Alexey Ivanov and Vasiliy Gorshkov: Russian Hacker Roulette

Russian hacker Alexey Ivanov was lured to the United States and snared in a high-stakes cyber-sting.

Alexey Ivanov's job interview didn't go as well as he'd hoped.

Ivanov, then a 20-year-old computer programmer from Chelyabinsk, Russia, had flown to Seattle in November 2000 to apply for a job with a company called Invita Security. To the young Russian, Invita promised the dream job. The company was clearly entrepreneurial—entrepreneurial enough to seek out the services of this skilled hacker who worked in an abandoned factory halfway around the world. They even promised to pay his airfare and to pick him up at the Seattle airport. At Ivanov's suggestion, the company encouraged him to bring along a fellow programmer, Vasiliy Gorshkov. When the two Russians arrived, their Invita hosts explained what they were looking for: a few good hackers who could break into the networks of potential customers as part of an effort to persuade those companies to hire Invita to keep hackers out. Ivanov was familiar with the tactic.

As Ivanov, Gorshkov and two American business types sat at a table in a Seattle office, Gorshkov regaled the interviewers with tales of his hacking exploits, and Ivanov allowed himself to dream of a better life. He was exhausted: The trip from Chelyabinsk had taken nearly 48 hours, and he had not waited to arrive to start celebrating his good fortune. The interviewers asked their guests to demonstrate some of their skills, and the two Russians took turns logging in to their own network back in Chelyabinsk. Ivanov knew that he and Gorshkov were good, so when his hosts appeared to be impressed, Ivanov was not surprised.

The big surprise would come later, when the two Russians were being driven to their lodgings. The car stopped suddenly; the doors flew open, and Ivanov heard someone say: "FBI. Get out of the car with your hands behind your back."

It was then that he remembered something he had heard about America: It was the kind of place where anything could happen.

Ivanov and Gorshkov were charged with conspiracy, computer fraud, hacking and extortion.Gorshkov was jailed in Seattle, where his incriminating boasting took place. Ivanov was flown east, to Connecticut, to be tried in the home state of the Online Information Bureau—one of several companies whose servers he had breached.

The federal agents who arrested the Russians brandished a short catalog of cybercrime allegations. They claimed that the Russians had tried to extort money from scores of U.S. companies, including Central National Bank of Waco, Texas; Nara Bank N.A. of Los Angeles; and a Seattle-based ISP called Speakeasy. As it turned out, most of the allegations were right on the money. Ivanov and Gorshkov had, among other things, tapped a database of an estimated 50,000 credit cards, and they were making good use of some of them. Gorshkov would be found guilty of all four crimes, sentenced to three years in jail and ordered to pay $692,000 in restitution. He has since returned to Russia. Ivanov would eventually admit to hacking into 16 companies. He served three years and eight months in jail and owes more than $800,000 in restitution.

The drama of the Seattle sting is the stuff of suspense novels, but the courtroom machinations will more likely appear in law school lectures on international search and seizure. Today, with the smoke cleared, the most significant gain from the Ivanov case may be the legal milestones marked when courts upheld the right of federal agents to seize evidence remotely, and to charge foreign cybercriminals in U.S. courts. But despite those rulings, the case also leaves important cyberlaw questions unanswered—particularly in the area of uniform international rules for Internet search and seizure.

The United States of America v. Alexey V. Ivanov was touted as a major success story in the battle to protect American corporations from the menace of foreign hackers. For their work on the case, FBI agents Marty Prewett and Michael Schuler were awarded the Director's Annual Award for Outstanding Criminal Investigations. Still, most computer security experts understand that busting two reckless Russian hackers won't dent the many billions of dollars lost to cyberbandits operating overseas each year. Technology analyst firm IDC (a sister company of CSO's publisher) estimates that 65 percent of cyberattacks originate overseas; IDC also estimates that in 2003 U.S. corporations spent more than $25 billion to keep hackers out of their databases.

For Alexey Ivanov, the story of his hacking, his crimes, his arrest and his release from prison ends in a place that he finds perfectly satisfactory. His goal, he says, had long been to come to the United States. And now he is here, living and working in New England. Ivanov says he started his U.S. job search in April 1999. He did it the way any sensible hacker living on the other side of the world would do it. "I went to Dice.com and downloaded a database from a job-seeking server," he says. "It was easy. I wrote some scripts, and in a few hours I was sending my resume to 5,000 jobs."

Several prospective employers responded to his inquiries, he says, but none was willing to sponsor an unknown job candidate from Russia. "After that I decided to go a little bit the other way," he says. "I thought, Why don't I convince people about my skills, and in order for me to convince them, I have to demonstrate them. This is how I came up with the idea of hacking into companies."

Ivanov had good reason to think that such a tactic would pay off. Two years earlier, in December of 1997, he and a friend had hacked into the servers of a local Internet service provider and downloaded a database of user names and passwords. "When I notified the company," says Ivanov, "they offered me a job."

