A jury found Russian hacker Yevgeniy Nikulin guilty for breaching the internal networks of LinkedIn, Dropbox, and Formspring back in 2012 and then selling their user databases on the black market.
The jury verdict was passed on Friday during what was the first trial to be held in California since the onset of the coronavirus (COVID-19) pandemic.
The three hacks
According to court documents and evidence presented at the trial, Nikulin hacked all three companies in the spring of 2012.
The hacker first breached LinkedIn between March 3 and March 4, 2012, after he infected an employee’s laptop with malware that allowed Nikulin to abuse the employee’s VPN and access LinkedIn’s internal network.
From here, the hacker stole roughly 117 million user records, data that included usernames, passwords, and emails.
Nikulin then used the LinkedIn data to send spear-phishing emails to employees at other companies, including people working at Dropbox, where he was able to breach an employee account, and then invite himself to a Dropbox folder holding company data.
This intrusion lasted from May 14, 2012, to July 25, 2012, and authorities say Nikulin was able to make off with a trove of information on 68 million Dropbox users, including usernames, emails, and hashed passwords.
Nikulin was also able to phish his way into the employee account of a Formspring engineer, from where, between June 13, 2012, and June 29, 2012, he is believed to have gained access to the company’s internal user database, consisting of 30 million user details.
Nikulin then sold the data on the underground hacker market to other cyber-criminals. The data surfaced online in 2015 and 2016, as various data traders put the data for sale on publicly-accessible forums and criminal e-commerce stores.
The arrests, extradition, and US trial
Authorities started an investigation after the three companies filed criminal complaints in California, in 2015. Nikulin was arrested a year later, in October 2016, while vacationing in Prague with his girlfriend.
A Radio Free Europe editorial published in 2016 highlighted Nikulin’s extravagant lifestyle financed by his hacking activities. This included several luxury cars, expensive watches, and travels around Europe. In an interview with Russia site AutoRambler, Nikulin admitted to owning a Lamborghini Huracan, a Bentley, a Continental GT, and a Mercedes-Benz G-Class.
Despite attempts to fight his extradition in the Czech Republic, the hacker was eventually sent to the US in the summer of 2017, where he was arraigned in front of a judge.
Since 2017, the hacker remained incarcerated. During all of this, Nikulin changed lawyers several times, refused to cooperate with the investigation or reach a plea deal, was moved through multiple jails, and was examined by psychologists under the court’s order amid concerns for his mental health from the judge after Nikulin refused to talk with councils and appear in front of the court. Nikulin was found to be mentally apt for a trial.
The actual trial was initially set for early 2020 but was delayed twice due to the coronavirus pandemic.
During the trial, which took place under special circumstances and protective measures, Nikulin pled not guilty. US prosecutors proved their case, but they also tried to pin him to other hacks and criminal conspiracies.
The judge supervising the case called the prosecution’s efforts into question just days before the trial ended, describing their efforts and evidence as “mumbo jumbo,” wondered if the prosecutors were wasting the jury’s time, and also asked out loud if the prosecutors had any real evidence against Nikulin besides private messages sent between two nicknames on internet chats.
However, despite the judge critiquing the prosecutors for their handling of the case, the jury found Nikulin guilty after only six hours of deliberations.
Nikulin’s sentencing was scheduled for September 29, 2020.