Home » Data Protection » Malware/Cybercrime

In Depth

Alexey Ivanov and Vasiliy Gorshkov: Russian Hacker Roulette

Russian hacker Alexey Ivanov was lured to the United States and snared in a high-stakes cyber-sting.

By Art Jahnke

Page 6

Once it entered the federal court system, the case against Vasiliy Gorshkov moved quickly to conclusion. Gorshkov was tried in Washington state, where U.S. District Judge John C. Coughenour was unreceptive to arguments that the FBI overstepped its search and seizure authority. In Coughenour's opinion, the data on computer drives in Chelyabinsk was not protected by the Fourth Amendment. The decision meant that federal agents had the right to break into computers in other national jurisdictions, as long as it was for purposes of law enforcement. It also meant that Gorshkov had little hope of beating the rap. And he didn't.

Ivanov's legal journey would follow a different path. Because one of the companies he offered to "help" was based in Connecticut, his case was moved to Hartford. A veteran defense attorney named C. Thomas Furniss was appointed to represent Ivanov. Furniss brought on board a young lawyer and former technology worker named Morgan Rueckert. Rueckert was intrigued by the case, which he suspected would test some of the nascent limits of cyberlaw.

"This was the first case in which the government used methods like these," explains Rueckert. "They set up a fake company and then solicited a job application. They used that method to bypass what you could call a deficiency in extradition agreements."

Rueckert believes that the warrantless search of Ivanov's computer in Russia was also a first. In defending that search, prosecutors claimed that if they had not acted swiftlymore swiftly than the time it would take to get a warrantthe incriminating data would have been destroyed. While that may be true, says Rueckert, the government also failed to get a warrant when it asked CTS to hand over the data that Ivanov had stored on its servers.

"In that instance," says Rueckert, "the government may have violated the Electronic Communications Privacy Act."

While Rueckert examined the privacy issues, defense lawyer Furniss fixed on a larger target. His first motion was to dismiss on the grounds that the government lacked jurisdiction. The question is, says Furniss, "Does Congress intend the criminal statute...to be applied extraterritorially? It's an interesting question and some of the law in this area goes back to the 1700s, when pirates were attacking U.S. ships. In fact, as I read them, the Computer Crime statutes before 1996 really could not be said to reflect that intent, but there have been some amendments."

Curtis Karnow, a partner at the law firm of Sonnenschein Nath & Rosenthal and an expert on extraterritorial jurisdiction, says Furniss's motion was a good one, a sensible tactic that is often tried but never works. As it turned out, it didn't work with U.S. District Judge Alvin Thompson either. And it didn't much matter, once the prosecution pointed out that Ivanov had, for some of his exploits, used at least one proxy server located in the United States. It was all Judge Thompson needed to hear. For this case at least, the defendant had effectively perpetrated criminal acts within the United States. That ruling, along with several other issues (such as the prospect of four more trials in other jurisdictions), persuaded Ivanov and his legal team that a guilty plea would be the best way out.