When Russia Helped the U.S. Nab Cybercriminals

The U.S. has repeatedly protested Russia's failure to crack down on ransomware attacks emanating from within its borders. But there was a time when Russia helped the U.S. nab cybercriminals.

When Russia Helped the U.S. Nab Cybercriminals
Dmitry Ivanovich Golubov — one of the godfathers of East European carding rings, who was arrested by Ukrainian authorities in 2005, only to be released after two Ukrainian politicians intervened on his behalf. (Photo: courtesy of U.S. government)

It was July 1994 when the FBI learned about the world’s first digital bank robbery.

Vladimir Levin, a 30-year-old system administrator for a St. Petersburg software company, obtained access to Citibank’s cash-management system — used by corporate customers to wire money around the world. Over many months Levin and  cohorts initiated some 40 wire transfers of nearly $11 million out of Citibank customer accounts and into bank accounts controlled by accomplices in Finland, Germany, Israel, The Netherlands and the U.S.

Authorities froze the receiving accounts after the first $400,000 disappeared and arrested some of Levin’s accomplices as they tried to withdraw funds from banks in San Francisco and elsewhere. But how to get Levin when he resided in Russia?

It was three years after the Soviet Union’s collapse, and the U.S. and the Russian Federation had recently signed a historic cooperation agreement to enable coordination of criminal and terrorism investigations. But the two countries didn’t have an extradition agreement, and Russia’s constitution prevented authorities from sending Russian citizens to other countries for prosecution.

So the FBI bided its time collecting evidence, and in March 1995 agents caught a break. Levin passed through London on his way to a computer fair in Rotterdam, and Scotland Yard nabbed him at the airport on behalf of the U.S. Levin was extradited to New York, where he pleaded guilty and was sentenced to three years in prison.

Media outlets and an FBI account of the case reported that the bureau had lured Levin to London to make the arrest. But Steven Garfinkel, a former FBI agent in New York who worked the case, told Zero Day that Russian police actually tipped off the FBI to Levin’s travel plans. Russian authorities in fact helped the FBI make their case against Levin with a level of cooperation that seems unthinkable today.

“The Russian police had seized a whole bunch of computers [used for the crimes], and we went over there and imaged one … and found … smoking-gun evidence,” says Garfinkel. “[I]t was kind of the key to the whole case.”

The aid from the former Soviet bloc was extraordinary, says Garfinkel, who also described an unorthodox interview he was granted with an informant in the case.

“The building … had doors that were like 12 feet high, and … one swinging 40-watt lightbulb and a couple of chairs [in the interrogation room],” Garfinkel recalls. “The doors fly open and … these two goons threw [the informant] in like an airplane, and he lands in front of us.”

This year in the wake of unprecedented ransomware attacks against critical infrastructure that have threatened public safety and national security, the U.S. has accused Russia of enabling, if not directing, the activity and using cybercrime as an instrument of statecraft. President Biden has called on Putin to curb the criminal gangs behind the operations. But ransomware operations tied to Russian groups have continued, and U.S. government officials have expressed doubt that Russia will ever take concrete steps to halt it. Russian authorities, for example, have apparently made no effort to arrest figures like Yevgeniy Polyanin, a 28-year-old Russian wanted by the FBI for allegedly conducting ransomware attacks in connection with the REvil/Sodinokibi ransomware gang. The Daily Mail recently traced Polyanin to a $380,000 house in Siberia where he apparently lives unmolested by Russian police.

With Russian-U.S. relations so low, it’s hard to remember there was once a time when the two countries worked closely to track cybercriminals, and Russian authorities even slipped the U.S. critical evidence to help convict Russian citizens.

“You go back to Moonlight Maze in the late 90s [an extensive investigation into breaches of U.S. military and government networks that was traced to Russia], you had delegations [of U.S. law enforcement] coming over to Russia during the best of times … and we were all drinking buddies. People on that side generally wanted to help out," says Dmitri Alperovitch, the Russian-born co-founder and former CTO of the American computer security firm CrowdStrike.

Over the years, however, cooperation shifted with the political winds and was frequently thwarted by corruption within Russian agencies. And as Russian hackers were increasingly recruited or coerced into conducting operations for the government, Russian police found themselves facing a dilemma.

