A U.S. jury has found an accused Russian hacker guilty on charges that he hacked LinkedIn and Formspring in a pair of 2012 data breaches in which he stole credentials belonging to more than 100 million Americans.
Yevgeniy Nikulin was found guilty after just hours of deliberation, roughly eight years after he first infiltrated the U.S. social media companies in a successful attempt to steal data about American web users. He also was found guilty of trafficking Formspring data, and damaging a computer belonging to a Formspring employee in excess of $5,000.
“Nikulin’s conviction is a direct threat to would-be hackers, wherever they may be,” U.S. Attorney David Anderson said in a statement. “Computer hacking is not just a crime, it is a direct threat to the security and privacy of Americans. American law enforcement will respond to that threat regardless of where it originates.”
Nikulin was charged in 2016 with nine felony counts, including computer intrusion and aggravated identity theft, in connection with data breaches that occurred in 2012 at LinkedIn and Formspring. Nikulin was accused of stealing roughly 117 million usernames and passwords, then trying to sell those credentials to other users on Russian-language forums used primarily for cybercrime.
Unlike more typical computer crime cases, the Nikulin prosecution has spotlighted how an earlier generation of alleged internet scammers hacked American companies, sometimes with direct knowledge of Russian intelligence services, the Justice Department has alleged.
Prosecutors had argued that Nikulin operated as the digital equivalent of a common thief, using hacking tools to steal a database of sensitive information and then trying to sell it to fraudsters. The defense suggested that investigators could not definitively tie Nikulin to an internet alias, search history and other digital forensics that U.S. attorneys introduced as evidence. At one point, defense attorney Adam Gasner said anyone, including Russian intelligence agencies, could have used Nikulin’s email accounts to commit crimes in his name.
Through the trial, Judge William Alsup also questioned the prosecution’s evidence, telling U.S. Attorney Michelle Kane that the material was so dull that she risked boring the jury. The trial was suspended for three months amid the coronavirus pandemic, requiring the replacement of multiple jurors.
Nikulin, now 32, was arrested in 2016 by authorities in the Czech Republic as part of an Federal Bureau of Investigation operation. He was incarcerated there for two years while Czech officials weighed competing extradition requests from the U.S. and Russia, which had alleged that American police were “hunting for Russian citizens” around the globe.
Justice Department prosecutors also have tied Nikulin to a ring of hackers, data brokers and spies who were operating in and around Moscow in 2012. According to the government, Nikulin was in talks with an accused scammer, Nikita Kislitsin, about selling the data he stole from LinkedIn, a relationship brokered by another man who was an asset of the Russian security services. A court filing made public in March identified Nikulin, Kislitin and a number of other accused cybercriminals as being present at a meeting at a Russian hotel, where attendees discussed starting a business.
Nikulin, though, was one of a handful of indicted Russian men actually extradited to the U.S. in recent years amid mounting opposition from the Kremlin.
Upon his arrival in the U.S., Nikulin refused to cooperate with his defense counsel and met with Russian government officials without a lawyer present, according to his former attorney. Nikulin also was placed in solitary confinement for allegedly vandalized his jail cell and physically attacking corrections officers in the Santa Rita jail in California. He ultimately was deemed competent to stand trial after a psychiatric evaluation.
The verdict comes after a mistrial in the unrelated case of Joshua Schulte, a former CIA software engineer accused of leaking classified U.S. hacking tools to WikiLeaks. The prosecution’s failure to convict Schulte on the most serious charges in such a widely watched case had raised questions about whether the government could effectively communicate the often dense technical information to jurors unfamiliar with the matter.
Nikulin’s sentencing is scheduled for September 29.