SAN FRANCISCO (CBS SF) – Yevgeniy Nikulin has been convicted by a San Francisco federal jury of charges he hacked into LinkedIn, DropBox, and the social networking company formerly known as Formspring databases and stole employee ID information, federal prosecutors announced Friday.
An international manhunt for Nikulin ended when he was arrested while traveling in the Czech Republic on October 5, 2016, and extradited to the United States to face trial.
U.S Attorney David L. Anderson said the jury found that Nikulin hacked into computers belonging to LinkedIn, DropBox and Formspring by using malware. He then stole usernames and passwords for employees at LinkedIn and Formspring, and sold and conspired with others to sell the data.
Evidence at trial showed that Nikulin was located in Moscow when he hacked into a computer belonging to a Bay Area-based LinkedIn employee and installed malicious software on it, allowing Nikulin to control the computer remotely.
Nikulin then used that remote computer as a base to steal LinkedIn users’ login information. Evidence at trial showed that Nikulin was behind similar intrusions at DropBox and at Formspring.
According to trial testimony, one of the ways that investigators were able to tie Nikulin to all three incidents was by tracing an IP address from one of the hacks back to his location in Moscow.
The guilty verdict followed 6 days of trial testimony before U.S. District Court Judge William H. Alsup. The trial initially began in March, but proceedings were suspended after just two days in light of the COVID-19 pandemic and ensuing closure of the federal courthouse.
When trial resumed on July 7, the defendant, the attorneys and judge wore masks and witnesses testified from behind a glass panel to allow for social distancing requirements.
“Today’s guilty verdicts are the result of our first federal jury trial in San Francisco since the beginning of shelter in place,” Anderson said. “Nikulin’s conviction is a warning to would-be hackers, wherever they may be. Computer hacking is not just a crime, it is a direct threat to the security and privacy of Americans. American law enforcement will respond to that threat regardless of where it originates.”
Nikulin, 32, was indicted by a federal grand jury on October 20, 2016. He was charged with multiple counts of computer hacking, fraud, and identity theft.
His sentencing hearing is scheduled for September 29. The maximum statutory penalty for each count of selling stolen usernames and passwords and for each count of installing malware is 10 years.