The problem was “not only that we were asking [Russia] for help, which they became less and less interested in providing, but we also started asking about [hackers] that were working with Russian intelligence,” says Alperovitch, now founder of the Silverado Policy Accelerator and the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins University.

When the FBI Came to Moscow

It was July 1994 when FBI Director Louis Freeh, following the collapse of the Soviet Union, made a historic visit to Moscow — the first by an FBI director — to sign a  cooperation agreement with Russian Interior Minister Victor Yerin. The agreement was aimed primarily at combating Russian organized crime, a “new transnational adversary” that Freeh said was a growing threat to U.S. national security.

The agreement formally established a channel for Russian police and the FBI to collaborate on investigations through an FBI legal attaché (LEGAT), who would be placed at the U.S. embassy in Moscow. The agreement also opened the way for Russian police to receive training at the FBI’s U.S. academy. Notably, Freeh revealed at the document signing that the idea for the collaboration had actually come from Yerin, who had proposed it two years earlier.

FBI Director Louis Freeh (left) and Russian Minister of Interior Victor Yerin at historic meeting in Moscow in1994 to sign law enforcement cooperation agreement (Screenshot of C-SPAN video)

The FBI already had about two dozen legal attachés around the world to facilitate cooperation between FBI agents and their foreign counterparts on cross-border criminal and terrorism cases; Freeh was hopeful that a legal attaché in Moscow would be the first step toward getting a U.S.-Russian extradition treaty in place. That didn’t happen. But the two countries did sign a mutual legal assistance treaty (MLAT) in 1999, which went into effect in 2002. It established a framework for the two countries to exchange evidence and information relevant to investigations and to file requests to interview witnesses, conduct searches and seizures and interrogate or arrest suspects.

Two months after Freeh signed the 1994 cooperation agreement, two FBI agents — Michael di Pretoro and William Kinane — arrived in Moscow to serve as the legal attachés. They already had about 35 requests for assistance waiting for them to tackle.

“Our New York office had done an extensive amount of work on Russian organized crime and had a lot of requests on the table for the Russians,” Kinane tells Zero Day.

They had some initial challenges. There was no office space for the attachés in the U.S. embassy yet, and Kinane had to live out of a hotel for months until an embassy apartment became available. And their main liaisons in Russia — Interior Minister Victor Yerin and the head of organized crime control Mikhail Konstantinovich Egorov — were soon pushed out of their jobs following a botched hostage standoff with Chechen rebels that killed most of the hostages.

And about three months after arriving in Moscow, Kinane got a call from the Russian Federal Security Service (FSB) asking why he hadn’t contacted them to arrange a meeting. The FSB intelligence service was successor to the KGB.

The U.S. cooperation agreement Freeh had signed was only with Russia’s Ministry of Internal Affairs (MVD), which oversees the Russian police. Freeh had avoided establishing any formal agreement with the FSB because of its spying role and the KGB’s dark history. But Kinane and his colleagues agreed to meet with the FSB at the KGB’s famed Lubyanka headquarters, where political dissidents had been interrogated and tortured in the not-too-distant past. That meeting turned into a weekly appointment with the FSB, with Kinane's team expected to fill in the spy agency on their work with the Russian police. Where the work with the Russian police was a collaboration, the FSB just wanted to milk the FBI for intelligence about its investigations, Kinane says.

Comrades in Arms

One of the first major cases that came out of the cooperation agreement with the Russian Federation was the U.S. prosecution of Vyacheslav Ivankov, alleged head of a Russian mafia cell in Brooklyn, New York in 1995.

“The Russians had wiretaps on every known hoodlum in [their] country. They [also] had info about the calls between the hoodlums and their conspirators in the U.S., which was shared with the FBI in the U.S” to help build a case against them, Kinane says. But Ivankov denied that he led a Russian mafia gang in the U.S. and claimed instead that Russian enemies used the FBI to settle a score with him.

The FBI in turn helped the Russians prosecute a massive international corruption case. The former Soviet Union was being looted by corrupt officials and co-conspirators who absconded to the U.S. with money, jewels and valuable resources, and the FBI helped Russia solve a high-profile case involving $180 million in stolen gold and gems that went to the U.S. This earned the FBI a lot of goodwill in Russia.

