news

America's hunt for Russian hackers How FBI agents tracked down four of the world's biggest cyber-criminals and brought them to trial in the U.S.

Meduza
11:11, 19 september 2017

Russian hacker Dmitry (“Brave”) Smilyanets, July 12, 2011

Moscow Five / YouTube

Since the beginning of the decade, U.S. intelligence agencies have arrested at least a dozen Russian hackers in cities across the world. Some of them are already behind bars, serving out prison sentences, and others are still waiting for their verdicts. One of these hackers has already gone free and returned to Russia. In Moscow, the Foreign Ministry calls these arrests “abductions.” Around the world, Russian hackers are regularly accused of “the biggest hacks in history,” and blamed for inflicting hundreds of millions of dollars in damages. Additionally, most of these criminals have ties to state officials and law enforcement in Russia. Meduza special correspondent Daniil Turovsky looks at four Russian hackers who ended up in the crosshairs of U.S. federal police.

Roman Seleznev

As pedestrians weaved between cars, kiosks, and street cafes, it was crowded as usual on the morning of April 28, 2011, in Jamaa el Fna Square, in Marrakesh, Morocco. Among the throng was Roman Seleznev, a rough looking man who likes to keep a three-day stubble. Just a few minutes earlier, a hotel restaurant had turned Seleznev away after demanding that he wear a coat he didn’t have. So Seleznev and his wife set out for a nearby cafe, where a waiter would tell them that he could seat them in half an hour. The couple agreed to wait, and the waiter mysteriously told them, “That’s a bad idea.“ When he brought Seleznev a glass of orange juice, an explosion suddenly rocked the cafe.

A few moments later, Seleznev briefly regained consciousness. White smoke was pouring from the cafe, and a large part of the building had been destroyed. Bloodied bodies lay all around him. Officials later learned that terrorists had packed two briefcases with explosives and planted them in the cafe, triggering them with a mobile phone. Seventeen people died in the blast. The Moroccan government would blame Al-Qaeda for the attack, though the organization has refused to claim responsibility for the bombing.

Seleznev survived, but he fell into a coma. Doctors told his wife (who escaped almost unharmed) and his father (who flew to Marrakesh) that he most likely wouldn’t pull through, and that he’d be a “vegetable for life,” if he did make it. Seleznev’s father — Valery Seleznev, a State Duma deputy from Russia’s Liberal Democratic Party — arranged to have his son transferred back to Moscow, where a priest was summoned to his hospital bed to baptize him while he was unconscious. During his coma, Seleznev received a letter from Mohammed VI, the king of Morocco. It said, “The people of Morocco were deeply shocked and saddened to learn that you were injured.”

About two weeks later, Seleznev woke up. It would be another year, after numerous operations to replace part of his skull with a titanium plate, before he made a full recovery. He then divorced his wife, who moved to the United States.

That’s how Seleznev remembers the terrorist attack today, more than six years later. It’s a remarkable story, but it’s far from the most astounding thing that’s happened in his life.

nCux from Vladivostok

Seleznev was born in Vladivostok in 1984. His parents divorced when he was two. At first, he and his mother lived in a 100-square-foot room, and then she bought an apartment from her brother. Seleznev’s mother worked as a cashier at a local store and often drank. Most of the time, Seleznev was on his own, and it was on his own that he started learning how to program. At the age of 16, he enrolled in college, where he studied mathematics and computer science. One day in 2000, he returned home and found his mother drowned in the bathtub. That same day, her brother came to the apartment, collected all their valuables, and ordered Seleznev to clear out. Still a teenager, he moved in with his grandmother and found work providing computer assistance, where he was paid $5 for a day’s work.

Roman Seleznev with his girlfriend, Anna Otisko, and her daughter, July 11, 2014.
AFP / Scanpix / LETA

The criminal case documents against Seleznev state that his interest in programming led to his first hacker attacks when he was 18. He carried out these attacks under the name “nCux” (“psikh,” or “psycho,” if you read the Latin characters as Cyrillic letters). Seleznev registered on underground forums populated by “carders” — people who earn money from stealing bank cards (for example, carderplanet.com and carder.org). At first, he hacked databases in order to steal documents (names, birthdates, passport numbers, and social security numbers). Within a couple of years, he started stealing credit card numbers and selling databases to other carders.

