At the end of the trial, Judge William Alsup in the San Francisco District Court addressed a few personal words to the defendant. The judge said that the verdict against Yevgeny Nikulin should also be a deterrent message to international cyber criminals. The message is loud: 32-year-old Nikulin has to go to prison for 88 months. In 2012, the Russian stole login data for the LinkedIn and Dropbox platforms, among others. By the standards of the time, the data theft was gigantic: Nikulin stole 117 million sets of login data in the course of his activities. Today, the number of credentials stolen in major data leaks or hacks sometimes even runs into the billions.
The case USA vs. Nikulin is notable for other reasons too. The Russian, who had repeatedly voiced his fondness for fast cars on social media and posed with the daughters of high-ranking Russian politicians, was arrested in 2016 while on a short vacation in Prague. The high-profile arrest in a hotel came just two days before then-US President Barack Obama publicly accused Russia of being responsible for the hack of the US Democrats’ election campaign committee (DNC). This led to speculation, first in the Czech magazine Respekt, that the US was trying so hard to get Nikulin because the hacker might know something about the hack against the DNC.
A diplomatic skirmish ensued between the US and Russia over Nikulin’s extradition. The government in Moscow suddenly wanted to indict its citizen as well. Russia's argument: Nikulin hacked a Russian website in 2009 and caused 3500 dollars in damage, so he must be indicted in Moscow. At the same time, the Kremlin let it be known that the US was illegally hunting Russians abroad. According to the Czech media, Nikulin’s lawyer spoke of a politically motivated charge at the time. His client, he said, had never had anything to do with computers; he was actually a car mechanic. That would at least be a resourceful explanation for the Instagram photos with Lamborghinis, Mercedes and other luxury cars.
The head of the private cyber investigative firm Intel 471, Mark Arena, finds it hard to imagine that Nikulin would have been punished in Russia as well. His firm's undercover agents obtain information from the cyber underworld for companies and authorities. “It has been the tactic of Russians lately to extradite their citizens to Russia on the pretext of minor crimes,” Arena told the SZ. “But this is nothing more than a transparent and cynical attempt to spare criminal Russians prison terms in the USA.”
Expert considers punishment to be comparatively mild
According to Arena, it is doubtful whether the “deterrent message” from US judge Alsup will be heard in Russia. Cybercriminals have little to fear there. At least as long as there are no Russian victims, criminal activities are either tolerated there, or there is even active cooperation if it serves Russian state goals. In Nikulin’s case, both are conceivable, says Arena. 100 million login details for LinkedIn are certainly also of interest to the security apparatus.
Arena considers the verdict to be comparatively mild. The act had a direct negative impact on every one of the millions of LinkedIn users hacked. The victims would probably have received a lot of spam, and it cost LinkedIn money and reputation.
In the Czech Republic, the case had become a real affair of state. Both Russia and the United States put pressure on the country’s politicians. President Miloš Zeman ultimately favored extradition to Russia, while Prime Minister Andrej Babiš wanted to hand Nikulin over to the USA. Finally, Attorney General Robert Pelikán decided to extradite him to the United States, only to resign a few weeks later. In 2019, the Constitutional Court finally ruled that the extradition had taken place unjustly. At this point, however, Nikulin was already in the United States.