matter where the hackers travel, prosecutors say they will follow.
The U.S. attorney in Atlanta, John Horn, who has also made a name for himself in prosecuting Russian hackers, offered an unapologetic defense last year of the global reach of U.S. justice.
“Cybercrime is borderless, but increasingly, so too are our law enforcement capabilities,” Horn said.