Yevgeniy Nikulin convicted of 2012 LinkedIn, Dropbox, Formspring hacks
It took a San Francisco jury six hours to decide once they finally got the case that started in March but was interrupted by the pandemic. Yesterday afternoon, they convicted Yevgeniy Nikulin, 32, of hacking LinkedIn, Dropbox, and Formspring in 2012.
Nikulin, who had pleaded not guilty, is scheduled to be sentenced Sept. 29.
The government was represented in this case by Michelle Kane and Katherine Wawrzyniak. Nikulin was represented by Adam Gasner and Valery Nechay.
Nikulin’s attorney has indicated that there will be an appeal. The defense had tried to raise reasonable doubt by questioning why law enforcement had not investigated another individual — an individual that the prosecution claimed was totally unrelated this case. And while the defense counsel tried to convince the jury that this was a weak case based on circumstantial evidence, I wouldn’t be surprised if members of the jury had been convinced on at least one charge by exhibits showing that Nikulin’s account was linked to an IP address that showed up in a victim’s logs on the relevant date as accessing and downloading more than 3 GB of data over a continuous period of 12 hours.
Catalin Cimpanu has a nice summary of the case’s history and issues on ZDNet, while over on CyberScoop, Jeff Stone provides more background on others accused of being associated with Nikulin and more on Nikulin’s mental health.
Here’s the DOJ’s press release on the conviction:
Yevgeniy Nikulin was convicted today by a federal jury for hacking into LinkedIn, DropBox, and the social networking company formerly known as Formspring, announced United States Attorney David L. Anderson and FBI Special Agent in Charge John L. Bennett.
The jury found that Nikulin hacked into computers belonging to LinkedIn, DropBox and Formspring, damaged computers belonging to LinkedIn and Formspring by installing malware on them, stole the usernames and passwords for employees at LinkedIn and Formspring, and sold and conspired with others to sell the data he stole as a result of his hacks.
Evidence at trial showed that Nikulin, 32, of Russia, was located in Moscow when he hacked into a computer belonging to a Bay Area-based LinkedIn employee and installed malicious software on it, allowing Nikulin to control the computer remotely. Nikulin then used that remote computer as a base to steal LinkedIn users’ login information. Evidence at trial showed that Nikulin was behind similar intrusions at DropBox and at Formspring. According to trial testimony, one of the ways that investigators were able to tie Nikulin to all three incidents was by tracing an IP address from one of the hacks back to his location in Moscow. Nikulin was arrested while traveling in the Czech Republic on October 5, 2016, and extradited to the United States to face trial.
The guilty verdict followed 6 days of trial testimony before the Honorable William H. Alsup, U.S. District Court Judge. The trial initially began in March, but proceedings were suspended after just two days in light of the COVID-19 pandemic and ensuing closure of the federal courthouse. When trial resumed on July 7, 2020, the defendant, the attorneys, and Judge Alsup wore masks, and witnesses testified from behind a glass panel to allow for social distancing requirements.
“Today’s guilty verdicts are the result of our first federal jury trial in San Francisco since the beginning of shelter in place. I am immensely grateful to Judge Alsup for getting this case to trial. Trial by jury is one of the defining features of the American justice system. We need jury trials to administer justice,” said U.S. Attorney Anderson. “Nikulin’s conviction is a warning to would-be hackers, wherever they may be. Computer hacking is not just a crime, it is a direct threat to the security and privacy of Americans. American law enforcement will respond to that threat regardless of where it originates.”
Nikulin, 32, of Moscow, Russia, was indicted by a federal grand jury on October 20, 2016. He was charged with multiple counts of computer hacking, fraud, and identity theft.
Nikulin has been in custody since his extradition from the Czech Republic.
Nikulin’s sentencing hearing is scheduled for September 29, 2020, before Judge Alsup in San Francisco. The maximum statutory penalty for each count of selling stolen usernames and passwords in violation of 18 U.S.C. § 1029(a)(2) and for each count of installing malware on protected computers in violation of 18 U.S.C. § 1030(a)(5) is 10 years, along with a fine of up to $250,000, plus restitution if appropriate. The maximum statutory penalty for each count of conspiracy in violation of 18 U.S.C. § 371 and computer hacking in violation of 18 U.S.C. § 1030(a)(2)(C) is five years, along with a fine of up to $250,000, plus restitution if appropriate. There is also a mandatory two year sentence for any conviction of aggravated identity theft, in violation of 18 U.S.C. § 1028A(1). However, any sentence will be imposed by the court after consideration of the U.S. Sentencing Guidelines and the federal statute governing the imposition of a sentence, 18 U.S.C. § 3553.
Michelle Kane and Katherine Wawrzyniak are the Assistant U.S. Attorneys who are prosecuting the case with the assistance of Helen Yee, Jessica Rodriguez Gonzalez, and Kim Richardson. The prosecution is the result of a four-year investigation by the Federal Bureau of Investigation, with the assistance of authorities in the Czech Republic and the U.S. Secret Service and the U.S. Department of Justice’s Criminal Division, Office of International Affairs.