Kseniya Kirillova is a Russian journalist. She challenged the Putin regime’s false narratives about the Kremlin’s war against Ukraine and now lives in the US. Here she interviews Arkady Bukh, who represents Russian hackers put on trial in the US. He talks about how the FSB uses hackers and some of their methods of stealing and misusing information.
New York criminal lawyer Arkady Bukh is known far beyond the United States. Over the last decade, he has defended many Russian hackers who have been extradited to the United States to face criminal charges. Among his clients were: Vladislav Khorokhorin (AKA Badb), whom the US authorities called one of the most dangerous cybercriminals on the planet and who was sentenced to 88 months in prison for stealing more than $9 million from RBS Worldpay, a credit card processing company based in Atlanta; Mikhail Rytikov and his accomplices, who stole 160 million credit and debit card numbers; and Alexander Panin (AKA GriboDemon), currently serving more than 24 years for his role as the creator of the SpyEye malware which caused hundreds of millions in losses to financial industry businesses across the globe. Bukh is currently defending Yevgeniy Nikulin, who was detained in Prague in the autumn of 2016 and extradited to the United States in March 2018, accused of hacking into LinkedIn and Dropbox in 2012 and stealing more than 117 account passwords.
In my exclusive interview with him, Mr. Bukh talked about how hackers have changed over the past decade, how cybercriminals cooperate with Russian and American intelligence services and how the hacking of unsuspecting citizens is carried out.
According to Mr. Bukh, almost none of the Russian hackers can be described as romantics or high-spirited computer geniuses who hack other people’s websites for sport. They aren’t cyber rebels seeking to bring justice to a corrupt world, like those romanticized in popular media. Instead, they are cold-blooded profiteers.
“They are primarily businessmen for whom this is a way of making money. About 10–12 years ago, banks were inexperienced in cybersecurity and became the targets of constant attacks, in which hackers stole hundreds of millions of credit card numbers. Now such hacks occur less and less often, giving way to commercial attacks. There is a growing number of cases of extortion, theft of traffic and databases, fake news releases in the commercial sphere, designed, for example, to ensure a rise in the value of shares of a company in order to then bring them down sharply. Now you can influence the fate of companies in the United States without leaving your office in Moscow — it’s enough to secure a large network of computers (a ‘botnet’) capable of sending spam with fake news,” says Mr. Bukh.
The diversity of new types of cyber crimes is attracting a widening group of criminals and dramatically increasing the size of the problem. In 2015, global cyber crimes cost an estimated $500 billion. In 2019, the global estimate is expected to reach $2 trillion. And, according to Information Age, 50% of small and medium-sized businesses experience at least one cyber attack a year. Information and data theft is getting so lucrative that criminal groups not normally associated with web crimes are starting to get involved, leading to some of the most unexpected people becoming hackers nowadays.
“Ten years ago, most of the hackers were educated young men from the post-Soviet space,” said Mr. Bukh. “Now, the cast of characters has changed dramatically. Not so long ago, let’s say, members of the Bloods gang came to me: they were real gangsters, one of them had a gun at the ready. They said that they are hackers. In fact, this is a clear indicator of a new trend. Gangs of drug dealers, like the Bloods, Crips and others, realized that selling drugs is dangerous because of the risk of life imprisonment or being killed in gang turf battles. It is much easier to, say, buy a batch of credit card numbers from Russian hackers on a forum and use them to buy $20,000 to $30,000 worth of goods,” Mr. Bukh said.
And while Mr. Bukh believes there are still some romantics and ‘Robin Hoods’, they are more common among European hackers; those from the post-Soviet space have no noble intentions.
“They can, for example, send a message to a hospital demanding it send $50,000 in bitcoin, or they will shut off the electricity, and then two hours later, the emergency generator. They are well aware that people would die in the hospital, but this does not stop them,” said Mr. Bukh.
Hackers in the service of the FSB
Russian hackers don’t only work for themselves, said Mr. Bukh, it’s not uncommon for them to work with the Russian Federal Security Service (FSB). But fans of Hollywood spy stories may be disappointed: the bulk of orders from the Russian intelligence services are purely ‘commercial’ in nature.
“The FSB simply incites hackers to act against competitors of firms that are under their protection. It works very simply. There is such a thing as ‘black forums’. They are divided into different levels, for which references from the participants are required, and for some, references and serious money. They sell viruses and botnets for attacks. Suppose a botnet of a million computers can disable the entire infrastructure of a country like Georgia. To do this, simply rent this botnet and organize an attack. For example, someone buys a virus, rents a botnet and, through spammers, sends these viruses from all computers on the network. The FSB operates on these forums through intermediaries, who buy the necessary viruses and rent botnets. That is why it is difficult to understand how often Russian intelligence services buy such information — they never do it themselves,” Mr. Bukh explained.
Unfortunately, infrastructural facilities in almost all countries are quite vulnerable, and it is not that expensive to disable them, Mr. Bukh said.
“Opening a river dam so that water floods a village downriver or disrupting the electrical grid in a city is not technically difficult. These objects have weak protection, and it can cost $2000 to $3000 to organize such an attack. We are saved only by the fact that disrupting the infrastructure does not bring any material benefits. Such things may be of interest only to terrorists or experimenters, but not to professional hackers,” Mr. Bukh said.
While his clients have shared a great deal with their lawyer, Mr. Bukh notes that Russian hackers are extremely reluctant to discuss specific orders from the FSB, and especially do not like to reveal whether they received orders on international matters related to intelligence or interference in elections.
“Usually, after serving their time, they are deported to Russia, so they fear punishment from the FSB. If hackers give information to the American authorities, the Americans immediately eliminate vulnerabilities, so Russian intelligence agencies know if the arrested hackers have given information to the FBI. However, people sometimes share with me information about more private orders, such as when FSB officers asked for credit card numbers and PIN codes to get cash from ATMs”, Bukh said.
Nevertheless, the lawyer admits that at least some of the information obtained by hackers, such as personal data of social network users, credit cards and other personal information, was used to interfere in the American elections, for example, to create false accounts on social networks using the real data of American citizens.
According to Mr. Bukh, ordinary people often become an easy target for hackers hunting for more than just credit card numbers, but also for any other information that might be useful for them to clone profiles or create new, fake ones.
“I cannot comment on the involvement or non-involvement of my client, Yevgeniy Nikulin, in attacking the LinkedIn network, but one thing is certain: LinkedIn was really hacked, and hundreds of millions of passwords and email addresses were stolen. The same happened to Yahoo’s e-mail network and several others. That is how our elections were broken into. Then these passwords and addresses are gathered on the black forums into the so-called ‘black cloud’. This is a search engine which can be used to find information about all the hacker attacks directed against an individual’s different accounts using a name or email address. Suppose I need to access a certain congressman’s email. I order his name on the black forum, and the forum prepares a dossier for me: all his email addresses and accounts hacked during various attacks, including online stores, and passwords for these accounts. Even if this congressman now uses a different email address on another site, people very often use the same passwords as before, or passwords with minor changes. By the way, the FSB often asks its hackers to purchase a file on a specific person,” revealed Mr. Bukh.
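The risk Mr. Bukh describes rests on two habits: reusing a password that was already exposed in an earlier breach, and "changing" it only by a new year, a symbol on the end, or leet spelling. The defensive counterpart is to check a newly chosen password against a breach corpus before accepting it. The example below is added here and is not from the article or from any of the companies it mentions; the breach corpus it uses is a constructed four-entry sample, and the `stem()` canonicalisation rules are this example's own assumption about what "minor changes" look like. The k-anonymity range lookup at the end follows the scheme used by the public Have I Been Pwned "Pwned Passwords" service, where the client sends only the first five hex characters of the SHA-1 and matches the rest locally.

```python
import hashlib
import re

# Constructed sample of passwords exposed in earlier breaches. A real deployment
# would ingest a breach feed and keep only hashes; the plaintexts are here so
# the example is self-contained and runs offline.
BREACHED_PLAINTEXTS = ["Summer2012", "letmein", "P@ssw0rd!", "qwerty123"]

# Reverse the most common "leet" substitutions so P@ssw0rd and password collide.
# (Assumed rule set for this example, not a standard.)
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def sha1_hex(text: str) -> str:
    """Upper-case hex SHA-1, the digest breach-range services are keyed on."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def stem(password: str) -> str:
    """Canonical form that survives the 'minor changes' reusers make:
    case changes, a different year or symbol on the end, leet spelling."""
    lowered = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)  # drop trailing digits/symbols
    if not stripped:                               # e.g. "123456": keep as is
        return lowered
    return stripped.translate(_LEET)


def build_index(plaintexts):
    """Hashes to compare against: exact hashes plus hashes of the stems."""
    exact = {sha1_hex(p) for p in plaintexts}
    stems = {sha1_hex(stem(p)) for p in plaintexts}
    return exact, stems


EXACT_HASHES, STEM_HASHES = build_index(BREACHED_PLAINTEXTS)


def classify(candidate: str) -> str:
    """'breached' if the password itself was exposed, 'variant' if only a
    trivially modified form of it was, 'ok' otherwise."""
    if sha1_hex(candidate) in EXACT_HASHES:
        return "breached"
    if sha1_hex(stem(candidate)) in STEM_HASHES:
        return "variant"
    return "ok"


# k-anonymity range lookup: the server is indexed by 5-character hash prefix and
# returns every suffix under that prefix; the client compares locally, so neither
# the password nor its full hash ever leaves the client.
def range_index(plaintexts):
    """Build the server-side prefix -> {suffixes} index (constructed here)."""
    idx = {}
    for p in plaintexts:
        h = sha1_hex(p)
        idx.setdefault(h[:5], set()).add(h[5:])
    return idx


RANGE_INDEX = range_index(BREACHED_PLAINTEXTS)


def range_check(candidate: str, index=RANGE_INDEX) -> bool:
    """True if the candidate's full hash appears under its 5-char prefix."""
    h = sha1_hex(candidate)
    prefix, suffix = h[:5], h[5:]
    returned = index.get(prefix, set())  # what the server would hand back
    return suffix in returned


if __name__ == "__main__":
    for pw in ["Summer2012", "Summer2013", "summer!", "P@ssw0rd!",
               "Password2", "correct-horse-battery-staple"]:
        print(f"{pw!r}: {classify(pw)}, range_hit={range_check(pw)}")
```

The exact-hash check catches straight reuse; the stem check catches the "same password with minor changes" case the interview describes (`Summer2013` against a breached `Summer2012`, `Password2` against `P@ssw0rd!`). The range lookup is the privacy-preserving way to run the exact check against a third-party corpus; the stem check has to run against a corpus you hold yourself, because a stemmed hash is not what public range services index.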
The “black cloud,” or “dark web” as it is more commonly known, is a part of the world wide web that is only accessible through the use of a browser called TOR (The Onion Router). TOR seeks to protect a user’s anonymity by redirecting internet traffic through a network of more than 7000 relays, concealing the user’s identity and location from anyone doing web surveillance or analyzing web traffic flow.
About the Dark Web, Keeper Security CEO Darren Guccione wrote, “You can buy credit card numbers, all manner of drugs, guns, counterfeit money, stolen subscription credentials, hacked Netflix accounts and software that helps you break into other people’s computers. Buy login credentials to a $50,000 Bank of America account for $500. Get $3,000 in counterfeit $20 bills for $600. Buy seven prepaid debit cards, each with a $2,500 balance, for $500 (express shipping included). A ‘lifetime’ Netflix premium account goes for $6. You can hire hackers to attack computers for you. You can buy usernames and passwords.”
It is in this part of the web, hidden from surveillance, that Russian hackers attacked their victims, often Americans in the United States.
Caught Hackers Working with American Agents
According to Mr. Bukh, hackers cooperating with Russian intelligence do not come to the United States voluntarily. They end up in America only if they are extradited from another country. The controllers of botnets, viruses and large platforms that allow them to launch powerful spam attacks usually try not to go abroad, outside of familiar areas where they are protected.
If a Russian hacker somehow ends up in American custody, lawyers often offer him three options. First, he can try his luck in court, which would cost hundreds of thousands of dollars and consume an enormous amount of time and effort — and the number of acquittals is usually less than one percent. The second option is a confession of guilt and remorse, which can reduce the term, say, from 50 to 15 years in prison. The third option is to cooperate with federal investigators and create web projects that could help the U.S. catch other cybercriminals.
“It could be the creation of a payment system with which you can snare crooks and terrorists, or some other idea that serves the interests of American national security,” said Mr. Bukh. “Once I have the idea, I start to run around different government agencies offering them the project. This may be not only the FBI, but also other agencies, which then negotiate with the prosecutor. After the hacker starts working for the government, the appropriate agency writes him a letter of recommendation. The prosecutor communicates it to the judge, and a letter like this can help reduce the prison term by 30%-40%. I sometimes manage to achieve almost 80% reduction. People agree to these deals very often”, noted Mr. Bukh.
Arkady Bukh has founded his own cyber security company, CyberSec, which employs his former clients — hackers and fraudsters.
“My clients often tell me that they can no longer work with yesterday’s college graduates, who have no practical experience and have never hacked anything in their lives. My employees spent thousands of hours breaking websites for years and stealing huge amounts of money. They became excellent experts in cyber security,” Mr. Bukh said.
A previous version of this article first appeared in Medium.com. The views expressed here do not necessarily represent the views of the Integrity Initiative.