Russian Gets 7-Year Sentence for Hacking LinkedIn, DropboxProsecutors Say He Stole Millions of Credentials
Yevgeniy Aleksandrovich Nikulin, a 33-year-old Russian national who was found guilty of hacking LinkedIn and Dropbox and stealing millions of user credentials, has been sentenced to more than seven years in federal prison, according to the U.S. Justice Department .
In July, a federal jury found Nikulin guilty of nine criminal counts, including computer intrusion, causing damage to a protected computer, aggravated identity theft, conspiracy and trafficking in stolen access devices, according to the U.S. Attorney's Office for the Northern District of California, which oversaw the case (see: Russian Found Guilty of Hacking LinkedIn, Dropbox).
The Justice Department filed papers with the court before Tuesday's sentencing hearing, asking for a sentence of more than 12 years.
In their arguments before Judge William Alsup, Nikulin's attorneys asked for a sentence of time served, which would allow him to immediately return to Russia, according to court documents.
Instead, Alsup sentenced Nikulin to 88 months in federal prison. He'll have to serve at least 85% of that sentence, says Adam Gasner, a defense attorney in the case. Because Nukulin has already been in custody for four years, he will likely serve about 27 more months in federal prison before he's released, Gasner says.
The judge also ordered that Nikulin pay LinkedIn $1 million in restitution and ordered that he pay Dropbox $514,000 and Formspring $20,000, according to Courthouse News Service.
The trial, which began in March, was delayed as the COVID-19 pandemic surged. It resumed on July 7, when new precautions were taken, including having participants wear masks and witnesses testify from behind a glass panel. After six hours of deliberation, Nikulin was found guilty by the jury, according to court papers.
Nikulin, who went by multiple online names including "Chinabig01," "dex.007," "valeri.krutov3" and "itBlackHat," was accused by the Justice Department of hacking LinkedIn and Dropbox in 2012 and the now-defunct Formspring site in 2013.
In 2016, LinkedIn acknowledged that 117 million user credentials may have been stolen during the 2012 breach (see: LinkedIn Breach: Worse Than Advertised).
Prosecutors and law enforcement agencies accused Nikulin of stealing credentials belonging to LinkedIn and Formspring employees and then, along with several unnamed co-conspirators, offering them for sale on underground sites (see: Russian Indicted for Breach of Three Silicon Valley Companies).
During the trial, witnesses described how Nikulin infected the device of a LinkedIn employee with malware to gain greater access to the company's network. Once he had gained access to LinkedIn's internal network, Nikulin used data stolen to target other companies, such as Dropbox, with phishing emails, according to the Justice Department.
In 2016, police in Prague arrested Nikulin. He remained in Czech custody for two years, where he was the focus of competing extradition requests from Washington and Moscow (see: LinkedIn Breach: Russian Suspect Extradited to US).
In 2018, a Czech court ruled that Nikulin could be extradited to the U.S. to face federal charges. Since that time, he has remained in federal custody, according to court documents.
Sizing Up Damages
Before Tuesday's sentencing, federal prosecutors and defense attorneys argued about how much damage Nikulin's hacking caused to the victim companies.
The Justice Department estimated that hacking caused about $2 million in damage to LinkedIn's internal network and systems. The company took six weeks to fully recover from the incident, which included over 100 employees working to make fixes, prosecutors say.
Prosecutors also argued that Nikulin's hacking endangered millions of LinkedIn users and others by exposing their personal information, according to the court documents.
"His conduct left millions of users vulnerable to further crimes by the people with whom defendant shared their personal information," prosecutors argued. "Special Agent [Jeffrey] Miller testified about the uses for stolen data, including accessing bank accounts, hacking email accounts, and spam advertising."
Nikulin's attorneys countered that LinkedIn and other companies that were hacked never proved that their infrastructures sustained the amount of damage that prosecutors claimed they did.