By the time the Democratic National Committee had accused Russia of hacking into its emails and passing them to Wikileaks, Arkady Bukh’s cybersecurity venture was a little over a year old.
Cybersec, set up in 2015, is a controversial business that uses the services of Russian and Russian-speaking hackers to provide cybersecurity services to companies. Bukh runs the startup from his Manhattan and Brooklyn law offices. He says he has “at least half a dozen” hackers who work for him, half in the U.S. and half in Russia or the former Soviet Union. They are paid on a per-project basis, usually via Bitcoin.
Bukh said news about the DNC hack was good for business.
Bukh, originally from Baku in the former Soviet Union, is now a naturalized U.S. citizen. He made his name defending many of the Russian hackers who have been charged and found guilty in the U.S.
He has an extensive network of current and former “black hat” hackers — those who use their extensive computer skills to break into secure networks or websites, often with illegal intent. Launching Cybersec grew out of a desire, Bukh says, to put their formidable skills to use, and to help meet a growing demand among U.S. businesses to protect themselves from the threat of cyberattacks.
It’s certainly an unusual business model. Some of the hackers he has brought on as consultants have already served time. Several are wanted by the U.S. government and staying away from countries with extradition treaties. One or two, Bukh says, are still engaged in nefarious hacking activities. A lot of the consulting is done remotely — over the phone or online.
Why use Russian hackers?
The simple answer: They’re highly skilled. It’s partly the education, Bukh says, that sets Russian hackers and those from the former Soviet Union apart.
“This is the culture of the country where math and computer science is a very important part of the college, of the school, and they do invest a lot of money into this effort.”
Money also plays a big role. It’s not easy to make a good living as a computer analyst in Russia, and hacking — particularly stealing credit cards numbers — is lucrative. And Bukh notes, the Russian government rarely prosecutes hackers. In fact, there’s a wide consensus among global cybersecurity professionals that the Russian government freely allows Russian criminal hackers to operate as long as they don’t attack Russian business and government interests.
One of the part-time consultants, Sergei Pavlovich, is a 33-year-old former credit card hacker. He turned up coatless to meet me in the Moscow snow, and said in return for his expertise, Arkady Bukh advises him on his own business ventures. He wrote a book about his hacking days called “How I stole a million,” and has launched an Indiegogo campaign to raise money to have it translated into English. He says he doesn’t just advise on the technical methods of credit card hacking, but the social aspects of it too.
He described how the mother’s maiden name was often the missing link to getting access to someone’s bank account. On occasion, someone with good enough English would call the account holder to try to find it out. Pavlovich served 10 years in jail in his native Belarus and is still wanted by the U.S. government for his involvement in a credit card fraud ring back in 2008.
Another of Bukh’s hackers, Vladislav Horohorin, first came into contact with Bukh when he hired him as his defense attorney. Horohorin helps out from his Massachusetts prison cell, where he’s serving the last few months of a 3-and-a-half year sentence for stealing $9 million from an Atlanta-based credit card processor. “We just think the way actual attackers might,” he told me via email.
The fact that Cybersec shares a space with Arkady Bukh’s law offices isn’t just to save on overhead. The lawyers are on hand to help iron out any liability issues that come with using consultants who are wanted for crimes or have a criminal record. And Bukh says he is in constant contact with the FBI, who’s aware he is working with some people on their wanted list. He would not say which hackers the FBI was pursuing, but said he cooperates if they try to negotiate a surrender with one of his associates.
Cybersec’s clients have so far been small and medium-sized businesses, and some wealthy individuals. Large and publicly listed companies have shied away from the legal gray area, Bukh admits.
As for the consultants themselves, it’s been easy convincing them to come aboard. It’s just another way to make money, Bukh says. “Hackers are usually businessmen.”