The arrests caught the Russian hackers totally by surprise. One was at a Finnish border crossing. Another was arriving at an airport in Spain. A third was dining at a restaurant in Prague. Still others were at luxury resorts in the Maldives and Thailand.
Many have now turned up in U.S. courts. The long arm of U.S. law enforcement is spanning the globe like never before to bring criminal hackers to justice.
And it may not be just about crime. The Justice Department cites fuzzy and overlapping boundaries between criminal hackers and Russian intelligence agencies, the same ones the U.S. accuses of coordinating the hacking and subsequent disclosure of emails from the Democratic National Committee and the Hillary Clinton presidential campaign.
President Donald Trump dismisses allegations that Russia meddled in the election as “fake news,” but the FBI and congressional committees have launched probes and the Obama administration ordered the expulsion of 35 Russian diplomats in late December.
The U.S. campaign leaves Russian hackers with a dilemma: If they leave the safe confines of Russia, which has no extradition treaty with the United States, or Russia’s most ardent allies, they may get picked up and sent to the U.S.
“They no longer travel, the high-profile hackers. They understand the danger,” said Arkady Bukh, a criminal defense lawyer in New York City who has defended numerous accused Russian cybercriminals.
Still, some Russian and Eastern European hackers do enjoy holidays abroad — and live to regret it. Just this week, Maxim Senakh, a 41-year-old Russian, pleaded guilty in a Minneapolis courtroom to operating a massive robotic network that generated tens of millions of spam emails a day in a zombie criminal enterprise that purportedly brought in millions in profits.
Senakh didn’t come voluntarily. He’d been visiting a sister in Finland before that country put him on a U.S.-bound plane in January, answering a U.S. extradition request.
“He fought it, the Russian government fought it, and the Russian government put political pressure on its neighbor, Finland,” federal prosecutor Kevin S. Ueland said at a Feb. 19 hearing.
Another Russian, Mark Vartanyan, 29, pleaded guilty March 20 to computer fraud in an Atlanta courtroom after reaching a deal with prosecutors to offer far-reaching cooperation that would limit a prison term to five years or less.
Norway extradited Vartanyan to the U.S. in December.
David Hickton, a former U.S. attorney in Pittsburgh who made the city a hub for prosecutions of foreign hackers, said such actions are a sign of the new dimensions of crime.
“This is 21st-century burglary. It’s no different than if someone pulled a truck up to your house and stole valuable material,” said Hickton, who now directs the Institute for Cyber Law, Policy and Security at the University of Pittsburgh.
But Hickton acknowledged that carrying off successful prosecutions is a challenge.
“These cyber investigations are very, very hard. You’re talking about evaporating evidence, borderless crimes and defendants who can hide behind the borders of countries that don’t have extradition treaties with us,” he said.
It is not easy to pigeonhole the accused and convicted hackers. Some are brainy but merely cogs in larger crime groups. Others flash their wealth and opulent lifestyles.
“Not all of them are rich,” Bukh said. “A lot of them are involved in computer intrusion and that does not bring much money.”
Bukh recalled one client, Aleksandr Panin, who, in 2013, was placed by authorities on an Atlanta-bound plane in the Dominican Republic, put on trial and convicted.
“The guy couldn’t afford a car even with (having caused) a billion dollars in losses. He’s like a mad scientist geek,” Bukh said.
Then there are those on the opposite extreme, who pose for photos with piles of cash or at luxury beach resorts. One of them, Roman Seleznev, was convicted last year in Seattle on 38 counts related to cybercrime. His father is a deputy in the Russian parliament, or Duma. Prosecutors retrieved a photo from his cellphone of him standing next to a yellow Dodge Challenger muscle car in Red Square near the Kremlin.
The magnitude of damages that prosecutors have alleged can be mind-boggling.
Vartanyan, the young Russian hacker brought to Atlanta from Norway, was part of the development team that created Citadel, a “universal spyware system” sold on underground Russian criminal hacker forums that ended up lodged on 11 million infected computers around the world.
In their complaint against him, prosecutors cited industry estimates that Citadel caused “over $500 million in losses” in a three-year period.
When extradition isn’t an option, U.S. authorities lure alleged hackers to jurisdictions where they can be arrested. Such tactics have been decried by Moscow as “kidnapping.”
Seleznev, the identity thief who is the son of the Duma deputy, chose to vacation at a five-star resort in the Indian Ocean archipelago nation of the Maldives in 2014 precisely because it has no extradition treaty with the United States.
U.S. officials got word and persuaded Maldives authorities to intercept Seleznev at the airport, where in a fast-paced operation he was bundled on a private plane to Guam, a U.S. territory in the western Pacific, then flown to Seattle to face federal charges.
Upon his conviction last August, prosecutors said Seleznev had stolen millions of credit card numbers, causing 3,700 banks $169 million in losses. He faces a 40-year jail term.
No matter where the hackers travel, prosecutors say they will follow.
The U.S. Attorney in Atlanta, John Horn, who has also made a name for himself in prosecuting Russian hackers, said last year, “Cybercrime is borderless, but increasingly, so too are our law-enforcement capabilities.”