The U.S. Department of Justice on Monday unsealed a 2014 indictment alleging that a current cybersecurity executive was involved a conspiracy to sell usernames and passwords belonging to American customers of the social media company Formspring in 2012.
The man identified in the indictment, Nikita Kislitsin, allegedly received data stolen from Formspring, then tried to sell that information to others. Kislitsin currently works as head of network security at Group-IB, a cybersecurity vendor with offices in Moscow and Singapore. He joined the company in January 2013, roughly six months after prosecutors say a hacker provided Kislitsin with credentials from Formspring to sell.
U.S. prosecutors have not alleged any wrongdoing by Group-IB.
In a statement to CyberScoop, the company said Kistlitsin still is an employee, and that Group-IB considers the accusations as “only allegations,” arguing that “no findings have been made that Nikita Kislitsin has engaged in any wrongdoing.”
At one point in 2013, Group-IB representatives and Kislitsin himself met with members of the Justice Department to discuss Kislitsin’s “research” into the “underground,” which he conducted before joining the company, a Group-IB spokesperson said in a statement to CyberScoop. Prior to joining the company, he worked as a researcher and as the editor of a magazine called “Hacker,” and he never concealed his prior activity during the hiring process, according to Group-IB. He also worked as an independent threat researcher in the U.S. in 2012.
The company intends to “support” Kislitsin, and now is consulting with international lawyers to discuss next steps. The firm maintains that it is dedicated to working with global law enforcement agencies to stop cybercriminal activity.
“We are aware that the decision we have taken may carry reputational risks for Group-IB and treat this fact with the utmost seriousness,” the statement continued.
Ties to @Udalite
U.S. prosecutors say Nikita Kislitsin used the aliases “Dor Fyo” and “Udalite.”
Clues in the indictment pointed to a connection between Kislitsin, Udalite, and Group-IB. A Twitter account with the handle @Udalite uses a profile picture that appears strikingly similar to Kislitsin’s professional picture on Group-IB’s website. The same page lists the account owner’s name as “Nikita K.,” though it does not appear to have sent any tweets since 2012, two years before the indictment.
A Group-IB press release from 2013 describes Kislitsin as the head of organizational and strategic development with a focus on a botnet-monitoring service.
An agenda for a DEF CON Moscow event in 2015 lists Kislitsin as a presenter who spoke about targeted attacks in the financial sector. The hyperlink highlighting Kislitsin’s name points back to the @Udalite Twitter page. Group-IB’s Kislitsin appears in a number of YouTube videos filmed at Russian cybersecurity conferences, mostly in the Moscow area, and posted in 2013, 2014 and 2015.
The Nikulin case
The indictment is short on details. It describes a conspiracy involving Kislitsin and a conspirator who allegedly breached Formspring in June 2012, then stole the company’s “user information database,” including encrypted passwords. Kislitsin then tried to sell that information to another co-conspirator for €5,500, according to the charges.
But this case is related to charges against Yevgeniy Nikulin, a Russian man set to stand trial in San Francisco for allegedly stealing roughly 117 million usernames and passwords from Formspring, LinkedIn and Dropbox. Nikulin is unnamed in the unsealed indictment, though Kislitsin was identified by prosecutors in the Nikulin case. That trial is scheduled to begin March 9.
A court filing made public Tuesday identifies Nikulin, Kislitsin and two alleged cybercriminals, Oleg Tolstikh and Oleksandr Ieremenko, as being present during a 2012 meeting at a Moscow hotel, where participants allegedly discussed starting an internet café business. The filing represents another indication that alleged members of the Russian criminal underground share resources before, during and after high-profile cybercrimes.
Group-IB is a private security company founded in 2003 by Illya Sachkov, a Russian technology entrepreneur. The company has assisted in cybercrime-related investigations by Europol, and regularly publishes research about payment fraud techniques and other cyber threat intelligence.
Neither Group-IB nor Kistlitsin have received “any official subpoenas, notifications or invitations to the upcoming trial” of Yevgeniy Nikulin, the company said in a statement. Group-IB did not say whether Kistlitsin had received any notification from the U.S. Department of Justice regarding his own case. Kislistin, himself, did not respond to messages seeking comment.
There are no reports of Kislitsin being held by authorities from the U.S. or any other country.
When U.S. prosecutors unseal high-profile indictments against foreign suspects before they are arrested, it can be an implicit acknowledgement that individual is not likely to be apprehended and extradited to U.S. court soon. John Demers, assistant attorney general for national security, said last week that, if prosecutors believe an arrest is likely to occur “within a reasonable timeframe,” the government will keep charges sealed.
“In other cases … the value of unsealing the indictment and telling people who stole the data outweighs the slim chance we might be able to catch them,” he said.
You can read the full Kislitsin indictment below.
Update, 3/5/20: This story was updated after publication to include a statement from Group-IB.