By 1998, Russian authorities had assisted with some 660 U.S. investigative leads, an FBI official told lawmakers at a congressional hearing that year, a number that increased significantly over the next decade. FBI agent Jim Treacy, who served as legal attaché in Moscow between 2007 and 2009, told the Washington Post in 2013 that during his tenure, Russia and the U.S. sent each other about 800 requests for assistance annually for investigations involving financial crimes, cyberattacks, child porn, human trafficking, and terrorism. But assistance varied, with both sides wary of exchanging information that could reveal intelligence capabilities.

It was around this time in 1998 that Vladimir Putin became head of the FSB for about a year, and began to drop in unannounced on the weekly meetings Kinane and his team had with the FSB. Putin observed the proceedings silently.

“I think he was just incredulous that there was an FBI agent sitting in Lubyanka,” Kinane recalls.

Perhaps not coincidentally, this was also the time when the FBI began investigating Moonlight Maze — the FBI code name for a series of intrusions that were eventually attributed to the Russian government in one of the first widespread nation-state hacking operations uncovered.

It wasn’t initially clear that the Russian government was behind the operations, and Kinane says for a while the Russian police were eager to assist in tracking the perpetrators, whose IP addresses had been traced to Russia.

"I was astounded that the Ministry of Interior was helping us to resolve it,” he says. “But they did a lot of work and zeroed in on some groups that were fronts of the FSB. And finally in the end they … told me 'We can't do anything more for you’.”

Kinane says his contact in the ministry was apologetic.

“He called me at 7 at night to come over and offered me a drink. He went into this long convoluted story [as if to explain himself],” Kinane recalls. “But the bottom line was that he couldn’t assist anymore.”

The Rise of Organized Cybercrime

As the early aughts arrived, so did an explosion in e-commerce and East European cybercrime. The Levin case had provided proof that computer hacking could be lucrative, and Russian hackers believed they were untouchable as long as they didn’t target victims in Russia.

Greg Crabb was an investigator with the U.S. Postal Service between 2000 and 2007 and was focused on tracking European organized cybercrime, particularly so-called “carding” rings that were behind a spate of hacks against TJX, Office Max, and Dave & Busters that involved the theft of millions of credit and debit card numbers. Crabb was interested in getting cooperation in tracking the perpetrators within Russia’s borders. But instead of going through the FBI’s legal attaché in Moscow, he approached an FSB contact at the Russian embassy in Washington, DC.

“My path was maybe not the most orthodox.… I called the Russian embassy … and asked for the FSB liaison officer … Boris Sokolov. I met with him on a couple of occasions, and he agreed that the information that I had about the crimes going on in Russia was sufficient to meet with his colleagues in Moscow,” Crabb says. He thinks it was the fact that he worked for the U.S. Postal Service and not for an agency with an intelligence division — like the FBI — that made the FSB more willing to work with him than with the bureau.

It was through the FSB that Crabb learned about CarderPlanet, an underground carding emporium that had been launched by Russian and Ukrainian cybercriminals. In the spring of 2001, more than a hundred East European criminals had convened at an Odessa restaurant for what they dubbed the “International Carders Conference,” and CarderPlanet was the product of that meeting.

CarderPlanet, an invitation-only forum, had more than 7,000 members worldwide at its height and was the model for all criminal hacking forums that came after, including the present-day sites where ransomware syndicates coalesce. There were private chatrooms for planning criminal conspiracies and marketplaces for trading in hacking tools and stolen card numbers. There were also how-to tutorials for embossing blank cards with stolen numbers, hacking-as-a-service vendors, and product and seller reviews for rating the trustworthiness of stolen goods and vendors. Initially for Russian-speakers only, CarderPlanet later added an English-language forum to match Russian kingpins with “money mules” in the U.S. and UK who could cash-out stolen debit card numbers at ATMs or receive and fence goods purchased with stolen card numbers, and then send the money to the Russians via Web Money and the digital currency service known as eGold.

In the course of his work, Crabb developed a particularly good relationship with Sergei Mikhailov, then deputy head of the FSB’s Information Security Center, who proved to be “a great investigative colleague.”

