Home » Data Protection » Malware/Cybercrime

In Depth

Alexey Ivanov and Vasiliy Gorshkov: Russian Hacker Roulette

Russian hacker Alexey Ivanov was lured to the United States and snared in a high-stakes cyber-sting.

By Art Jahnke

Page 2

The drama of the Seattle sting is the stuff of suspense novels, but the courtroom machinations will more likely appear in law school lectures on international search and seizure. Today, with the smoke cleared, the most significant gain from the Ivanov case may be the legal milestones marked when courts upheld the right of federal agents to seize evidence remotely, and to charge foreign cybercriminals in U.S. courts. But despite those rulings, the case also leaves important cyberlaw questions unanswered—particularly in the area of uniform international rules for Internet search and seizure.

The United States of America v. Alexey V. Ivanov was touted as a major success story in the battle to protect American corporations from the menace of foreign hackers. For their work on the case, FBI agents Marty Prewett and Michael Schuler were awarded the Director's Annual Award for Outstanding Criminal Investigations. Still, most computer security experts understand that busting two reckless Russian hackers won't dent the many billions of dollars lost to cyberbandits operating overseas each year. Technology analyst firm IDC (a sister company of CSO's publisher) estimates that 65 percent of cyberattacks originate overseas; IDC also estimates that in 2003 U.S. corporations spent more than $25 billion to keep hackers out of their databases.

For Alexey Ivanov, the story of his hacking, his crimes, his arrest and his release from prison ends in a place that he finds perfectly satisfactory. His goal, he says, had long been to come to the United States. And now he is here, living and working in New England. Ivanov says he started his U.S. job search in April 1999. He did it the way any sensible hacker living on the other side of the world would do it. "I went to Dice.com and downloaded a database from a job-seeking server," he says. "It was easy. I wrote some scripts, and in a few hours I was sending my resume to 5,000 jobs."

Several prospective employers responded to his inquiries, he says, but none was willing to sponsor an unknown job candidate from Russia. "After that I decided to go a little bit the other way," he says. "I thought, Why don't I convince people about my skills, and in order for me to convince them, I have to demonstrate them. This is how I came up with the idea of hacking into companies."

Ivanov had good reason to think that such a tactic would pay off. Two years earlier, in December of 1997, he and a friend had hacked into the servers of a local Internet service provider and downloaded a database of user names and passwords. "When I notified the company," says Ivanov, "they offered me a job."