Seleznev targeted small businesses in the U.S., hacking the processing systems they used to manage their financial transactions. Using vulnerabilities, he infected these systems and copied all the credit card transactions, collecting this information on servers he owned. By 2009, Seleznev had become one of the most successful sellers of stolen credit card information in the world.

Most of the time, Seleznev targeted small convenience stores in Washington, D.C., and other U.S. cities. In the case materials against him, prosecutors also cite a handful of pizzerias, burrito shops, and bakeries. In total, he hit about 3,700 businesses over the years. Seleznev singled out small businesses because of their poor security: these enterprises didn’t have their own cyber-security departments, and they usually used bad passwords.

U.S. federal agents started tracking Seleznev in 2005. In May 2009, FBI agents met in Moscow with representatives of Russia’s Federal Security Service (FSB), presenting evidence that the hacker nCux was actually a man named Roman Seleznev living in Vladivostok. A month later, in June 2009, nCux announced that he was shutting down his business, after which his profiles on various forums were deleted. According to the case file, it was FSB agents who warned Seleznev that American officials were onto him. The hacker’s correspondence confirms that he maintained ties to the FSB, and the emails show that Seleznev told one of his accomplices that he enjoyed the protection of the FSB’s Center for Information Security. He also claimed that the FSB knew about his identity and activities.

A source in Russia’s cyber-security field confirmed to Meduza that Russian hackers who target foreign computer systems are almost never punished, and more often they’re actually recruited to work for the Russian government. All Russian hackers know the saying: “Don’t work in the .RU” (meaning that banks and companies located inside Russia are off limits). Another source told Meduza that there is a “widespread network in place to attract illegal hackers and encourage them.” According to The New York Times, while Evgeny Bogachev (“Zeus”) — one of the most wanted Russian hackers in the world — infected millions of computers to steal money, the Russian authorities “were looking over his shoulder, searching the same computers for files and emails,” seeking classified information about Ukraine and Syria.

After destroying his original pseudonym, Seleznev soon assumed two new hacker identities as Track2 and Bulba, and before long he was doing more business than ever before. In September 2009, he launched an entire online store for selling stolen credit cards. It looked almost like Amazon.com: you could search by category and select the precise credit card company and financial institution of your choice. U.S. officials believe that Seleznev reinvented the stolen credit card market: stolen information previously appeared in separate threads on different Internet forums, but now, thanks to Seleznev, the market was optimized and automated. One day in April 2011, about a million new stolen credit card numbers appeared in Seleznev’s online store. A couple of weeks later, he flew to Morocco, and nearly died in the cafe bombing. While he recuperated in a hospital bed, Seleznev’s accomplices kept working on the project, but in January 2012 they decided to shut it down.

Arrest in the Maldives

After leaving the hospital, Seleznev assumed another hacker name — 2Pac — and launched a new online store, where other hackers could sell stolen data, as well. Then he created a website where you could find basic instructions on how to steal bank account data and use it. At the top of the website, written in English, the following message appeared: “Here I’ll explain how you can Earn Money. From $500 to $50,000 and even $500,000. Remember that this is all illegal! The whole process — from start to finish.” In June 2014, during the first month that the site was live, it had 3,500 visits.

Seleznev earned millions of dollars in this business. An analysis of just one of his servers shows that he received nearly $18 million for money-transfer services. It’s unknown exactly how much money Seleznev made throughout his career as a hacker. He was paid through Bitcoins, WebMoney, and other electronic wallets. Seleznev bought two homes in Bali, traveled by plane from Vladivostok to islands in the Indian Ocean, and often photographed expensive cars and bags full of cash. In one photo, Seleznev is standing beside a sports car against the backdrop of St. Basil’s Cathedral, posing for almost exactly the same scene as Evgeny Nikulin, another Russian hacker later arrested. (Nikulin was apprehended in Prague in October 2016 on charges of hacking LinkedIn, Dropbox, and other online services. He says police demanded that he confess to hacking Hillary Clinton’s emails on orders from Vladimir Putin.)