Mikhailov gave Crabb selfies that participants at the Odessa meeting had taken at their inaugural gathering, as well as a copy of the CarderPlanet database. The latter provided critical intelligence about crimes and criminals that Crabb was tracking,  long after CarderPlanet was shuttered in 2004. However, in a strange twist that underscores the dangerous line Russian law enforcement agents walk in assisting the U.S., Mikhailov himself was arrested in December 2016 for allegedly passing classified information to the FBI involving a different case.

Mikhailov and Ruslan Stoyanov, an employee of the Russian cybersecurity firm Kaspersky Lab, were accused in 2016 of providing the FBI with information about Pavel Vrublevsky, founder of the Russian digital payment system ChronoPay. Mikhailov had previously helped convict Vrublevsky in a Russian criminal case, and Vrublevsky had reportedly vowed revenge. Mikhailov and Stoyanov were now charged with treason for allegedly offering to sell the FBI a ChronoPay database for $10 million, and Mikhailov was sentenced to 22 years in prison while Stoyanov was sentenced to 16 years.

If Crabb had great success in working with the FSB on CarderPlanet, a case involving a Ukrainian carder highlighted the challenges U.S. law enforcement would face in ever getting convictions in Eastern Europe, even when authorities there were willing to arrest suspects.

Among the founders of the CarderPlanet emporium was a 22-year-old Ukrainian named Dmitry Ivanovich Golubov — considered one of the godfathers of East European carding who had begun his career as a spammer before switching to the more lucrative industry of bank card theft.

Golubov was a high-profile target sought for years by the Secret Service, the FBI and the USPS. Crabb traveled to Ukraine three times beginning in November 2003, but Ukrainian authorities were indifferent to arresting Golubov — until the 2004 Orange Revolution.

After the government changed, the organized-crime control department of Ukraine’s Ministry of Interior sent a message through the U.S. embassy to Crabb inviting him back to Kiev to present his evidence against Golubov. Two weeks later, Ukrainian police arrested Golubov. But six months later he was released on bond, and the case fell apart when two Ukrainian politicians interceded on his behalf and prevented critical evidence against him from being used in court. Golubov subsequently became a politician himself, earning an appointed seat in Ukraine’s parliament as a member of the Internet Party — a position that conferred immunity from prosecution upon him.

Come to Paradise — Get Arrested

If the Golubov case taught Crabb and other U.S. law enforcement agents anything, it was that the only reliable path to justice was to prosecute East European cybercriminals in U.S. courts. But to make that happen, they would have to nab the criminals outside of their countries. Luckily for agents like Crabb, Russian cybercriminals have long been partial to sunny climates — especially during Russia’s long winters — and their preferred climates have often been in countries that have extradition agreements with the U.S. This was how Crabb was able to grab 28-year-old Maxim Kovalchuk when he traveled with his wife to Thailand in May 2003. Authorities arrested him at a Bangkok ice cream shop just hours before he was to board a flight home.

“With Kovalchuk we examined the legal remedies we would have if we approached the Ukrainians … to have Kovalchuk arrested within Ukraine.… We didn’t think that would meet the outcomes that we were hoping to achieve,” says Crabb.

Kovalchuk, who sold pirated software through eBay and committed credit card fraud, had hacked a server belonging to Hurricane Electric, an internet service provider in Fremont, CA and used it as a proxy to send email to fraud victims and criminal cohorts. A kingpin on CarderPlanet had drilled into him the importance of operational security to hide his identity and location, so Kovalchuk had decided the best way to shield himself was to use a proxy server in the U.S. to send his correspondence. At the time, the carding community believed that U.S. law enforcement didn’t have the skills or savvy to track them.

“I think he had no idea that a log file was being generated for every communication that he sent,” Crabb told Zero Day. “Probably 40,000 email messages over the term of a few years” were on the Hurricane Electric server.

Crabb got access to the stored communication and logs, which showed Kovalchuk’s IP address in Ukraine and also revealed his plans for a vacation with his wife in Thailand — Kovalchuk had booked the hotel room via email. He and his wife ended up cancelling their trip at the last minute due to a SARS scare. But a year later when the vacation was back on, Crabb reached out to Thai authorities.

Thai police were cooperative, but it took weeks of red tape to process the request through the U.S. embassy and the Thai Ministry of Foreign Affairs.

