How US Intelligence Is Hunting Russian Hackers

by | Dec 1, 2022 | Anonymous Living, Anonymous Travel, New Identity, U.S. Government


Since the beginning of 2010, US special services have arrested at least ten Russian hackers in different parts of the world. Some are already in American prisons; others are waiting for a verdict; one of the hackers was released and returned to Russia.

Russian hackers are regularly accused of “the biggest attacks” in history and damage worth hundreds of millions of dollars. At the same time, most of them have ties to Russian special services and authorities. The Russian Foreign Ministry refers to such arrests as “abductions”. Meduza’s special correspondent Daniil Turovsky reveals four stories about the hackers the US intelligence managed to hunt down.

Roman Seleznev

On the morning of April 28, 2011, the Jamaâ El Fna Square in the center of Marrakech (Morocco) was as crowded as ever: passers-by bustled among cars, market tents and street cafes. Among them was Roman Seleznev, a strong man who usually wears a three-day stubble. A few minutes before that, Seleznev had been told to wear a suit before being admitted to the hotel restaurant for breakfast. Since he did not have a case, he and his wife went to the nearest cafe. The waiter said that he could serve them in 30 minutes. The couple agreed to wait, and the waiter mysteriously replied: “Bad idea.” When he brought a glass of orange juice to the Seleznevs, an explosion thundered in the cafe.

After some time, Seleznev regained his senses, but for a little while. White smoke was pouring from the cafe. Most of the building was destroyed. Bodies covered in blood were all around. As it turned out later, the terrorists had left two briefcases with explosives in the cafe and blew them up with a mobile phone, killing 17 people. The Moroccan authorities blamed the attack on Al-Qaeda, but the organization refused to take responsibility for the explosion.

Life altering Injuries

Seleznev survived but fell into a coma. Doctors told his wife (who remained relatively untouched) and his father, who had come to Marrakesh, that he was doubtful to survive. If he would, he would then become a “vegetable for life.” His father, Valery Seleznev, a State Duma deputy from the LDPR, arranged his son’s transportation to Moscow. There he asked a priest to the hospital who baptized Seleznev without his knowledge. While he was in a coma, a letter came from the King of Morocco, Mohammed VI. “The people of Morocco were horrified and saddened to learn that you were injured,” it said.

About two weeks later, Seleznev recovered from the coma. It took him about a year to heal completely; a titanium plate replaced a part of his skull through numerous operations. He and his wife divorced, and she moved to the US.

This is how Seleznev recalled the terrorist act several years later. The incident is far from the most surprising twist of his biography.

nCux from Vladivostok

Seleznev was born in Vladivostok in 1984. When he was two years old, his parents divorced. The teenager went to live with his grandmother and got a job in a computer club that paid $5 for a 24h-work. Seleznev remembers that at first, he and his mother lived in a room measuring 10 square meters; then, she bought an apartment from her brother. His mother worked a cash register in a local store and was a drinker; most of the time, Roman was alone. He began to study programming independently; at 16, he entered college, where he studied mathematics and computer science. Once, upon returning home in 2000, he discovered that his mother had drowned in the bath. Her brother came the same day, took all the valuables and told Seleznev to get out.

Seleznev’s case file indicates that at 18, his interest in programming grew into his first hacker attempts. Initially, he hacked databases to steal documents (names, dates of birth, passport and social security numbers). He made them under the name nCux, where the Latin letters could be read as a Russian word for psycho. Seleznev registered on some clandestine carders forums: those who made money stealing bank cards (for example, carderplanet.com and carder.org).

Making Money

After a couple of years, he started stealing credit card numbers and selling the databases to other carders. Seleznev hacked the processing systems of small businesses in the US, through which all financial transactions went. He used vulnerabilities to infect the design and copy all operations on the cards; the information was then collected on the servers belonging to the hacker. By 2009, Seleznev had become one of the world’s most prominent sellers of stolen cards.

Small snack bars in Washington and other US cities were his favourite targets. The criminal case mentions several pizzerias, street food and burrito joints, and bakeries (about 3.700 enterprises in total). Seleznev used small businesses because of their poor security: such enterprises do not have cyber security departments and usually use bad passwords.

