
Russian indicted over LinkedIn and Dropbox mega-breaches

He's charged with foisting malware on LinkedIn and stealing millions of user credentials. A third intended target was allegedly Formspring.

A Russian citizen has been arrested in the Czech Republic and indicted in connection with massive breaches: the 2012 attack on LinkedIn and the subsequent attack on Dropbox.

The man, 29-year-old Yevgeniy Nikulin, from Moscow, also allegedly targeted Formspring, a social networking service now known as Spring.me that’s a portal for the dating service Twoo.

According to the indictment, unsealed on Friday, Nikulin allegedly targeted a LinkedIn employee with malware so as to steal his access credentials.

The 2012 LinkedIn leak meant that millions of passwords for the professional networking site were dumped online.

That’s bad enough, but then came the news that 60% of the enormous trove of credentials had been cracked within hours.

It got worse from there. At the time of the breach, “only” 6.5 million encrypted (but not salted!) passwords had been posted online. However, we learned in May that in fact 117 million LinkedIn account emails and passwords were up for sale.

After Nikulin and unnamed co-conspirators had allegedly turned LinkedIn upside down, it was Dropbox’s turn.

Two months ago, Dropbox forced password resets after stumbling across some 68 million sets of user credentials posted online that it believed were stolen in a 2012 breach.

Besides allegedly stealing data and accessing computers without authorization, Nikulin is accused of damaging computers belonging to both the LinkedIn employee and Formspring by “transmitting a program, information, code, or command”. In other words, infecting the systems with malware.

He and his co-conspirators were allegedly plotting to do the same to Formspring/spring.me.

According to the US Department of Justice, Nikulin has been charged with three counts of computer intrusion; two counts of intentional transmission of information, code, or command causing damage to a protected computer; two counts of aggravated identity theft; one count of trafficking in unauthorized access devices; and one count of conspiracy.

Going by the indictment’s informational sheet about maximum penalties for those crimes, if found guilty, he could be looking at over 30 years in prison. Maximum sentences are rarely handed out, though.

After Interpol put out a warrant, Nikulin was arrested on 5 October by officials in the Czech Republic. He’s now in custody in Prague, facing an extradition hearing.

Want details about the suspect and how police tracked him down?

RadioFreeEurope reports that Nikulin left a trail on his Instagram account, which was replete with evidence of a taste in luxury cars and gold Rolexes.

He was arrested in a restaurant, scanning the menu, as you can see in the video published by Czech police.

2 Comments

Good to see an overconfident jerk get taken (har) by surprise. We need more deterrents like this to entry into the Digital Burgling Arts.
