Agents from the FBI and the U.S. Secret Service showed up in Moscow in May 2009 with a specific mission: to nab one of the world’s most notorious hackers. But to do that, the Americans needed Russia’s help.
They turned to the Federal Security Service (FSB), the country’s main intelligence agency, and shared operational information with officers from its computer-crimes unit, the Center for Information Security.
The hacker, Roman Seleznyov, shut down his operations a month later in a move prompted, the U.S. believes, by a leak from the FSB. The credit-card fraudster, it turns out, had bragged in conversations intercepted a year earlier about his protection from the computer-crimes unit.
The incident, detailed in the legal filings that resulted in a U.S. federal court recently sentencing Seleznyov to 27 years in prison, exposes an unintended consequence of Washington’s cybercrime cooperation with Russia: the United States finds itself indicting some of the top-level Russian security officials it worked with.
At least one of those officials is a former hacker who worked with the FSB — an agency accused of involvement in the hacking of U.S. political parties’ computers in the run-up to the 2016 presidential election.
Adding to the confusion is the fact that one of those very FSB officers has himself been charged in Russia with high treason.
In short, the Russians were recruiting hackers while the Americans sought to work with the FSB to thwart cybercriminals. Now the Americans are indicting — and in Seleznyov’s case, sentencing — hackers tied in some way to the FSB. The Russians, meanwhile, are charging some of those same individuals with treason.
“Russia sees those who cooperated as traitors,” explained Pavel Vrublevsky, a prominent e-payment entrepreneur who was imprisoned in Russia for ordering a cyberattack against a competitor. “Now America sees the very same people as cybercriminals themselves.”
Seleznyov is not the first Russian to have been caught up in a widening U.S. dragnet that has snagged cybercriminals from around the world. Others include Aleksandr Panin, convicted in a federal court in Atlanta in 2016 for creating a computer program that infected millions of computers and drained bank accounts in multiple countries.
WATCH: Czech Police Arrest Yevgeny Nikulin In Prague
There’s also Yevgeny Nikulin, who has sat in a Czech jail following his October arrest while Moscow and Washington both fight for his extradition. And the same day that Seleznyov was sentenced, U.S. prosecutors announced the indictment of another Russian, Pyotr Levashov, arrested in Spain, accusing him of masterminding a “bot net” of infected computers to steal money from bank accounts.
Seleznyov, the son of a Russian lawmaker, raked in $170 million selling stolen credit-card information online beginning in 2007, according to U.S. officials. By 2009, his operation was one of the largest providers of such stolen data in the world.
The determination that Seleznyov was behind the scheme was what led U.S. investigators to seek the FSB’s help in 2009, according to material submitted by prosecutors in a U.S. federal court.
In Moscow, they met with officials from the agency’s Center for Information Security, including deputy chief Sergei Mikhailov and his subordinate, Dmitry Dokuchayev, current and former U.S. officials with knowledge of the case told RFE/RL.
Unfortunately for the Americans, news of the meetings apparently leaked. Seleznyov shut down his so-called carding operations a month later.
As U.S. prosecutors noted in court documents, Seleznyov had been recorded telling a colleague in 2008 that he had “obtained protection through the law-enforcement contacts in the computer-crimes squad of the FSB.”
Seleznyov eventually resurfaced using a different alias, but was indicted by a federal grand jury in 2011 and arrested by U.S. agents while vacationing in the Maldives in 2014. A federal jury convicted him on 38 counts in 2016, and he was sentenced on April 21 to 27 years in prison.
“Never before has a criminal engaged in computer fraud of this magnitude been identified, captured, and convicted by an American jury,” prosecutors wrote in their court filings.
In from the cold
The 2009 Moscow discussion was just one of many between U.S. and Russian officials as they sought to work together in investigating international computer crimes.
The effort was largely ad hoc, and U.S. officials sought over the following years to a build a more formal arrangement, according to David Hickton, a former U.S. prosecutor involved in several high-profile criminal investigations of alleged Russian hackers.
They include the 2014 indictment of Yevgeny Bogachev, who is accused by the FBI of helping to build a network of infected computers around the world using software known as GameOver ZeuS, and using it to steal money from online bank accounts.
Competing legal systems, differences of opinion, and distrust proved to be formidable obstacles to cooperation.
“They tried to develop a dialogue that would lead to cybernorms and some understanding of [what the] rules of the road would be and how we would navigate our adversarial relationship,” Hickton said of the Russians. “And that broke down.”
Luke Dembosky, who was the resident legal adviser for the Justice Department in Moscow between 2010 and 2013, told RFE/RL that “it was never easy working these kinds of cases with Russia. There were different systems, different laws, different interests.”
To really make an international cybercase work, Dembosky explained, “you need some alignment of interests and political will, and you need some commonality of law and capabilities.”
More than anything, he said, “you need some modicum of trust.”
A troubled relationship
As U.S.-Russian cooperation stumbled, the FSB’s computer-crimes unit was growing in clout and notoriety, thanks in part to one officer’s previous work as a hacker.