“We thought we’ll just go over, and they’ll arrest him as soon as he hits the ground,” Crabb says. Kovalchuk was in Thailand two weeks and it “literally came down to the last several hours before he was going to go wheels-up back to Ukraine.” Crabb was allowed to accompany Thai police on the arrest and sat next to Kovalchuk on the ride to the police station. He didn’t appear to comprehend the gravity of the situation, Crabb says, but was impressed that U.S. law enforcement had traveled around the globe to capture him. “He thought he was…Frank Abagnale,” Crabb says, referencing the international fugitive who had been the subject of a years-long manhunt.

Since then, and in the absence of cooperation with Russia, many other Russian cybercriminals have been nabbed in or on their way to Thailand, Cyprus, the Dominican Republic, and other sunny locales where the U.S. has extradition agreements — and sometimes even where they don’t. In 2014, the U.S. nabbed the son of a Russian member of parliament in the Maldives, despite the lack of an extradition agreement. Maldivian authorities arrested Roman Seleznev at the Maldives airport as he and his girlfriend were getting ready to fly back to Russia and agreed to hand him over to the U.S. Russia called Seleznev’s arrest and extradition a kidnapping.

Roman Seleznev (Photo: courtesy of U.S. government)

It’s hard to pinpoint over the years when exactly cooperation with Russia in fighting hackers and other cybercriminals began to go south. It’s not something that was ever particularly strong or reliable, experts say. But the cooperation probably suffered its greatest setbacks after Putin became president in 2012 and a number of events occurred.

Toward the end of 2012, Congress passed the Magnitsky Act in response to the 2009 prison death of Russian tax lawyer Sergei Magnitsky, who was incarcerated after investigating Russian tax officials for fraud. The bill was aimed at punishing Russians deemed responsible for Magnitsky’s death, though more broadly it lets the U.S. freeze the assets of any foreign human rights abusers, levy sanctions against them and bar them from obtaining visas to visit the U.S. In retaliation for the Magnitsky Act, Russia put 18 Americans on its own asset-freezing and visa-ban list.

The relationship with Russia became even more complicated months later when Russia gave asylum to NSA leaker Edward Snowden in the spring of 2013, prompting President Barack Obama to cancel a one-on-one security summit with Putin in Moscow. Then in 2014, Russia annexed the Crimean Peninsula — a move widely condemned by the U.S. And in 2016, the Panama Papers were published — Putin accused the U.S. government of being behind the leak of documents that exposed the financial dealings of his inner circle. Shortly after this, Russian intelligence agencies who hacked the Democratic National Committee began leaking emails and documents seized in that breach and subsequently engaged in multiple efforts to hack U.S. election infrastructure and interfere in the 2016 presidential election, thereby plummeting U.S.-Russian relations to a new low.

Luke Dembosky, former deputy assistant attorney general for national security at the Justice Department who has led the department’s response on many high-profile cyber incident investigations, notes that any decline in cooperation that may have occurred over the years hasn’t been linear or easily tracked to a specific event. There have been times, he says, when cooperation during politically tense times has actually increased — he cites collaboration around the 2014 Sochi Olympics as one example of U.S. and Russian cooperation on cyber and national security threats that occurred despite political difficulties.

"There was a need to work together on certain types of threats in the interest of each country, so common ground was easier to find and there would be a spurt of progress and some accomplishments, even modest ones,” Dembosky says.

And in 2013, in the midst of the Magnitsky tension, Dembosky helped negotiate a landmark cyber accord between Russia and the U.S. to exchange information about cyber threats and create a direct and secure communication line between the White House and the Kremlin to “reduce the possibility that a misunderstood cyber incident could create instability or a crisis in our bilateral relationship.”

It’s not clear, however, if the accord ever facilitated cybercrime investigations.

"It was right before [the annexation of the Crimean peninsula], and that obviously soured the relationship significantly,” Dembosky says, underscoring the challenges of establishing cooperation in constantly shifting and politically charged circumstances.

Related Stories:

Anatomy of a $2 Million Darkside Ransomware Breach

Ransomware Infection on Colonial Pipeline Shows Potential for Worse Gas Disruption

US Gov Issues Emergency Order While Colonial Pipeline Is Down

Darkside Retreats to the Dark

If you like this story, feel free to share with others.

If you’d like to receive future articles directly to your email in-box, you can also subscribe: