Introduction

Beginning in the fall of 1999, a number of Internet-related businesses in the United States suffered computer intrusions or “hacks” that originated from Russia. The hackers gained control of the victims’ computers, copied and stole private data that included credit card information, and threatened to publish or use the stolen credit cards or inflict damage on the compromised computers unless the victims paid money or gave the hackers a job.

One of these victims was an Internet Service Provider (ISP) named Speakeasy Network, located in Seattle, Washington. Speakeasy’s computer network was attacked from Russian Internet Protocol (IP) addresses at the end of November 1999. The hacker (or hackers) was able to compromise the system administrator’s account—the account known as root or the superuser—on several Speakeasy computers. This was a sinister turn of events because anyone who accesses a computer as root or system administrator has the ability to install, alter, or delete any file on the system. The hacker then issued a message to everyone who was logged into that computer that he wanted to “chat” about Speakeasy’s computer network security using a program called Internet Relay Chat (IRC), which allows real-time written communication via the Internet. The hacker identified himself with the computer “nick” or nickname, _subb_.

On November 30, 1999, a Speakeasy employee engaged in an IRC chat session with _subb_, who identified himself as Alexey Ivanov. During the chat session, Ivanov transmitted to the Speakeasy employee, via IRC, an electronic copy of his résumé and graphics files containing photographs of himself. Also during the chat session, Ivanov stated that he had found holes in Speakeasy’s network security, that he wanted a job and $1,000–$1,500 per month, and that he would not tell Speakeasy about the security holes until he got a job. Ivanov acknowledged that he lived in Chelyabinsk, Russia, and bragged that Speakeasy could never put him in jail for his activity. Ivanov stated that he had 2,000 user passwords from Speakeasy, as well as credit cards. The Speakeasy employee told Ivanov that they would not pay him, but tried not to anger him, for fear that he would cause damage to the systems.

After a brief hiatus, Ivanov again contacted Speakeasy, just before Christmas Eve of 1999. He again demanded a job and money, stating that it would be better for Speakeasy to give him a job than for Speakeasy to get hacked, have all of its files deleted, and have its customers’ credit cards used. He demonstrated that he had credit card information by posting it on a website that Speakeasy hosted. Speakeasy still refused to pay any money to Ivanov or give him a job. Ivanov and/or his co-conspirators then deleted files on one of Speakeasy’s main computers and on one of its customer’s computers.

Also in the fall of 1999, several other ISPs—including Verio, which is headquartered in Englewood, Colorado; Lightrealm (now known as Hostpro) in Kirkland, Washington; and CTS, in San Diego, California—had their computers hacked from Russia by the conspirators. Some of the ISPs, including Lightrealm and CTS, gave Ivanov accounts on their systems and even made payments to him by transferring funds to Russia.

A similar computer attack was made on an online credit card clearinghouse named Online Information Bureau, Inc. (OIB), located in Vernon, Connecticut. Ivanov, as he had done in the case of Speakeasy, identified himself to OIB as the hacker of its computers and demanded a job and money. In his correspondence with OIB personnel, Ivanov said that he was a “security engineer” at Lightrealm, a claim that was given some credence by the fact that he was using the email address . Logs that were maintained on the OIB system further revealed that the hacker had made FTP connections to a computer at CTS located in San Diego, California.

In the year 2000, attacks from Russia on computer systems in the United States escalated, as the hackers reached their cyber-tentacles into scores of networked systems. In April, Nara Bank, a Korean-American bank located in Los Angeles, suffered an attack, including an extortion email, although bank personnel were not aware of the full extent of the attack at the time. In August, a bank in Waco, Texas, named Central National Bank (CNB)–Waco, suffered a similar attack, but did not become aware of it until much later. The conspirators also compromised the computer network of the St. Clair County Intermediate School District in Michigan, using it for several nefarious purposes. The FBI, through its field offices in Seattle and Hartford, established an undercover operation to lure Ivanov to the United States for prosecution. Having identified Ivanov through his résumé, the FBI sent him an email soliciting him for employment with Invita, a computer network security start-up company located in Seattle. On July 1, 2000, Ivanov responded that he and his business partner, Vasily Gorshkov, were interested in a consulting business or partnership. He suggested that further emails be sent to him at (his account at CTS) or to Gorshkov at .

In the course of email correspondence with Invita, Ivanov and Gorshkov agreed to travel to Seattle and meet with Invita personnel. The FBI placed two undercover phone calls to Russia, speaking to Gorshkov in the first one and Ivanov in the second one. Also as part of the events leading up to their travel to Seattle, the hackers offered to demonstrate their hacking skills on Invita’s own computers. A network was set up for that purpose for the FBI by a company called Sytex, and they successfully hacked into it. The logs generated by the Sytex network were invaluable. They not only identified the specific exploits and techniques used by the hackers, but recorded the IP addresses of various compromised systems that the hackers were using as proxies to hide their true location. Because the hackers had suggested the test hack, and confirmed that the work was theirs, the Sytex logs became akin to an electronic fingerprint of their techniques.

On November 10, 2000, the FBI’s undercover operation culminated with the arrival of Gorshkov and Ivanov at SeaTac Airport. They were escorted to an Invita office site in Seattle, where a meeting of several hours’ duration took place. In the office, both defendants sat down at computers that belonged to Invita and the FBI recorded their computer activity using a computer program that logged their keystrokes. Ivanov also had his own Toshiba laptop computer, which he connected to the local network at the office and used.

During the undercover meeting, which was recorded on video- and audio tape, Gorshkov used the Invita computer to log into his account (kvakin) on the Russian computer named tech.net.ru and then into his account (again, kvakin) on the networked computer named freebsd.tech.net.ru. From his account, Gorshkov obtained a scanner program called Lomscan, transferred it over the Internet, and then used it to scan the entire local area network of computers located in the building where the small Invita office was located. Indeed, he informed the agents that he had conducted the scan immediately after he did it.

Also during the undercover meeting, Gorshkov and Ivanov made a number of incriminating statements that demonstrated their knowledge of many of the hacking victims, including Verio, banks, and others. When asked about whether they had obtained credit cards, Gorshkov said that it was a topic they could discuss in Russia, but not in the United States, because of the FBI.

After the two-hour meeting at the Invita office, Ivanov and Gorshkov were arrested. Ivanov was arrested pursuant to a warrant issued by the United States District Court for the District of Connecticut in relation to the OIB case, and he was transported to Connecticut to stand trial on those charges. Gorshkov was arrested pursuant to a material witness warrant, also issued in the District of Connecticut, but was subsequently charged by Indictment in the Western District of Washington. The Russian consulate was immediately notified of the arrests.

From November 14 through November 20, 2000, Special Agents of the FBI, with the assistance of a computer security professional from the University of Washington, connected to the two Russian computers named tech.net.ru and freebsd.tech.net.ru. They successfully logged on to the computers by using the username kvakin and the password that Gorshkov had used during the Invita undercover meeting, as that information had been recorded by the keystroke-logging software. With Gorshkov’s username and password, the agents were able to access a large amount of data on the computers, including the home account of kvakin on both computers. The agents also accessed the account of subbsta (Ivanov) on tech.net.ru by using the password that Ivanov provided to them during his post-arrest interview, but they were not able to access his account on freebsd.tech.net.ru.

The agents copied a portion of the enormous quantity of data that was located on the Russian computers and downloaded the copied data to a computer located at the Seattle FBI office, planning to seek and obtain a search warrant before searching the contents of the download. The downloaded data was not viewed until after the search warrant was obtained on December 1, 2000. It was then examined with the help of experts, including Phil Attfield. The downloaded information consisted of four CD-ROMs containing a huge quantity of highly-compressed data. Mr. Attfield’s first task was to expand the data and reconstruct the file structure of the Russian computers, so that the files could be indexed and searched. Those four CD-ROMs were admitted at Gorshkov’s ensuing trial as Government’s Exhibit 100.
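The expansion and reconstruction step described above, as an added example that is not code from the book or from Phil Attfield’s actual work: a small gzip-compressed tar archive is built in memory as a stand-in for the downloaded data, expanded, indexed by original path with a SHA-256 digest per file (so that any file later shown to a witness can be matched back to the copy), rebuilt into a directory tree, and searched by content. The file paths and contents are invented for this example and are not taken from Exhibit 100.

```python
import hashlib
import io
import re
import tarfile

# Constructed stand-in for the downloaded data: a few small files packed into
# an in-memory .tar.gz.  The paths and contents are invented for this example
# and are not taken from Exhibit 100.
SAMPLE_FILES = {
    "home/kvakin/scripts/mkacct.pl": b"#!/usr/bin/perl\n# open a PayPal account for each address in the mail list\n",
    "home/kvakin/lists/cards.txt": b"[card data withheld for this example]\n",
    "home/subbsta/tools/scan.log": b"195.128.157.66 -> 10.0.0.5:21 open\n",
}


def build_sample_archive(files=SAMPLE_FILES):
    """Pack the constructed files into a gzip-compressed tar held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def reconstruct(archive_bytes):
    """Expand the archive and index every regular file by its original path.

    Each entry records a SHA-256 digest so that a file later shown to a
    witness can be matched back to the downloaded copy.
    """
    index = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            index[member.name] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
                "data": data,
            }
    return index


def directory_tree(index):
    """Rebuild the nested directory structure from the flat path index."""
    tree = {}
    for path in index:
        parts = path.split("/")
        node = tree
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = None  # leaf entry: a file
    return tree


def search(index, pattern):
    """Return the paths of files whose contents match a byte regex."""
    regex = re.compile(pattern)
    return sorted(path for path, entry in index.items() if regex.search(entry["data"]))


if __name__ == "__main__":
    idx = reconstruct(build_sample_archive())
    for path, entry in sorted(idx.items()):
        print(entry["sha256"][:16], entry["size"], path)
    print("files mentioning PayPal:", search(idx, rb"PayPal"))
```

Recording the digest at reconstruction time, before anyone searches the data, is what lets an examiner later state that the file displayed in court is byte-for-byte the file that was downloaded.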

The quantity of data obtained by the FBI was immense. In their personal accounts on the computers, Gorshkov and Ivanov had numerous computer hacking tools, that is, programs or “scripts” and computer code that were used to compromise or gain control of computers and computer networks in a variety of ways. Among other things, the tools would scan computers and networks for vulnerabilities, exploit those vulnerabilities to obtain users’ passwords and to gain complete control of the computers, decipher or crack encrypted or encoded passwords, and convert the compromised systems into relays or “proxies” that allowed the hackers to mask their identity on the Internet. Many of these tools also were found on Ivanov’s Toshiba laptop computer, which was seized at the time of his arrest.

A number of other computer programs or “scripts” located in kvakin’s home accounts implemented a fraud scheme against the online auction company eBay and the online credit card payment company PayPal. eBay has a website on which users can auction items off to other users. Payment can be accomplished by credit card through online accounts at PayPal that are opened with an email address and a credit card. Gorshkov’s scripts generated thousands of false email addresses, at websites offering free email accounts, opened corresponding accounts at PayPal with stolen credit cards, generated fraudulent or “virtual” auctions at eBay, and initiated payments from one PayPal account to another using the stolen credit cards.

Working closely with PayPal and eBay, FBI agents were able to reconstruct the hackers’ fraudulent transactions. Using files from PayPal and eBay, as well as data recovered from the Russian computers, the agents determined that, after layering credit card transactions through multiple PayPal accounts to obscure their trail, the hackers had purchased computer components worth hundreds of thousands of dollars, and had the unsuspecting sellers ship them to Kazakhstan.

Because Ivanov had been charged first in Connecticut, he was transported back to that district for prosecution. He ultimately pleaded guilty following protracted plea negotiations. On September 20, 2001, Gorshkov went to trial in United States District Court for the Western District of Washington in Seattle. He had been charged in a 20-count Superseding Indictment with conspiracy, mail fraud, and various violations of the Computer Fraud and Abuse Act. Following a jury trial, he was convicted on all counts on Tuesday, October 9, 2001.

Under the American system of justice, the government has the burden to prove the crimes with which a defendant is charged beyond a reasonable doubt. That proof must satisfy, not only a judge who has presided over many criminal trials and is savvy about the ways of criminals, but a jury of lay persons, for whom the trial may be their only exposure to the darker side of humanity. Consequently, in most criminal cases, prosecutors are pressed to muster sufficient testimony and evidence to prove their cases. That was not the problem in this case.

In preparing the Gorshkov prosecution for trial, Floyd Short and Steve Schroeder, the two Assistant United States Attorneys assigned to the case, had available a vast amount of information. In addition to the data downloaded from the hackers’ computers in Russia, they had acquired data from the networks of numerous victims, including the Seattle area ISP and web hosting company, Lightrealm; the Seattle-based Internet café and online service provider Speakeasy; the credit card clearinghouse, OIB; the San Diego area ISP and web hosting company, CTS; the St. Clair County, Michigan, K–12 School District; several online banks; the Denver area ISP and web hosting company, Verio; PayPal; and eBay. At least a score of other victims contributed evidence, as well.

In sum, the trial team was faced with a nigh-overwhelming quantity of very incriminating evidence that filled terabytes of storage. Nor was the evidence of a kind that could readily be understood by a jury consisting of lay persons. Much of it was highly technical. Steve and Floyd realized that they could not even attempt to prove the entire scope of the illegal activity engaged in by Ivanov and Gorshkov. The problem for the trial team to solve was how to present an accurate and highly-convincing picture of the conspiracy without overwhelming the Court and the jury.

In the end, the trial team chose to limit the number of victims that would be included in the charges. Obviously, Speakeasy and Lightrealm, the Seattle-based victims, would be featured. Victims whose systems had been used as proxies to attack other networks, and thus were central to the scheme, were included as well. Since the OIB hack had been charged in Connecticut, charging it in Seattle would have been redundant. The OIB hack was not included.

In addition, Steve and Floyd decided to present the evidence in the case electronically. Documents admitted in the case would be viewed contemporaneously by the witness, the defendant, all counsel, the judge, and the audience, on monitors set up in strategic locations throughout the courtroom. This technology not only introduced a very efficient way to deal with the thousands of exhibits that would be introduced, but enabled the judge and jury to follow along with the witness as he or she explained what each exhibit meant. This feature greatly enhanced the ability of the jurors to understand the evidence.

Because much of the evidence was highly technical, Steve and Floyd used a number of expert witnesses to explain it. The principal burden of “teaching” the judge and jury what the evidence meant fell to Phil Attfield. In addition to explaining how he had reconstructed the file structure of the defendant’s computers from the downloaded data, Phil testified that he found, in the tech.net.ru and freebsd.tech.net.ru data, scripts written in Perl (Practical Extraction and Report Language) that were designed to automatically open email accounts and create PayPal accounts with those email addresses and stolen credit card information.

Curtis Rose testified concerning the honeynet that his company, Sytex, had created. During the course of his presentation, Curtis identified the common vulnerabilities that the hackers had targeted, and the scripts and exploits that they used. In addition, personnel from several of the systems that were identified with the transactions at PayPal—including Lightrealm and the St. Clair County Intermediate School District—testified that their computers were hacked from IP address 195.128.157.66, registered to tech.net.ru. The intruders took over their systems and used them as proxies to make other connections to the Internet.
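The correlation that this testimony rests on, as an added example that is not code from the book or from the investigation: connection records from several victim hosts are searched for inbound connections from 195.128.157.66, and each such host’s outbound connections shortly afterwards are reported as the next hop in the proxy chain. The log format, the host names, the time window and the peer addresses (203.0.113.50 and 198.51.100.x are documentation addresses standing in for the payment site and unrelated peers) are all constructed for this example; only the tech.net.ru address comes from the page.

```python
from datetime import datetime, timedelta

# IP address of tech.net.ru as given in the trial testimony.
ATTACKER_IP = "195.128.157.66"

# Constructed sample log: one connection record per line, in the form
#   <timestamp> <host> <in|out> <peer address> <port>
# Host names are invented; 203.0.113.50 (a documentation address) stands in
# for the payment site that the proxied connections were made to.
SAMPLE_LOG = """\
2000-03-02T14:03:10 lightrealm-web1 in 195.128.157.66 23
2000-03-02T14:04:55 lightrealm-web1 out 203.0.113.50 443
2000-03-02T14:05:01 lightrealm-web1 out 203.0.113.50 443
2000-03-03T09:12:00 sccisd-mail in 195.128.157.66 80
2000-03-03T09:13:30 sccisd-mail out 203.0.113.50 443
2000-03-05T18:00:00 cts-ftp in 198.51.100.7 21
2000-03-05T18:01:00 cts-ftp out 203.0.113.50 443
2000-03-06T11:00:00 sccisd-mail out 198.51.100.9 25
"""


def parse_log(text):
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, direction, peer, port = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "dir": direction,
            "peer": peer,
            "port": int(port),
        })
    return sorted(events, key=lambda e: e["ts"])


def compromised_hosts(events, attacker_ip=ATTACKER_IP):
    """Hosts that accepted an inbound connection from the attacker's address."""
    return sorted({e["host"] for e in events
                   if e["dir"] == "in" and e["peer"] == attacker_ip})


def find_proxy_hops(events, attacker_ip=ATTACKER_IP, window=timedelta(hours=1)):
    """Outbound connections a compromised host made within `window` after the
    attacker connected in: the next hop of the proxy chain.

    Outbound traffic from hosts the attacker never touched (cts-ftp in the
    sample) and traffic outside the window is not attributed to the chain.
    """
    inbound = {}
    for e in events:
        if e["dir"] == "in" and e["peer"] == attacker_ip:
            inbound.setdefault(e["host"], []).append(e["ts"])
    hops, seen = [], set()
    for e in events:
        if e["dir"] != "out" or e["host"] not in inbound:
            continue
        if any(t <= e["ts"] <= t + window for t in inbound[e["host"]]):
            key = (e["host"], e["peer"], e["port"])
            if key not in seen:
                seen.add(key)
                hops.append(key)
    return hops


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("hosts reached from", ATTACKER_IP, ":", compromised_hosts(evts))
    for host, peer, port in find_proxy_hops(evts):
        print(f"{ATTACKER_IP} -> {host} -> {peer}:{port}")
```

The one-hour window is an assumption for the sample; in practice it is set from the session lengths actually seen in the logs, and the outbound peers it surfaces are then matched against the transaction records obtained from the payment site.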

Working closely with Phil, Floyd and Steve figured out that, based upon his analysis of evidence found on the tech.net.ru computers, Phil could identify other systems that the hackers had compromised. This allowed them to shorten the trial by forgoing testimony from several victim companies.

Why Read This Book?

From this greatly simplified summary, it should be apparent to the reader that the Gorshkov investigation and prosecution resulted in a cornucopia of evidence, including scan logs, hacker tools, and scripts used to automate intrusions and do mischief on networked systems. Because the matter went to trial, this evidence was introduced into the public record. Consequently, it is available for teaching and training purposes.

The prosecution received massive, and largely positive, publicity. It was particularly well-received by the IT community, where there is a high level of frustration at being victimized by foreigners who are beyond the reach of the law. In part because of their work on this case, the author and Phil Attfield have been invited to conduct training at a number of academic conferences, as well as international computer security conferences. At the conclusion of those presentations, they have invariably been asked by attendees to make the case materials available. This book is my effort to do so.

This book is a case study of a large, complex, and highly technical prosecution of two Russian hackers. I believe that the materials presented offer a wealth of information that can be used by IT professionals, business managers, and academics who wish to learn how to protect systems from abuse, and who wish to respond appropriately to network incidents.

In addition to its value as a training tool, however, I believe that this is a great story. Two Russian hackers, who bragged that the laws in their country offered them no threat, and who mocked the inability of the FBI to catch them, were caught by an FBI lure designed to appeal to their egos and their greed. It is also the story of a real trial in a real courtroom. In an attempt to maintain the narrative line of this story while, at the same time, presenting a case study that can be used for teaching and training, I have integrated the technical materials into the narrative.

I hope that you enjoy the book.