The US Intelligence network in Action

The US special services began to watch Seleznev in 2005. In May 2009, FBI agents met with FSB officers in Moscow. The Russians gave the Americans some evidence proving that Roman Seleznev from Vladivostok was the identity behind the nCux. A month later, in June 2009, nCux announced to the forum that he was leaving the business, after which his forum accounts were deleted. The criminal case states that the FSB told Seleznev the American authorities were after him. The hacker’s emails confirm that he did keep in touch with the FSB. He texted one of his accomplices that he had protection in the FSB Information Security Department. He also said that the FSB knew who he was and what he did.

Meduza’s source related to cyber security claims that Russians hacking foreign systems are rarely punished: they are more often involved in working for the state. All Russian hackers know the saying: “do not work on Ru” (that is, you cannot attack Russian banks and companies while in Russia). Another Meduza interlocutor said: “there is a widespread scheme to attract illegal hackers and to encourage them.” Meduza has comprehensively reported the connections between Russian special services and hackers.

The Net is cast

The New York Times wrote that while one of the most wanted Russian hackers, Evgeny Bogachev (Zeus), was infesting millions of computers to steal money, “the Russian authorities were looking over his shoulder, searching the same computers for files and emails” with classified information about Ukraine and Syria.

Having deleted his former nickname, Seleznev soon began to use the names Track2 and Bulba. Soon he brought his business to a new level. In September 2009, he opened an online store of stolen cards. It looked almost like Amazon: one could search by category, choosing between card brands or financial organizations. US authorities believe that Seleznev re-invented the carder market since previously, stolen cards had appeared on separate forum threads, while now the process of stolen data exchange is optimized and automated. On April 2011, about a million new cards appeared in Seleznev’s store. A couple of weeks later, he flew to Morocco and almost died in an explosion. While the man was being treated, his accomplices continued to work on the project before closing it in January 2012.

Arrest in the Maldives

After leaving the hospital, Seleznev took himself the nickname 2Pac. He created another online store – other hackers could sell stolen goods there. Then he launched a website where it was possible to find basic instructions on stealing bank data and using it. At the top of the site was an ad in English: “Here I’ll explain how to make money. From $500 to $50.000 and even $500.000. Remember, this is an illegal way! The whole process from beginning to end.” In the first month, June 2014, it was visited by 3500 people.

Seleznev earned millions of dollars. It is known that only through one of the services for the transfer of money he received about 18 million. His exact earnings are unknown – the hacker received money through bitcoins, web money and other electronic wallets. He bought two houses in Bali and flew by plane from Vladivostok to the islands in the Indian Ocean. He often photographed bundles of money and expensive cars. There is a photo of him next to a sports car against the backdrop of St. Basil’s Cathedral – almost the same as that of another arrested Russian hacker Yevgeny Nikulin (he was detained in Prague in October 2016, accused of hacking LinkedIn, Dropbox and other services, Nikulin claimed that he was required to admit that he had hacked Hillary Clinton’s mailbox on the orders of Vladimir Putin).

Realizing that the FBI agents could track him, Seleznev travelled carefully. He chose countries with no extradition to the United States. He bought tickets at the last minute to prevent intelligence services from monitoring their movements.

In July 2014, he went to the Maldives, where he rented a villa for 1400 dollars daily. “I took the most expensive villa; I have my servant,” he wrote to one of the accomplices.

The FBI plans the operation

Learning that Seleznev is in the Maldives, FBI agents asked the US State Department to use their connections with local authorities. Bloomberg described in detail how Seleznev’s arrest was organized. After the talks, the head of the country’s police agreed to detain the hacker, despite the absence of an extradition treaty. According to the publication, two FBI agents flew to the Maldives from Hawaii. Together with the police, they monitored Seleznev’s movements. When he went to the airport, where he was due to fly to Moscow, he was detained. Hacker was put on a private plane, and in 12 hours, they were brought to Guam, where the American military base is located.

According to the criminal case, Seleznev had a laptop with data on 1.7 million stolen credit card numbers and passwords to access servers, mail accounts and financial transfers.

After Guam, Seleznev was transferred to Seattle. There he stated that the FBI agents were beating him. The agents responded that Seleznev was allowed to smoke and use cutlery. The court rejected Seleznev’s claim.

The Foreign Ministry called Seleznev’s arrest a kidnapping and “another unfriendly move by Washington.” The father of Seleznev proposed imposing economic sanctions against the Maldives. He said that Roman was carried on eight armoured cars, changing them on and off. “They made him some kind of internet bin Laden,” the parliamentarian said.

A month after the arrest, a message appeared on the forum 2pac: “We apologize for the lack of updates. The boss got into a car accident; he’s in the hospital.”

