Yevgeniy Aleksandrovich Nikulin was found guilty of nine felony counts of computer intrusion, aggravated identity theft, causing damage to a protected computer, trafficking in unauthorized access devices, and conspiracy. The Russian hacker was sentenced to over seven years in prison by a federal jury on September 29th. Nikulin hacked into LinkedIn, Dropbox, and Formspring over eight years ago. Using malware, he remotely downloaded user databases of over 117 million LinkedIn users and more than 68 million Dropbox users. Nikulin was arrested in Prague on October 5, 2016, by Czech law enforcement based on an Interpol red notice and working in collaboration with the FBI. He was extradited to the United States in March 2018 after a long extradition battle between the U.S. and Russia. During the trial, US officials revealed that they had interviewed Nikita Kislitsin, one of Nikulin’s hacking colleagues in Moscow. Kislitsin told US officials that Nikulin’s hacking skills were well known, and described him as the “Putin of the hacking world.” Kislitsin was also indicted by a US court, and later went on to work for the prominent Moscow-based cybersecurity company Group-IB.
Nikulin targeted an employee at LinkedIn and was able to install a Remote Access Trojan (RAT) on the employee’s workstation to gain access to the corporate Virtual Private Network (VPN). Once he had access to LinkedIn’s corporate systems, Nikulin stole a database containing LinkedIn user information, including encrypted passwords. Password theft is an extremely common tactic of threat actors because stolen passwords can be used to take over many accounts, including accounts for unrelated services such as email, banking, or social media if people use the same or similar passwords for more than one account. Using a password manager to maintain unique and complex passwords that cannot be guessed for every account. Enabling Multi-Factor Authentication (MFA) is an even more important control to keep attackers from taking over accounts using stolen or guessed passwords. The Computer Fraud and Abuse Act (CFAA) was enacted in 1986 by congress to combat various forms of computer crime. It is codified by 18 U.S. Code § 1030. The CFAA has been amended several times since 1986 to cover a broad range of conduct. The CFAA prohibits intentionally accessing a computer without authorization. The CFAA carries harsh penalties that can include up to a 20-year sentence depending on the offense. Even when threat actors are located overseas, US law enforcement can pursue justice through international cooperation with organizations such as Interpol coordinating legal action between cooperating countries. For justice outcomes to be possible, companies that are targeted by cybercriminals must be willing to share relevant evidence information with law enforcement authorities.