Euro Security Watch with Mathew J. Schwartz

Russia's Accused Hacker Repeat Play: Extradition Tug of War

Alleged Russian Cybercriminals Vacation Abroad at Their Peril
Russian citizen Yevgeniy Nikulin, incarcerated in Prague, is the focus of competing U.S. and Russian extradition requests. (Photo: YouTube)

Are you an accused Russian hacker who's been detained on foreign soil at the request of U.S. authorities, perhaps while you were vacationing with friends or family? Don't worry, Mother Russia will go to court to try to bring you home.

So goes the repeat move by the Russian government when it comes to citizens who have been detained abroad on cybercrime charges at the request of the U.S. Justice Department. To combat these detentions and the subsequent U.S. extradition requests, the Kremlin will often file its own competing extradition requests.

Bad news for alleged Russian hackers: None of these Russian extradition requests appear to have ever been successful. That's if success gets measured in terms of bringing citizens home, of course, without their having to face a U.S. court. Viewed in a more cynical light, these Russian extradition requests are a chance for some political theater, as the Kremlin gets to denounce what it says is America's global manhunt against its citizens.

Most people arrested abroad on any charge would likely want their government to attempt to bring them home. But as one ongoing case demonstrates, the Kremlin's track record for freeing Russians accused of hacking who have been arrested abroad isn't good.

In October 2016, police in Prague, acting on a red notice issued by Interpol, arrested Russian national Yevgeniy Aleksandrovich Nikulin, who was then 29 years old (see Hackers' Vacation Plans in Disarray After Prague Arrest).

Nikulin Arrested in Prague

Footage of Yevgeniy Aleksandrovich Nikulin being arrested in Prague on Oct. 5, 2016. (Source: Czech Republic Police)

An unsealed U.S. federal grand jury indictment accused Nikulin of hacking U.S. social media firms Dropbox, LinkedIn and Formspring in 2012. If convicted of all the charges filed against him, Nikulin faces more than 50 years in jail and more than $2 million in fines.

Russia Makes Play For Nikulin

First the U.S. and then the Russian government filed an extradition request for Nikulin, who said he was innocent of the charges. Russia's extradition request belatedly accused Nikulin of having allegedly stolen $3,450 via Webmoney in 2009, the Czech Justice Ministry said. The Foreign Ministry in Moscow said that it was "actively working with the Czech authorities to prevent the extradition of a Russian citizen to the United States."

Nikulin initially appealed his extradition to both countries, but later withdrew his attempt to quash Russia's extradition request.

In May, a Czech court ruled that the country could extradite the defendant to either the United States or Russia.

On Friday, the Prague High Court ruled that Nikulin can be extradited to the United States, Radio Praha reports.

The decision to do so now rests with Czech Justice Minister Robert Pelikan.

In what appears to be a last-ditch maneuver, Nikulin's attorney, Martin Sadilek, tells CNN that he plans to file a complaint with the Czech Republic's constitutional court, alleging that his client's "basic human rights and freedoms" as guaranteed under the Czech constitution have been violated.

Feds Pursue Alleged Cybercriminals Abroad

The U.S. government doesn't only pursue suspected hackers operating from Russia. Last December, three Romanian men accused of running a cybercrime ring that used custom-built "Bayrob" malware and money mules to steal at least $4 million from victims were extradited from Romania to face charges in the United States. At least two of the men have pleaded not guilty.

Earlier this year, Canada extradited to the United States Karim Baratov, 22, who's been accused of working as a "hacker for hire" for two Russian intelligence agents who allegedly perpetrated a massive hack of Yahoo in 2014. Baratov, who resided near Toronto, has pleaded not guilty.

When Vacations Turn Bad

Unlike Romania and Canada, however, Russia has never extradited one of its citizens to face U.S. hacking charges. As a result, the United States has pursued other methods to bring these suspects to justice.

Nikulin is only the latest in a long line of suspected Russian hackers who have been detained at the request of U.S. authorities while vacationing abroad.

In August, Spain's high court approved the extradition of Russian national Stanislav Lisov, who was arrested in Barcelona in January while on his honeymoon (see Spanish Court Approves Suspected Hacker's Extradition).

Lisov, who's accused of operating online using the monikers "Black" and "Blackf," was indicted by a U.S. federal grand jury for crimes related to the Neverquest - a.k.a. Vawtrak, Snifula - banking Trojan. The U.S. Department of Justice alleges that between June 2012 and January 2015, Lisov's actions resulted in $855,000 being stolen from U.S. banking customers.

In July, Greek police arrested Russian national Alexander Vinnik for allegedly running a massive money laundering operation that processed $4 billion in bitcoins via a cryptocurrency exchange called BTC-e, according to a 21-count federal indictment. Both the U.S. and Russian governments have filed extradition requests for Vinnik.

Record-Setting Sentence For Seleznev

Roman Seleznev, in an undated photograph. (Source: U.S. indictment)

In April, Roman Valeryevich Seleznev, aka "Track2," was sentenced to serve 27 years in prison.

Seleznev, a Russian national, was seized by U.S. Secret Service agents in July 2014 at an airport in the Maldives, while he was vacationing and about to board a plane. Instead, the agents flew him to the U.S. Pacific island of Guam, where he was arrested. Experts say this type of move is described by U.S. authorities as "informal extradition" (see Fighting U.S. Card Data Fraud Overseas).

Seleznev's sentencing followed a jury in August 2016 finding him guilty of 38 counts related to defrauding 3,700 financial institutions in the United States of at least $169 million.

His 27-year sentence appears to be the most severe U.S. prison sentence ever handed down to a Russian hacker.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