The US gets their target

The prosecutor said that Seleznev is the most severe cybercriminal ever brought to justice. He was described as someone with extraordinary computer skills who repeatedly returned to cybercrime, “increasing the scale of attacks.” The damage from his actions was estimated at $170 million. The prosecutor even compared the Russian with Tony Soprano – the main character of the series The Sopranos.

“His arrest is a rare victory in the fight against Eastern European cybercriminals, the prosecution maintained. – Many hackers live in Russia, which does not extradite criminals to the United States. If Seleznev is released, given his links with Russian law enforcement agencies, he will act at home with impunity.”

Before the verdict, Seleznev admitted his guilt. Before that, he refused to cooperate with the investigation and delayed the process. In the criminal case, there is a transcript of his telephone prison conversations with his father. They discuss the “Uncle Andrey variant” – delaying the consideration of the case, at which Seleznev first becomes ill and then ceases to communicate with lawyers. It worked: before the hearing, the defence filed a notice of withdrawal from the case because of disagreements with the client; the meeting was postponed to November from May 2015. The transfer of the issue led to additional costs because witnesses in the case had already flown to court in Seattle from Sri Lanka, Honolulu and Chicago.

The Verdict

Before the verdict, he wrote a letter to the court by hand, in which he briefly retold his biography, saying that he had contacted the criminal world because of his difficult childhood. “I tried to find a job on the Internet, and everything went downhill,” Seleznev said. “I chose the wrong path – I hacked into computers for thievery.”

The verdict to Seleznev was taken in April 2017 – when the story of Russian hackers’ alleged interference in the US presidential elections had been one of the main topics in the American media for several months. He was sentenced to 27 years – the most extended period that has ever been given in the US for cybercrime. “I am a political prisoner. I am a tool for the US government,” Seleznev said after the verdict. “They want to send a signal to the whole world, using me as a pawn. Today’s sentence can be fatal in light of my head injury.” His father called the decision “a sentence of cannibals.” In September 2017, Seleznev admitted the charges upon two more counts – they caused a loss of about $52 million.

Bold for Mother Russia

On March 22, 2012, the head of the most successful Russian cybersport organization of those years, Moscow hacker Five Dmitriy Smilianets (Brave – Bold), announced that the team has a curator – businessman and dollar billionaire Sergey Matvienko (son of Valentina Matvienko, the Federation Council speaker). He said that the negotiations with Matvienko were parallel with the victories of the Moscow Five team in the League of Legends in the World Cup final (Meduza spoke in detail about the Russian teams in LOL). On the Moscow, Five websites, a joint photo of Smilianets and Matvienko appeared: Smilianets dressed in his blue Adidas sweatshirt. Matvienko’s son is sitting next to a stuffed buffalo animal.

Judging by the social networks, Smilianets was fond of politics and communicated with Russian public figures. In March 2012, when presidential elections were held, he posted a photo of the ballot paper with a tick for Vladimir Putin. He signed the photo: “I’m sure! For a strong leader!” After a while, he laid out an image from the round table with representatives of the Presidential Administration, where “issues of e-sports in Russia” were discussed. In another photo, there was a Russian flag, on top of which was a quote from a hymn: “Our loyalty to the Fatherland gives us strength.”

Before each competition, Smilianets publicly appealed to God. “Lord, help us win the Intel Extreme Masters in Hanover. We fight for the honour of Moscow, for Mother Russia!” he wrote in March 2012. Then he posted the picture Blessed Morning in Moscow, which, he said, was given the Moscow Five by artist Nikas Safronov, who usually writes about Russian politicians and celebrities.

Russians Hunted everywhere

In 2003, according to Bloomberg, Smilianets met Vladimir Drinkman when they played Counter-Strike on the Internet. Smilianets in these games often cheat, using cheat codes. Soon they met. Drinkman said that they became friends – Smilianets was one of the people with whom you could drink vodka or go fishing.

Smilianets was born in Moscow, where he graduated from the Department of Information Security at Bauman University. Drinkman grew up in Syktyvkar; the school was fond of computers, independently learned the C++ programming language, and worked as a system administrator at the university. In the self-description on his Twitter, he reported that he was interested in geopolitics, e-sports and information security.

