SAN FRANCISCO (CN) — A federal judge on Tuesday sentenced convicted Russian hacker Yevgeniy Nikulin to 88 months in prison for stealing more than 100 million user credentials from LinkedIn, Dropbox and Formspring databases in 2012.
“I think you’re a brilliant guy. Very smart. I urge you to apply that brilliance to a lawful profession and do something good with your life other than hacking into computers,” U.S. District Judge William Alsup said after imposing the sentence he believes takes into account the nearly four years Nikulin has spent behind bars awaiting trial, the Covid-19 pandemic and the fact that he will likely never see his mother again.
The 88 months amounts to a little more than seven years behind bars for Nikulin, who will turn 33 next month.
In 2016, he was snatched off the streets of Prague, where he spent two years awaiting extradition to the U.S. to face nine criminal counts of computer intrusion, causing damage to a protected computer, aggravated identity theft, trafficking and conspiracy.
A jury convicted him of all counts in July, but found the government did not present enough evidence to prove that he committed the Dropbox and Formspring hacks for financial gain.
Alsup said Tuesday that he had his doubts about the strength of the government’s case throughout the trial.
“I feel I said things on the record in frustration along the way that may have led the casual observer to think the case was a weak case,” he said. “It’s true that while the evidence was coming in at trial that me, the judge, felt the case was disjointed and possibly too weak to go to the jury. I did have that feeling from time to time.”
But any misgivings he had early on were put to rest during Assistant U.S. Attorney Katherine Wawrzyniak’s closing argument, which Alsup said was one of the best he had heard in 21 years on the federal bench.
“All of the loose pieces and data points fell into place and it was quite clear the government had a strong case, not a weak case,” he said.
He also said the defense did an admirable job, but that Nikulin’s case was hurt, not helped, by going to trial.
Nikulin’s sentence breaks down to 64 months on counts two, six and eight related to trafficking in unauthorized access devices and causing damage to a protected computer, and 60 months for counts one, four, five and seven related to computer intrusion and conspiracy. These will all be served concurrently. He will also serve 24 months for aggravated identity theft.
“I want to impose a sentence that would take into account that the time imposed is harder on him than anyone in his position,” Alsup said, adding that the Covid-19 pandemic has made being in prison harder, along with the experience of awaiting trial in a country where he does not speak English and a judicial system with which he is unfamiliar.
“It’s not quite Kafkaesque because he did the crime, but it is harder on him than it is on the ordinary defendant,” Alsup said.
The judge also seemed particularly affected by the fact that Nikulin has a 10-year-old daughter in Russia and that his mother may not live long enough for him to see her again. His attorney Valery Nechay said Nikulin’s mother has had four spinal surgeries and three strokes in recent years.
“It is very possible she is at the edge of her life and that Mr. Nikulin may never get to see her again. The weight of the guilt and the pain of being separated from these people who love and need him is far more punitive than any term of imprisonment that this court or any other can issue to Mr. Nikulin,” she said, arguing for time served.
Nechay added that the psychological distress Nikulin suffered while being held in two foreign jails is enough to deter him from committing another cybercrime. He longs for walks in the fresh air, raising his daughter, and “having a peaceful life away from computers.”
Alsup was skeptical. “Let’s say Mr. Nikulin were released today and went back to Russia. The only thing he knows how to do is hack into computers. How can we be assured that when he got back there, out of the reach of U.S. authorities, that he wouldn’t go back to doing it all over again?”
Nechay said Nikulin is skilled at vehicle and watch repair and “can have a bright future” in Russia.
Assistant U.S. Attorney Michelle Kane said it is exceedingly difficult to capture Russian hackers, as Russia does not have an extradition treaty with the United States.
“It is so unusual for the United States to be able to get an individual like the defendant into court here. There are many countries from which we cannot extradite defendants. This was a case in which the defendant happened to leave Russia and we were able to have him arrested and extradited,” she said.
“It is incredibly important for the hackers of the world to know that they cannot act with impunity. That the United States economy is not their playground. That we may not catch all of them, but we will catch some of them and when they come here, the punishment is real.”
“I believe there is a substantial risk that he will repeat the crime when he goes back to Russia,” Alsup said. “I think I know enough about him to know that he will be very tempted to get back into the hacking business when he gets over there, then he’ll be beyond the reach of the U.S.”
Alsup also took the severity of Nikulin’s crime into account, noting that millions of people likely lost sleep over their compromised accounts.
“The worry never goes away,” he said. “You never know when someone is going to use the information that got stolen.”
Nechay’s co-counsel Adam Gasner said the companies, particularly LinkedIn, substantially overestimated their financial losses in remediating the attacks. Alsup agreed, saying LinkedIn’s loss calculation was “possibly exaggerated” but that he had no doubt that all three companies suffered significant losses.
He reduced LinkedIn’s restitution from the $2 million requested to $1 million. Dropbox was awarded $514,000 and Formspring $20,000. He also awarded WordPress parent company Automattic $250,000, though Nikulin was not charged for that intrusion.
“The defense stands by its assertion that these loss amounts were not based in fact. LinkedIn is a multi-billion dollar corporate victim who could not provide any documentation to support their claim,” Gasner said in an email to Courthouse News Service. “The court agreed with the defense that LinkedIn’s claim was overstated and lowered the sentencing guidelines as a result. He also then varied below the suggested sentencing guidelines because of the hardships Mr. Nikulin has endured and will continue to face in custody as a Russian National who does not speak English and who has no ties to the United States.”
Gasner said Nikulin will not serve the full 88 months because he will get credit for time served.
“The sentence imposed was 88 months, of which he will serve 85% of that time – meaning he needs to serve 74.8 months of actual custody,” Gasner said. “After deducting the 48 months he has already served, he has 26.8 additional months remaining. So, a little over 2 years before he is returned home. We wish him well.”