Hackers accused of carrying out separate attacks on social network LinkedIn and public relations firms for financial gain worked together as part of a “a criminal clique” in which scammers from Ukraine and Russia pooled their resources, according to the U.S. Justice Department.
Yevgeniy Nikulin, a Russian man who allegedly stole 117 million usernames and passwords from LinkedIn, Dropbox and Formspring in 2012, was in regular contact with Oleksandr Ieremenko, a Ukrainian national charged in New Jersey for allegedly hacking the U.S. Securities and Exchange Commission, prosecutors say in a new court filing.
Nikulin is set to stand trial in San Francisco for allegedly stealing credentials from LinkedIn and Formspring, then trying to sell that database on a Russian-language internet forum. Ieremenko was previously charged, along with six other individuals, in connection with a scheme to steal nonpublic information from the SEC and PR firms for the purpose of illegal trading. Both cases have made headlines, though the alleged link between the two only was revealed in a pre-trial document filed Tuesday by prosecutors in the Nikulin case.
The filing is yet another indication that the Russian criminal underground has a distinct level of organization among those accused of carrying out high-profile hacking crimes.
U.S. attorneys preparing to argue the case in San Francisco detailed how the Secret Service in 2012 obtained a copy of the documents on a hard drive belonging to Ieremenko, only to find more evidence in the Nikulin case. Nikulin has pleaded not guilty to all the charges against him.
“The contents of Ieremenko’s hard drive as a whole show that Ieremenko and Nikulin worked together on (1) the stolen news release, (2) stolen LinkedIn information, and (3) other uncharged hacking activity,” the filing states. “In general, the government views Ieremenko and Nikulin as co-conspirators. In 2012 specifically, they were both part of a small cohort of Ukrainian and Russian hackers — a criminal clique — whose members consulted with one another and sometimes shared resources.”
Ieremenko has not been publicly charged in connection with stealing credentials from LinkedIn or Formspring. He is not publicly known to be in U.S. custody.
Prosecutors go on to describe how a Skype address they tied to Nikulin, dex.007, in 2012 sent Ieremenko a link containing the password to one of Nikulin’s accounts on a domain hosting site, and unencrypted LinkedIn usernames and passwords apparently stolen from the site.
Investigators also say they found a series of videos filmed in March 2012 in Moscow during a meeting that was attended by the alleged conspirators. In one video that prosecutors intend to introduce at trial, Ieremenko apparently narrates himself driving to a hotel, where a meeting of “bad motherf—ers” is scheduled. Later, he describes another car as being driven by an “angry hacker,” and in a second video shows Nikulin and two other men discussing plans to form an internet café business.
U.S. officials and private security researchers long have asserted that alleged cybercriminals operate in organized crime networks, though evidence proving such arguments typically is elusive. The alleged teamwork here is similar to the Methbot/3ve case, where a network of fraudsters shared tips on how to artificially boost web traffic and avoid detection while collecting nearly $30 million in an advertising fraud scheme.
Prosecutors in the Nikulin case also said Tuesday they intend to introduce victim intrusion logs, showing how external IP addresses extracted sensitive information from the U.S. technology companies, and other records seized from Ieremenko’s computer obtained via Mutual Legal Assistance treaty with Ukrainian officials.
The latest court filing is available in full below.