Aware that the FBI could be tracking his movements, Seleznev was careful about how he traveled, always choosing countries without extradition agreements with the U.S., and buying plane tickets at the last minute, in order to confuse intelligence agents monitoring his movements.

In July 2014, Seleznev set out for the Maldives, where he rented a villa for $1,400 a day. “I took the most expensive villa. I’ll have my own servant,” he said in a message to one of his accomplices.

Learning that Seleznev was in the Maldives, the FBI asked the U.S. State Department to use its contacts with local officials. Bloomberg reported the details of Seleznev’s capture. After negotiations with American diplomats, the country’s chief of police agreed to detain the hacker, even without a formal extradition treaty with the United States. According to sources, two FBI agents flew to the Maldives from Hawaii, and together with local police they monitored Seleznev’s movements. When he left for the airport, to return to Moscow, he was finally detained by officers, and put on a 12-hour chartered flight to Guam, where he was jailed at an American military base.

According to investigators, Seleznev was arrested in possession of a laptop that contained data from 1.7 million stolen credit cards, as well as stolen passwords granting access to servers, email accounts, and financial transfers.

After Guam, Seleznev was moved to Seattle, where he says FBI agents beat him. Agents denied the accusation, pointing out that they allowed him to smoke and use cutlery while in custody. A court later rejected Seleznev’s abuse claim.

Russia’s Foreign Ministry called Seleznev’s arrest an “abduction” and “another unfriendly step by Washington.” Seleznev’s father has called for economic sanctions against the Maldives. He claims that his son is transported in the U.S. in a convoy of eight armored cars, always seated in a different vehicle within the caravan. “They’re making him out to be some kind of Internet Bin Laden,” the State Duma deputy says.

A month after the arrest, the following message appeared on the 2Pac forum: “We apologize for the lack of updates. The boss has been in a car accident. He’s in the hospital.”

U.S. prosecutors say Seleznev is the most serious cybercriminal ever brought before a judge, describing him as a person with extraordinary computer skills, who’s returned to cybercrimes several times, always “escalating the scale of his attacks.” American police estimate that his actions have caused more than $170 million in damages, and prosecutors have even compared Seleznev to Tony Soprano, the fictional protagonist of an HBO television series.

“His arrest is a rare victory in the fight against Eastern European cybercriminals,” prosecutors have said. “Many hackers live in Russia, which doesn’t extradite criminals to the United States. If Seleznev is released, then he’ll act with impunity at home, given his links to Russian law-enforcement agencies.”

Before a verdict was rendered, Seleznev confessed to the charges, after initially refusing to cooperate with investigators and trying to delay his trial. His case materials contain a transcript of his phone calls to his father from prison, where the two discussed “Option Uncle Andrey” — where Seleznev would delay his hearing first by becoming ill and then by refusing to speak to any attorneys. It worked: before his hearing, the defense attorneys filed a notice of withdrawal from the case because of disagreements with their client, and the May 2015 hearing was postponed until November. The delay created additional costs for the trial, because witnesses from Sri Lanka, Honolulu, and Chicago had already been flown to Seattle to testify.

Before the verdict, Seleznev penned a handwritten letter to the court where he summarized his life history and claimed to have entered a life of crime because of a difficult childhood. “I tried to find work online, and everything went downhill from there,” he said. “I chose the wrong path and started hacking computers to steal things.”

Seleznev’s case concluded in April 2017, when allegations that Russian hackers interfered in the 2016 U.S. presidential election had been dominating American news headlines for months. Seleznev was sentenced to 27 years in prison — the longest anyone has ever been locked up for a cyber-crime in the United States. “I am a political prisoner. I’m a tool for the U.S. government,” he declared after the sentencing. “They want to send a signal to the whole world, using me as a pawn. Given my head injury, today’s ruling is as good as a life sentence.” Seleznev’s father has called the verdict a “sentence by cannibals.” In September 2017, Seleznev confessed to another two criminal charges, pleading guilty to causing an estimated $52 million in losses.

