Attorneys are using the trial of a man who allegedly stole more than 100 million usernames and passwords from U.S. social media companies to hint at the murky, long-rumored relationships between Russian cybercriminals and the Kremlin’s intelligence agencies.
Yevgeniy Nikulin, a 32-year-old St. Petersburg, Russia, native, currently is on trial in San Francisco, accused of hacking into LinkedIn, Formspring and Dropbox in 2012 and obtaining 117 million users credentials. Roughly 30 million of those credentials were taken from Formspring.
Prosecutors say he worked with a number of co-conspirators to gather and attempt to sell that data, including Nikita Kislitsin, who allegedly tried selling stolen Formspring data before he became an executive at Group-IB, and Alexsey Belan, a Latvian man who made the introduction between Nikulin and Kislitsin. In a recent filing, the government reproduced an email conversation in which, prosecutors say, Kislitsin was trying to sell the stolen Formspring data, and wanted Belan to vouch for Nikulin’s trustworthiness.
Belan would have been a qualified broker in the Russian underworld in 2012. He was indicted that year for allegedly stealing databases of information from the retailer Zappos, and in 2017 accused of helping Russian FSB officers access hacked Yahoo accounts for their own intelligence-gathering purposes.
In court documents filed in February, attorneys revealed that Kislitsin told FBI investigators he was aware of Belan’s connections in the Russian security services. During a 2014 meeting in the U.S. Embassy in Moscow, Kislitsin said “he knew Belan conspired with Russian FSB officers to target U.S. citizens to obtain ‘commercial databases with a goal to sell them for financial gain or use them for spamming.’”
During the same meeting, Kislitsin told the FBI he knew “Zhenya,” which prosecutors say was Nikulin’s screen name, lived in Moscow, and owned multiple Maserati cars. Nikulin was the “Putin” of the hacking world, Kislitsin said, according to the prosecution.
Nikulin’s defense attorneys have argued that none of the evidence sufficiently proves he was working in concert with the FSB, though the judge had ruled Kislitsin’s statements were admissible as proof of a conspiracy. The prosecution on Thursday said it did not wish to introduce Kistlitsin’s statements as evidence against Nikulin.
At one point during the 2014 meeting, according to court documents, Kislitsin told the FBI he understood that Belan had helped an FSB captain that “involved targeting specific email accounts and other data” for the purpose of helping the FSB build “profiles on various individuals using ‘compromising information.'”
Kislitsin now works as the head of network security at Group-IB, a cybersecurity vendor with offices in Moscow and Singapore. The company says it supports Kislitsin, and has confirmed that he met with U.S. officials in 2014 to discuss the Nikulin case. Kislitsin was charged in a separate indictment unsealed last week, as CyberScoop reported.
Russian FSB officers provided Belan with “sensitive FSB law enforcement information and intelligence information that would have helped him avoid detection by law enforcement, including information regarding FSB investigations of computer hacking and FSB techniques for identifying criminal hackers, ” according to the Yahoo indictment.
At one point, according to the Yahoo charges, two FSB officers learned that Belan had access to Yahoo’s systems, then sought access to accounts belonging to investigative reporters in Russia, and a researcher who analyzed Russia’s bid for membership in the World Health Organization, among other individuals
The Justice Department has not made any similar allegations in the Nikulin case. However, if Kislitsin’s statements to the FBI during his 2014 meeting are correct, other members of the Russian cybercriminal community also knew of Belan’s connections.
Despite the intrigue, prosecutors began the trial against Nikulin in San Francisco this week by arguing that the defendant was just an “ordinary thief,” saying he stole employees’ credentials and used them to access other information. Nikulin’s defense attorneys argued that since the FSB has been involved in other hacks, it’s possible that others, not Nikulin, actually stole the data he’s charged with taking.
“The overall structure and relationship between the cyber hacker community and Russian government is very well documented,” argued defense attorney Valery Nechay.
The trial is scheduled to resume March 17.
The prosecution’s March 12 filing including details about Kislitsin’s meeting with the FBI is available in full below.