Dokuchayev, with whom the Americans met with during their 2009 meetings in Moscow, was once well-known in cybercircles under the nickname Forb.
He worked with other FSB officers, including one named Igor Sushchin, to recruit hackers to cooperate with the Russian agency on cyberactivities. Among the recruits was Aleksei Belan, who has been wanted by the FBI since 2012 for alleged hacking and computer fraud.
Officials from the FSB’s Center for Information Security were also involved in the investigation of IT entrepreneur Vrublevsky, the founder of a successful online payment system called ChronoPay.
He was convicted in 2013 of orchestrating an attack on a ticketing system used by the airline Aeroflot. Mikhailov, Dokuchayev’s superior in the computer-crimes unit, testified against Vrublevsky during the trial.
U.S. intelligence officials have concluded that the hackers who broke into email accounts and computer servers belonging to the Democratic and Republican parties during last year’s election campaign did so with authorization from top-level Russian officials.
The declassified summary of a report released on behalf of the intelligence community in January pointed the finger at the FSB’s security rival, the military intelligence agency known as GRU. There was no mention of the FSB, or its computer-crimes unit.
But the previous month, then-President Barack Obama announced new economic sanctions and other punitive measures in response to alleged Russian hacking during the U.S. election campaign.
The list of those targeted included both the GRU and the FSB, as well as Belan and Bogachev.
Just prior to Obama’s announcement, Russian security officials moved to arrest FSB computer-crimes unit officers Mikhailov and Dokuchayev. That news became public when the Russian newspapers Kommersant and Novaya Gazeta reported in January that the two had been charged with high treason for giving classified information to Western intelligence, including possibly the CIA.
In a dramatic twist, according to Kommersant, Mikhailov was detained during an FSB meeting and taken from the room with a bag over his head.
There has been no comment on Mikhailov’s or Dokuchayev’s arrests from the FSB or Russian prosecutors; the only confirmation of their incarceration came from the lawyer for another computer expert also caught up in the arrests.
The U.S. Justice Department did not respond to a phone message or e-mail seeking comment.
In March, Dokuchayev’s name surfaced again when the U.S. Justice Department announced his indictment, and that of FSB officer Sushchin, in connection with the massive data breach at the Internet company Yahoo. Mikhailov’s name does not appear in the indictments, although cyberexperts believe someone identified only as “FSB Officer 3” is, in fact, Mikhailov.
Sushchin, according to the indictment, worked as an undercover officer at the investment bank Renaissance Capital.
That indictment also named Belan, who U.S. officials said could have been arrested by the FSB at the behest of the FBI any time after being named a top wanted cybercriminal in 2012.
Instead, “the FSB officers used him,” according to the indictment. “They also provided him with sensitive FSB law-enforcement and intelligence information that would have helped him avoid detection by law enforcement, including information regarding FSB investigations of computer hacking and FSB techniques for identifying criminal hackers.”
First and foremost, the arrests and criminal charges in both Russia and the United States highlight what experts say is the blurry line between Russian law-enforcement and security agencies and criminal networks, in cybercrime or otherwise.
“Moscow still depends, to a considerable extent, on recruiting cybercriminals, or simply calling on them from time to time, in return for their continued freedom,” Mark Galeotti, a Prague-based expert on Russian intelligence agencies, wrote in a report published on April 18.
It’s a gray zone that poses substantial danger for Russia itself, according to one of the other Russians charged with treason stemming from the December arrests: Ruslan Stoyanov, a former Interior Ministry investigator.
In a letter published by the Dozhd TV channel, Stoyanov, who worked for the Moscow-based computer security company Kaspersky Lab, warned that cooperating with cybercriminals would only embolden them.
“The worst scenario would be to give cybercriminals immunity from punishment for stealing money in other countries in exchange for intelligence. If this happens, an entire layer of ‘patriotic thieves’ will appear, violating the principles of the rule of law and the inevitability of punishment,” he wrote. “We will see a new wave of crime in Russia.”
Former U.S. prosecutor Hickton, who now heads the University of Pittsburgh Institute for Cyber Law, Policy and Security, said Russia could have easily arrested Bogachev after he was indicted in 2014 but there is no extradition treaty between the two countries.
Moreover, according to the research firm Fox-IT, the infected computers believed to have been used by Bogachev were also allegedly used to search for information about top-secret government files in places such as Ukraine, Georgia, and Turkey. That suggests the involvement of someone who was more than a mere criminal hacker — perhaps an operative working on behalf of an intelligence agency.
But the arrests also represent another facet of the collapsed relationship between Moscow and Washington.
Hickton said the Bogachev indictment may have been one factor in why U.S.-Russian cooperation in cybercrimes deteriorated. Or it may have merely been a casualty of other points of conflict between Washington and Moscow, such as Russia’s seizure of Ukraine’s Crimean Peninsula and support for separatists in Ukraine’s east.
“This all — this all is a mess,” Vrublevsky told RFE/RL. “And it’s a mess to be dealt with in both countries. The sooner the better.”