Dmitry Smilyanets and Vladimir Drinkman

“Brave” for Mother Russia

On March 22, 2012, the head of Russia’s most successful professional e-sports organization at the time, an outfit called “Moscow Five,” announced that the team had acquired a “curator.” Dmitry Smilyanets (also known as Smelyi, or “Brave”) was alluding to businessman and billionaire Sergey Matviyenko, the son of Federation Council Chairwoman Valentina Matviyenko. According to Smilyanets, the team had been in talks with Matviyenko as Moscow Five was winning victories in the League of Legends World Championship tournament. A photograph soon appeared on the team’s website showing Smilyanets and Matviyenko together, posing with a stuffed buffalo.

Dmitry Smilyanets (right) and Sergey Matviyenko (center), May 10, 2012

Dmitry Smilyanets’s personal Vkontakte page

Judging by posts on social media, Smilyanets took a general interest in politics and interacted frequently with Russian social figures. In March 2012, during Russia’s last presidential election, Smilyanets posted a photograph of his ballot showing a vote for Vladimir Putin, writing, “I believe in him! This is for a strong leader!” Sometime later, he shared another photograph from a roundtable meeting with representatives from the Putin administration. The caption read, “We discussed issues with e-sports in Russia.” Later, he posted a picture of a Russian flag with the following excerpt from the national anthem: “Our loyalty to the Fatherland gives us strength.”

Before every competition, Smilyanets publicly appealed to God. “Lord, help us claim victory at the Intel Extreme Masters in Hanover. We fight for the honor of Moscow and for Mother Russia!” he wrote online in March 2012. That same month, he shared a painting depicting angels flying over Moscow, saying it was made specially for Moscow Five by artist Nikas Safronov, whose usual clients are Russian politicians and celebrities.

In 2003, according to Bloomberg, Smilyanets got to know Vladimir Drinkman by playing Counter-Strike together online. Smilyanets often enraged the other players by using cheat codes. Eventually, the two men met up in person, and Drinkman says they soon became friends, drinking and fishing together.

Drinkman grew up in Syktyvkar, taking an interest in programming at an early age. He taught himself C++, and worked as a system administrator at a college. Smilyanets was born in Moscow, where he graduated with a degree in information security from Bauman Moscow State Technical University. In his Twitter biography, he said his interests were geopolitics, e-sports, and information security.

According to the case files, Smilyanets and Drinkman started hacking the computer networks of financial companies, payment systems, and stores in 2005, gaining access to credit card data. Smilyanets was also responsible for selling the stolen data, with each credit card number going for between $10 and $50, depending on the country of origin. They infiltrated the Nasdaq stock exchange, 7-Eleven stores, the French chain Carrefour, and other major companies. For the next 10 years, they stole almost 160 million credit cards and caused roughly $300 million in damages, according to prosecutors. The hacker Albert Gonzalez first alerted U.S. federal agents to Drinkman’s cybercrimes, and it was through him that the FBI caught up to Smilyanets. Gonzalez was already behind bars, serving out a 20-year prison sentence for stealing $130 million in credit cards.

Arrest in Amsterdam

In July 2013, intelligence officers found a photo on Smilyanets’ Instagram account showing him wearing a hoodie bearing the Russian coat of arms, posing in downtown Amsterdam. American federal agents then phoned every hotel in the area, learning that Smilyanets was staying at one of them. When they called, the receptionist said he was sleeping. The next morning, detectives came to the hotel, where it turned out that Smilyanets was renting two rooms. To the surprise of police, Vladimir Drinkman was in the second room.

In his last post on Vkontakte before he was arrested, Smilyanets shared a photo of his e-sports teammates, writing, “[Behold] the legacy of Russian e-sports. Only the CIA and MI6 could ever speak ill of them.” After he was in police custody, Smilyanets became known as the godfather of Russian e-sports. Journalists would later write, “Now everyone knows where [Smilyanets] got the money for his team.”

Smilyanets’ father, a Moscow lawyer named Viktor, says there’s no evidence to support the charges against his son, arguing that he wasn’t even in possession of a computer when police arrested him. “The amount of damages he supposedly inflicted on banks and other financial institutions raises even more questions. The figures are incredible,” Smilyanets’ father says. “The Americans love to invent astronomical figures in order to write off billions of dollars in debt.”

