Home » Data Protection » Malware/Cybercrime

In Depth

Alexey Ivanov and Vasiliy Gorshkov: Russian Hacker Roulette

Russian hacker Alexey Ivanov was lured to the United States and snared in a high-stakes cyber-sting.

By Art Jahnke

Page 4

After shopping on eBay for more than a year, the hackers were convinced that the sellers of more expensive items would not deal with unknown buyers living on the other side of the world. And they wanted to buy more expensive items. "We were buying things for a shallow five hundred bucks," says Ivanov. "We wanted to get up to like five thousand bucks."

It so happened that eBay had a function that would help them do that. The site's "rate the buyer" feature could reassure sellers that the Russians were trustworthy. All they had to do was get inside and manipulate the numbers. (Hani Durzy, an eBay spokesman, says that while it may now be possible for hackers to manipulate such interactive features, that won't be the case for long. Durzy says the company is developing technology that will identify the kind of malicious code used in such hacks.)

For Ivanov and his fellow hackers, the summer and fall of 2000 was a time of plenty. A promising revenue stream had begun to flow from their freelance security services. The business model was simple and hardly unique. Ivanov and his cohorts would hack into supposedly secure networks in the United States, inform the network administrators of the hack, and offer to fix the networks' vulnerabilities for a price. Ivanov says he persuaded three companies that he could help them patch vulnerabilities in their networks. He did this, he says, and they paid him cash, from $80 to $4,000. One of those companies, the Seattle-based CTS, also gave Ivanov storage space on its servers. Ivanov says a fourth company promised to pay but did not. That company, he says, later suffered from the destruction of data.

Ivanov was also working on a way to transfer money from one bank to another and had recently cracked the security of an online casino. The hackers were working hard, up to 16 hours a day, he says. But it was paying off. In a six-month period, says Ivanov, they scammed $150,000. It was a very exciting time, he says. The Internet had delivered to him, in a polluted factory city in the Ural Mountains, the promise of both untold riches and untold challenges. Ivanov wasn't sure which he liked best.

At the same time, he was wrestling with a major personal decision. In June of 2000, he had received an e-mail from a company in Seattle. The company had challenged him to hack into its site. When Ivanov did that, the strangers asked if he would consider relocating to Seattle. The company said it was in the market for "security talent," a deliberately vague phrase that could easily be read to mean "hacker." Ivanov appeared to have the kind of talent they were after.