SAN FRANCISCO (CN) — A 12-person jury found a trail of digital bread crumbs led to Yevgeniy Nikulin as the hacker responsible for three data breaches in 2012 at LinkedIn, Dropbox and Formspring and the theft of more than 100 million user credentials.
The trail began with Nick Berry, a LinkedIn engineer whose personal computer was hacked in March 2012. By installing a malicious software program that allowed him to gain access to Berry’s Virtual Private Network, the means by which Berry could log in to work remotely, the hacker infiltrated the company’s internal database of user credentials.
Using credentials stolen from LinkedIn, the hacker next targeted Dropbox employee Tom Wiegand and breached his work account, sending an invite to himself at the email address [email protected] to join a shared employee Dropbox account.
From there, he went on to compromise Formspring employee John Sanders’ work account by accessing the password database Sanders had stored in his Dropbox, then using Sanders’ work login to breach Formspring’s corporate database and make off with millions of hashed user passwords from the now-shuttered Q&A site that later showed up on internet hacker forums.
“The data from one intrusion facilitated the next,” Assistant United States Attorney Katherine Wawrzyniak told the jury during closing arguments Friday.
Investigators tied all three company hacks to the [email protected] address. Wawrzyniak told the jury that the email address was a burner account intended to receive automatic messages sent to the hacker’s various aliases. Chinabig01 was also used to create a Vimeo account with username Uarebeenhacked.
Prosecutors believe Nikulin controlled that email address, as well as [email protected], which was used for an account on the gaming website Kongregate with the username and password zopaqwe1, the same username and password used by [email protected] for an account on the domain hosting site Afraid.org.
They also linked r00talka and chinabig01 through search history: both contained searches related to Kantemirovskaya Street, the Moscow residence that IP address records traced to Nikulin, as well as searches for information related to the LinkedIn hack. R00talka was also the recipient of numerous notifications from Nikulin’s social media account on VK, Russia’s Facebook equivalent, alerting him to messages from his brother and girlfriend, along with a message from a friend saying the two were neighbors again on Kantemirovskaya Street.
Nikulin, using the alleged pseudonym “Yevgeniy Lomovich” (a surname that translates to crowbar and that prosecutors believe is a play on “hacker”), gave his friend Oleksander Ieremenko, via Skype chat, the login and password zopaqwe1 for his account on Afraid.org. Investigators later obtained records from Afraid.org showing someone was scanning its systems for vulnerabilities.
The Skype chat logs were obtained from a U.S. Secret Service search of Ieremenko’s apartment in Ukraine as part of an unrelated cybercriminal investigation, and later turned over to the FBI.
“The carefully collected digital evidence proves the following: [email protected] was responsible for the hacks, and is connected to these other electronic accounts including ultimately the [email protected] address,” Wawrzyniak said. “R00talka is clearly controlled by the defendant Yevgeniy Nikulin. This is how the digital trail ties together.”
Nikulin, now 32, was arrested in the Czech Republic in 2016 and extradited to the U.S. in 2018 to face nine criminal counts of computer intrusion, causing damage to a protected computer, aggravated identity theft, trafficking and conspiracy. The jury convicted him on all counts, but found the government did not present enough evidence to prove that he committed the Dropbox and Formspring hacks for financial gain.