But that job, he says, paid poorly—only about $75 a month—and he eventually joined a group of hackers who shared an appreciation for more entrepreneurial challenges. There, at a company called tech.net.ru, Ivanov learned the practice of "carding"—buying goods online with stolen credit cards.

At first, he says, it was books and CDs, ordered online from Amazon.com or Barnesandnoble.com. To avoid suspicion, the group would have the goods mailed to cities in neighboring Kazakhstan, where they would hire young women to receive the packages. Ivanov and others would travel to the distant cities, pick up the goods, and take them to Chelyabinsk. There, much of the merchandise found its way to legitimate shops, where the CDs were prized. The quality of the recordings was far superior to the shops' other CDs, which had been pirated in Bulgaria.

"At first, all of the activities at tech.net.ru were illegal," he says. "Then we came up with the idea that we would look less suspicious if we established some legal business, so we started designing webpages."

They also started hacking into any sites that looked vulnerable. For the Russians, each hack presented a new challenge and, in most cases, a new victory. Some of those victories paid off in cash, and all of them offered the satisfaction of winning. They were beating a system, and they were outsmarting the smartest security guys in the country that considered itself technologically superior to all others. For a hacker, there was nothing better.

PayPal provided the Russians with one of their more satisfying conquests, if not one of the more lucrative. Ivanov claims to have masterminded the PayPal scam. The first step, he says, involved placing scripts on eBay that collected the e-mail addresses of PayPal customers. Then, using the domain name "PayPaI," with an uppercase "I" instead of a lowercase "L," Ivanov set up a mirror site that was a replica of PayPal. Ivanov and his cohorts then sent e-mails to PayPal customers, offering them a gift of $50, for which they had only to enter their passwords on the bogus site. The scammers simply sat back and collected the password harvest.

"We weren't really malicious," he says. "We could have sent it to thousands of people, but we only sent it to 150. We got about 120 passwords. We did that mainly for fun."

Despite its limited application, the PayPal scam provided proof of concept and emboldened Ivanov and his group to set their sights on a higher prize.

After shopping on eBay for more than a year, the hackers were convinced that the sellers of more expensive items would not deal with unknown buyers living on the other side of the world. And they wanted to buy more expensive items. "We were buying things for a shallow five hundred bucks," says Ivanov. "We wanted to get up to like five thousand bucks."

It so happened that eBay had a function that would help them do that. The site's "rate the buyer" feature could reassure sellers that the Russians were trustworthy. All they had to do was get inside and manipulate the numbers. (Hani Durzy, an eBay spokesman, says that while it may now be possible for hackers to manipulate such interactive features, that won't be the case for long. Durzy says the company is developing technology that will identify the kind of malicious code used in such hacks.)

For Ivanov and his fellow hackers, the summer and fall of 2000 was a time of plenty. A promising revenue stream had begun to flow from their freelance security services. The business model was simple and hardly unique. Ivanov and his cohorts would hack into supposedly secure networks in the United States, inform the network administrators of the hack, and offer to fix the networks' vulnerabilities for a price. Ivanov says he persuaded three companies that he could help them patch vulnerabilities in their networks. He did this, he says, and they paid him cash, from $80 to $4,000. One of those companies, the Seattle-based CTS, also gave Ivanov storage space on its servers. Ivanov says a fourth company promised to pay but did not. That company, he says, later suffered from the destruction of data.

Ivanov was also working on a way to transfer money from one bank to another and had recently cracked the security of an online casino. The hackers were working hard, up to 16 hours a day, he says. But it was paying off. In a six-month period, says Ivanov, they scammed $150,000. It was a very exciting time, he says. The Internet had delivered to him, in a polluted factory city in the Ural Mountains, the promise of both untold riches and untold challenges. Ivanov wasn't sure which he liked best.

At the same time, he was wrestling with a major personal decision. In June of 2000, he had received an e-mail from a company in Seattle. The company had challenged him to hack into its site. When Ivanov did that, the strangers asked if he would consider relocating to Seattle. The company said it was in the market for "security talent," a deliberately vague phrase that could easily be read to mean "hacker." Ivanov appeared to have the kind of talent they were after.

He knew that in the long run, the Seattle job could be even more rewarding than his eBay "rate the buyer" scam. So in November, with the eBay function not quite ready to go, he said good-bye to his family and boarded a plane for Seattle. Once he was in his seat, he says, he started ordering drinks. He was pleased to be bound for a new life in a new country with a new job for a company with the curious name of Invita Security.

When FBI agents, posing as Invita employees, watched Ivanov and Gorshkov demonstrate their skills, they were learning more than the two Russians knew. The agents had placed a "sniffer" on the computer keyboard, and as the Russians typed the user names and passwords needed to get into the network of tech.net.ru, the device recorded the keystrokes. With that knowledge, the FBI was able to download some 2,700MB of data to be used as evidence.