According to the criminal record, since 2005, buddies have begun to hack computer networks of financial companies, payment systems and stores, gaining access to credit card data. Smilianets was responsible for their resale – the cards went for 10-50 dollars apiece, depending on the country of origin. They intruded on the Nasdaq exchange, 7-Eleven supermarkets, the French Carrefour network and other large companies. Over the next ten years, according to the prosecution, they stole about 160 million credit cards and caused damage of 300 million dollars. Hacker Albert Gonzales pointed the finger at Drinkman to the American intelligence services; already through Drinkman, they went to Smilianets. Gonzales is already serving a 20-year prison term – for stealing 130 million credit cards.

Arrest in Amsterdam

In July 2013, the special services found a photo in the Smilianets’ Instagram account. He was posing in a hoodie with a Russian coat of arms against the background of the inscription I Amsterdam in the center of the Dutch capital. After that, the Americans phoned all the hotels nearby; in one of them, they were told that Smilianets lived in a hotel, but now he was asleep. The next was Vladimir Drinkman, a Russian hacker, the location of whom the special services did not even guess. The following day the detectives arrived at the hotel. It turned out that Smilianets took two numbers.

By the last post on VKontakte before the detention, Smilianets published a photo of the cyber sportsmen with a signature: “The property of the electronic sport of Russia. Only agents of the CIA and MI6 could run down him.” After the arrest, Smilianets was called ‘the godfather of eSports,’ and a column on Sports.ru appeared stating that “now everyone understands how Bravy has earned money for the maintenance of the teams.”

The Net closes

Smilianets’ father, Moscow lawyer Viktor Smilianets, believes that any evidence does not support his son’s guilt. According to him, when detained, Smilianets had no computer – the primary potential evidence. “The amount of Smilianets inflicted on banks and other financial institutions is more perplexing; figures are incredible,” Smilianets Sr. wrote. “Americans like to draw astronomical figures and thereby write off billions of dollars of debts.”

Later the investigators reported that there were three more hackers in the grouping – two Russians and one Ukrainian; they could not be caught.

Smilianets almost immediately agreed to extradition to the United States. He was jailed in New Jersey, where he began to spend his term learning Spanish and Chinese. Drinkman fought against extradition for two and a half years. He told Bloomberg that he had read George RR Martin’s Song of Ice and Flame in the Dutch prison. According to the lawyer, he was interviewed in a psychiatric hospital, where the hacker was taken after the Netherlands agreed to his transfer to America.

In September 2015, Smilianets and Drinkman pleaded guilty. They face 25 and 35 years of prison, respectively. The verdict was postponed several times. Now the announcement is scheduled for September 22, 2017.

Nikita Kuzmin, YouDo founder with cabriolet

By 2009, 25-year-old Nikita Kuzmin had succeeded in public business and underground hacking. He became a co-founder of the YouDo company and wrote about its launch on Roem.ru. At that time, the service did not specialize in consumer services as it is now. Still, it was a platform for the order of advertising campaigns. Kuzmin found out that cyber security specialists paid attention to the hacks he had committed; they began investigating the trojan virus, which Kuzmin had been developing for several years and earned hundreds of thousands of dollars.

Musician Vladimir Kuzmin adopted Kuzmin. “Nikita has his father; I just brought him up,” the singer said in 2010. “He became a businessman. Perhaps he followed his father’s footsteps, whom he had never seen in his life.” In 2016, the singer denied his family ties with the hacker: “He is not my son; it’s a mistake.”

“I had my son from my lover!”- told the mother of the hacker Tatyana Artemyeva. “Now he lives in America, a real computer genius; he regularly sends me money. I remember how Volodya came to meet Nikita’s father. I will not tell you the name of this man. Kuzmin shook his hand, wished him luck, and I gave him the keys to a rented apartment.”

Materials of the criminal case Kuzmin say that he studied at two technical universities, where he received “advanced computer skills.” The source of “Meduza said that Kuzmin graduated from the Information Security Department of Moscow University, named after Bauman.

Nikita Kuzmin had access to the Internet in prison

He posted this photo on his Facebook page a year before the verdict, April 8, 2015.

In the mid-’00s, Nikita Kuzmin began hacking ICQ: he stole an account from an owner and demanded money for its return. He got access to the password and login database of one of the financial organizations. This way, the hacker earned about 20 thousand dollars. For several years he had been withdrawing money from banks throughout the world. He made only about 50 thousand dollars. Kuzmin periodically bought different hacker software for stealing money from bank accounts in the US and Australia. Still, the programs often needed to be improved, so he decided to make his own.

He hired a programmer who made up the bank Trojan – Gozi for ten months on the project of Kuzmin. Kuzmin paid about $ 20.000 for this work.