Investigators later said there were another three hackers working with Smilyanets and Drinkman: two Russians and one Ukrainian. These suspects remain at large.

Almost immediately, Smilyanets agreed to be extradited to the United States, where he was imprisoned in New Jersey. Behind bars, he started learning Spanish and Chinese. Drinkman, on the other hand, spent the next 2.5 years fighting extradition. After news that Holland had agreed to transfer him to the U.S., Drinkman landed in a Dutch psychiatric hospital, where he told Bloomberg in an interview that he read George R. R. Martin’s “A Song of Ice and Fire” fantasy novels, while waiting in prison.

In September 2015, both Smilyanets and Drinkman confessed to the charges against them, but a verdict in their trial has been postponed several times. Currently, the ruling is expected on September 22, 2017. They face 25 and 35 years in prison, respectively.

Nikita Kuzmin

The man with a convertible and a Playboy bunny

By 2009, twenty-five-year-old Nikita Kuzmin was a raging success both as a public entrepreneur and as an underground hacker. He became the cofounder of the company “YouDo” and wrote about the site’s launch for the tech news website Roem.ru. Back then, the project didn’t specialize in consumer services, like it does now, but was a platform for ordering advertising campaigns. It was around this time when Kuzmin learned that computer security experts had turned their attention to his work as a hacker, studying the trojan virus he developed over several years while stealing hundreds of thousands of dollars.

Kuzmin is the adopted son of the Russian musician Vladimir Kuzmin. “Nikita has his own father. I just raised him,” the singer said in 2010. “He became a businessman. Maybe he takes after his biological father, whom he’s never seen once in his life.” By 2016, the singer was humming a different tune, denying any kinship at all with the now infamous hacker. “This isn’t my son. It’s a mistake,” he told a TV news network.

“I had my son with a lover!” Kuzmin’s mother, Tatyana Artemyeva, said in 2011. “Now [my son] lives in America. He’s a real computer genius, and he regularly sends me money. I remember how Volodya [Vladimir] came to meet with Nikita’s father. I won’t give the name of this man. Kuzmin shook his hand, and wished him luck.”

The case materials against Nikita Kuzmin state that he studied at two technical universities, where he received “advanced computer skills.” Sources told Meduza that he graduated with a degree in information security from Bauman Moscow State Technical University.

Опубликовано Nikita Kouzmin 8 апреля 2015 г.
While in prison, Nikita Kuzmin had access to the Internet. For example, he shared this Facebook photograph on April 8, 2015 — a year before his verdict.

In the mid-2000s, Nikita Kuzmin started hacking ICQ, “stealing” accounts and ransoming them back to users. He made about $20,000 with this scheme. It was around this time that the hacker gained access to a database of passwords and logins for a major financial organization. For several years, he withdrew money from bank accounts all over the world, stealing another $50,000. Kuzmin periodically bought different hacker malware to steal money from bank accounts in the United States and Australia, but these programs often failed, so he decided to start designing his own.

Kuzmin then hired a programmer, and for the next 10 months he developed a banking trojan virus for him that would be called “Gozi.” Kuzmin paid the developer about $20,000 for this work.

Kuzmin first promoted this new malware using the pseudonym “76 service.” The program wasn’t just a virus; it was actually business-to-business (B2B) malware designed for criminals without any hacking prowess. He rented the malware to other hackers, who could get Gozi access and customization for specific targets at $2,000 per week.

The malware sent victims infected PDF files. After infection, Gozi downloaded a virus onto computers that collected all their secret banking information, including their account logins and passwords. This information was transferred to Gozi’s owners (investigators would later discover a data server used to store about 10,000 bank account passwords belonging to roughly 300 companies, including NASA). Gozi is known to have infected at least 40,000 computers in the United States. Gozi clients could access this information using a simple, convenient interface. American officials say hackers used this virus to inflict at least $50 million in damages.

In 2010, FBI agents set out to find the men behind Gozi. By that time, they were already studying the trojan virus itself, and they knew the IP addresses used to carry out its attacks. Then the FBI got a warrant to intercept the correspondence of an unknown Russian hacker. Some of those captured messages appear in Kuzmin’s case materials:

“Why do you want Zeus? Use my trojan. Mine is so much cooler,” the hacker wrote.

“How much will yours cost me?” an unknown person answered.

“$2k a month — all inclusive. I have a botnet and a very convenient admin interface.”

In other messages, the hacker said he recently paid to have his girlfriend’s photo published in Playboy (as a gift to her) and bragged about driving around Europe in a BMW 6-Series convertible.

From the intercepted correspondence, it’s clear that the hacker solicited the client to pay for the malware by transferring money into his Alfa Bank account in the name of Nikita Kuzmin. His email address — nikita@youdo.ru — also made it easier for FBI agents to identify him. American police also studied Kuzmin’s Odnoklassniki account, where they found photographs showing him standing beside a BMW 6-Series — apparently the same car he used to drive around Europe.

Arrest in San Francisco

On November 19, 2010, Kuzmin wrote in one of his chat conversations, “I’m leaving Thailand, and I’ll get lost somewhere there.” On November 22, 2010, he wrote, “I’m in Bangkok.” A week later, he landed in San Francisco, traveling to California on business, without even thinking that he might be arrested. Police grabbed him in the airport, arresting him and transferring him to a prison in New York.

When other hackers learned about Kuzmin’s capture, there was a mass panic. One Gozi user wrote, “Everyone who had any dealings with 76 service needs to take measures, change your contacts, be careful on forums, and avoid leaving the country unless absolutely necessary, or you’re f**ked.” Another forum user wrote, “Nikita talked a lot about himself, sitting around all day on Jabber, and then he rolled on his partners…”

At first, Kuzmin faced a possible 97-year prison sentence. His prosecutor was none other than Preet Bharara, U.S. Attorney for the Southern District of New York — a man The New Yorker once said “struck fear into Wall Street” (before the the Trump administration fired him in March 2017). Bharara argued that Kuzmin, by renting out his software, made the virus accessible to people who lacked serious computer science expertise. "Unlike most crimes, Kuzmin's crime — the creation and distribution of harmful malware — cannot be stopped simply by capturing the perpetrator, as the government has done here. Because Kuzmin sold the Gozi source code to others, Gozi can be used by others, and it is in fact still in wide use by criminals today," Bharara told the court.

In May 2011, Kuzmin agreed to cooperate with investigators and began testifying against his former accomplices. Afterwards, police arrested Deniss Calovskis in Riga and Mihai Ionut Paunescu in Bucharest. 

Kuzmin hired as his defense attorney Alan Futerfas — the same lawyer who started working for Donald Trump Jr. after reporters learned about his meeting with the Russian lawyer Natalia Veselnitskaya, who allegedly offered the Trump campaign dirt on Hillary Clinton. (Before Kuzmin, Futerfas defended several clients with reported ties to the mafia.) Kuzmin’s case was under review for a long time, with hearings repeatedly postponed.

In prison, Kuzmin apparently had access to the Internet. In 2011, he was able to sell his shares in YouDo, and in 2015 he updated his profile picture on Facebook. Two months before his verdict, Kuzmin even wrote comments on the website Roem. On March 7, 2016, for example, he participated in an online discussion about a Kremlin initiative to provide government tax police with information about all purchases Russian citizens make abroad. “Simply shocking!” Kuzmin remarked.

The hacker was convicted on May 2, 2016, and sentenced to three years in prison and fined $7 million. By that point, Kuzmin had already been living in American prisons for five years, so he was set free, and he flew home to Russia that very same day. Prosecutors wanted Kuzmin locked up for twice as long, but the judge took into account his cooperation with investigators.

Judging by Kuzmin’s Facebook updates, today he’s working on an online trading platform and traveling frequently. Since going free, he’s been to Vienna, Amsterdam, Kiev, Abu Dhabi, Sochi, and Russia’s Putorana Plateau mountain range.

Meduza met up with Nikita Kuzmin in St. Petersburg, where he lives now, but he refused to speak about his life. The time for that “hasn’t come yet,” he said.

Russian text by Daniil Turovsky, translation by Kevin Rothrock