The agents had a very good idea of what they were looking for. The FBI had been contacted by several companies that believed they had been targeted by something called the Expert Group of Protection Against Hackers. The organization, made up of dozens of hackers in several Russian cities, operated the same way Ivanov did, exploiting a vulnerability in Microsoft NT server software to break into the networks of U.S. corporations. At first, the feds believed that Ivanov and Gorshkov were part of the group, and that they might be working with the Russian mob; the government has since backed off those allegations.

The FBI's download, the cornerstone of the government's case against the hackers, did not go unchallenged into the federal courts, or, for that matter, into the annals of U.S.-Russian relations. When the FBI broke into the Russian computers, they did so without two important sanctions: One was the permission or cooperation of Russian authorities; the other was a search warrant, which was not acquired until three weeks after the download. Whether the Justice Department attempted to coordinate the investigation with Russian authorities remains a subject of dispute. Federal agents have testified that they attempted to work with Russian authorities, but that their communications went unanswered. The Russians say there was no such effort and claim the download violated a 1997 agreement among G-8 nations that mandates "investigation and prosecution of international high-tech crimes must be coordinated among all concerned states, regardless of where harm has occurred." Russian authorities have reportedly issued arrest warrants for the agents involved.

Once it entered the federal court system, the case against Vasiliy Gorshkov moved quickly to conclusion. Gorshkov was tried in Washington state, where U.S. District Judge John C. Coughenour was unreceptive to arguments that the FBI overstepped its search and seizure authority. In Coughenour's opinion, the data on computer drives in Chelyabinsk was not protected by the Fourth Amendment. The decision meant that federal agents had the right to break into computers in other national jurisdictions, as long as it was for purposes of law enforcement. It also meant that Gorshkov had little hope of beating the rap. And he didn't.

Ivanov's legal journey would follow a different path. Because one of the companies he offered to "help" was based in Connecticut, his case was moved to Hartford. A veteran defense attorney named C. Thomas Furniss was appointed to represent Ivanov. Furniss brought on board a young lawyer and former technology worker named Morgan Rueckert. Rueckert was intrigued by the case, which he suspected would test some of the nascent limits of cyberlaw.

"This was the first case in which the government used methods like these," explains Rueckert. "They set up a fake company and then solicited a job application. They used that method to bypass what you could call a deficiency in extradition agreements."

Rueckert believes that the warrantless search of Ivanov's computer in Russia was also a first. In defending that search, prosecutors claimed that if they had not acted swiftlymore swiftly than the time it would take to get a warrantthe incriminating data would have been destroyed. While that may be true, says Rueckert, the government also failed to get a warrant when it asked CTS to hand over the data that Ivanov had stored on its servers.

"In that instance," says Rueckert, "the government may have violated the Electronic Communications Privacy Act."

While Rueckert examined the privacy issues, defense lawyer Furniss fixed on a larger target. His first motion was to dismiss on the grounds that the government lacked jurisdiction. The question is, says Furniss, "Does Congress intend the criminal statute...to be applied extraterritorially? It's an interesting question and some of the law in this area goes back to the 1700s, when pirates were attacking U.S. ships. In fact, as I read them, the Computer Crime statutes before 1996 really could not be said to reflect that intent, but there have been some amendments."

Curtis Karnow, a partner at the law firm of Sonnenschein Nath & Rosenthal and an expert on extraterritorial jurisdiction, says Furniss's motion was a good one, a sensible tactic that is often tried but never works. As it turned out, it didn't work with U.S. District Judge Alvin Thompson either. And it didn't much matter, once the prosecution pointed out that Ivanov had, for some of his exploits, used at least one proxy server located in the United States. It was all Judge Thompson needed to hear. For this case at least, the defendant had effectively perpetrated criminal acts within the United States. That ruling, along with several other issues (such as the prospect of four more trials in other jurisdictions), persuaded Ivanov and his legal team that a guilty plea would be the best way out.

Rueckert agrees that a plea was a good choice for his client, even if it did leave unresolved some important issues of privacy, cyberlaw and the modus operandi of law enforcement. "Number one," he says, "is about the way the government got data from CTS. The issue there is the individual's expectation of privacy concerning data that is stored remotely. What process should the government have to obtain access to this kind of data? Secondly, should the government be required to obtain a search warrant, and should the defendant be given legal protections? What kind of notice should the government give? There is also the issue of the method the government used to [ensnare Ivanov]. I think that the method they used offended a lot of people outside the United States. All of these issues are important."

As significant as those legal issues are, Rueckert admits that for him, the most captivating aspects of cybercrime are psychological. "The thing that fascinated me here," he says, "was that in Internet crimes you can have a kid, basically, sitting in his basement halfway around the world, and with the click of a mouse, he can cause incredible concern, fear and economic damage all across the country. And the person who is doing it doesn't really see the results. It can be very easy for someone like that to view what they're doing as a game."

Alexey Ivanov doesn't disagree. Hacking was a challenge, and challenges are always fun. It was also, in a strange and roundabout way, a means to what Ivanov says is a happy ending.

Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies