One of the most-watched cybercrime cases in recent memory has come to a close.
A U.S. judge on Tuesday sentenced Yevgeniy Nikulin to 88 months in prison, or more than seven years, capping an international legal drama that’s involved three countries over a span of eight years. Prosecutors had requested nearly 12 years in prison.
A jury in California found Nikulin, now 33, guilty in July of hacking LinkedIn and Formspring in a pair of 2012 data breaches in which he stole credentials belonging to 117 million Americans. He was charged in 2016 with felony counts including computer intrusion and aggravated identity theft for stealing Americans’ usernames and passwords, then trying to sell them to other members of a Russian-speaking cybercriminal forum.
“This is a hard one because when he returns [to Russia] I think he will return to being a hacker again,” Judge William Alsup said during the sentencing hearing. “But we can’t just lock him up and throw away the key.”
Nikulin has been in jail for nearly 48 months, his attorney said.
During the hearing, Nikulin’s defense had argued that the government’s proposed sentencing was based on loss figures from LinkedIn and other hacking victims that were not based in reality. Of the more than 100 million people whose information Nikulin accessed, defense attorney Adam Gasner argued, none had come forward to say the identity theft cost them money. The reported millions of dollars in losses also were overstated, Gasner said.
“These are corporate victims to whom no actual losses has been evidenced,” he said Tuesday.
Through the trial, which was interrupted for weeks due to the coronavirus pandemic, prosecutors had described Nikulin as a digital version of a common thief who simply stole vast troves of data in an unsophisticated attempt to monetize it. Defense attorneys, meanwhile, had suggested a different perpetrator, perhaps a state-sponsored hacker, was behind the crime. It took jurors a matter of hours to convict Nikulin.
Judge Alsup of the Northern District of California repeatedly sought to accelerate the trial, reminding government prosecutors that Nikulin had been incarcerated for years by the time the trial began earlier this year in San Francisco. Alsup also denied a motion for re-trial during the hearing Tuesday.
Since his conviction in July, Nikulin has repeatedly written letters to the judge, asking Alsup to order correctional officers to allow him to use hand-held video game devices. An attorney for Nikulin’s family also has been preparing to appeal the verdict for months.
The case spotlighted how accused scammers sometimes carried out their work with the direct knowledge of Russian intelligence services. Earlier this year, the U.S. Department of Justice unsealed court documents accusing other Russian men of being involved in Nikulin’s scheme to traffic in stolen user credentials.
One suspect, Nikita Kislitsin, was charged with trying to sell roughly 30 million usernames and passwords taken in the Formspring breach. U.S. prosecutors have alleged that a third man, Alexsey Belan, engineered the introduction between Kislitsin and Nikulin in an apparent attempt to facilitate the sale of the stolen data.
Belan, a Latvian, ranks among the FBI’s most wanted accused cybercriminals, and allegedly has operated as an asset for Russia’s FSB intelligence service. As of March 2020, Kislitsin, who remains in Russia, was employed by the security firm Group-IB, which has offices in Singapore and Moscow. The company previously told CyberScoop it would continue to “support” Kislitsin after the charges were made public.
Law enforcement authorities in the Czech Republic initially arrested Nikulin in 2016, then extradited him to the U.S. after the Russian government filed its own extradition request. The case was among a number of criminal indictments from the time charging various Russian men with a range of cybercrimes, an uptick in U.S. enforcement that led one Russian lawmaker to complain that American police were “hunting for Russian citizens” around the globe.