He started promoting his work under the nickname ’76 service’. The program was not just a virus but a B2B software for criminals without hacking skills. He rented the program to other hackers – Gozi could be used for $ 2000 for two weeks and be set up for necessary purposes.

The program sent infected pdf documents to victims. After the infection, Gozi downloaded a virus to a computer that collected all the secret banking information, including passwords and logins. Gozi’s customers could access this information through a user-friendly interface. This information was passed to the owners of Gozi (later, investigators will find a server that stored about 10.000 passwords to bank accounts, they belonged to about 300 companies, including NASA. In total, hackers attacked 40.000 computers in the United States). The US authorities estimate еру damage caused by hackers at about 50 million dollars.

The FBI makes its case

In 2010, FBI agents started the search for Gozi’s creators. By then, they had already studied the trojan and found the IP addresses that hackers used for their attacks. Some of them are in the materials of the criminal case. Special services received permission to intercept correspondence of an unknown Russian hacker.

“Why do you need Zeus? Use my trojan. Mine is much cooler,”- wrote the hacker.

“How much will it cost me?” – answered the unknown.

“2k per month, all-inclusive. And I have a botnet and a convenient admin.”

Other reports show he paid for publishing his girlfriend’s photo in the Russian Playboy as a gift and drives around Europe on a BMW 6-Series.

From the intercepted correspondence, it is clear that he offered a client to pay for the program by transferring money to his account in Alfa-Bank to the name of Nikita Kuzmin. The special services also identified the hacker’s mail address nikita@youdo.ru. The Americans also studied Kuzmin’s account in Odnoklassniki. They found photos showing the hacker standing next to the BMW 6 Series, the same that he rode in Europe.

Arrest in San Francisco

November 19, 2010, Kuzmin, the Russian hacker, wrote in a chat: “I’ll go from Thailand and get lost somewhere there.” November 27, 2010, he was in San Francisco on business, not thinking about a possible arrest. At the airport, he was immediately detained, then arrested and transported to a New York prison.

When this became known to other hackers, they panicked. One of the program’s users, developed by Kuzmin, wrote: “Everyone who dealt with the ’76 team’, take measures, change contacts, behave carefully in forums, don’t leave the country without particular need, or ******.” Another user wrote: “Nikita talked a lot about himself, testified against his partners …”

At first, Kuzmin faced 97 years of imprisonment. The Prosecutor of the Southern District of New York, Prith Bharara represented the prosecution in Kuzmin’s case; New Yorker called him “The Man Who Terrifies Wall Street” (in March 2017, the White House fired Bharara). He pointed out that the virus “Kuzmin made up for those who do not have advanced computer skills.” “Unlike most [cyber] crimes, Kuzmin’s crime – spread and use of the virus – can not be solved only with the capture of the creator. He sold the Gozi code to others, and it can be used further,” the prosecutor explained.

In May 2011, Kuzmin signed an agreement with the investigation on cooperation and began to testify against his accomplices. After that, Denis Chalovskis was arrested in Riga, and Jonut Paunesku was arrested in Bucharest.

US Trial

Kuzmin was defended by lawyer Alan Futherfas, who also was a lawyer of the son of the President of the United States, Trump Jr. (before that, he defended clients associated with the mafia, and with Trump Jr., he began to cooperate after it became known about Trump’s meeting with Russian lawyer Natalia Veselnitskaya, who allegedly offered him compromise on Hillary Clinton). The case of Kuzmin was being considered for a long time; meetings were regularly postponed.

In prison, Kuzmin had access to the Internet. In 2011, he was able to sell his stake in YouDo; in 2015, he updated a photo on Facebook; two months before the verdict, he left comments on the Roem website. For example, on March 7, 2016, he discussed the presidential administration’s initiative to provide the tax service with information about all purchases of Russians abroad. “It’s a sensation!” – said Kuzmin.

Kuzmin returned to Russia. The verdict was read out to the hacker on May 2, 2016. He was sentenced to 3 years in prison and a fine of 7 million dollars; by that time, he had already spent five years in prison. The prosecution requested a period of two times more, but the court took into account Kuzmin’s cooperation with the investigation.

Their Facebook page of Kuzmin shows now he is engaged in the Binomo trading platform and travels a lot. He was in Vienna, Amsterdam, Kyiv, Abu Dhabi, Sochi, and the Pluthoran Plateau.

Meduza met with Nikita Kuzmin in St. Petersburg, where he lives now. He refused to talk about himself, saying, “it’s not the time.”