Nikulin allegedly stole millions of usernames and passwords by breaching systems at LinkedIn, DropBox and Formspring in 2012. He also attempted to sell hacked information on online black markets, prosecutors say, where buyers likely hoped they could use it to break into accounts with several services, because people often recycle passwords.
Nikulin, who pleaded not guilty, goes on trial Monday in US District Court in San Francisco.
His alleged hacks contain a delicious irony: Prosecutors say they caught the 33-year-old in part because he didn't follow basic security protocols. He reused passwords, they say, the same lazy practice many of us lapse into. The repeated credentials added to evidence that Nikulin controlled accounts associated with each of the hacks.
The trial, expected to run two weeks, is more than Exhibit A for why you shouldn't reuse your passwords. Cybercrimes often don't lead to charges in the US because the crimes are underreported, take a lot of resources to investigate and often involve suspects in foreign countries. The evidence against Nikulin shows us what hackers are capable of in a world in which, more likely than not, they won't be stopped.
"It's important that there are cases like this," said Mieke Eoyang, a policy expert at the think tank Third Way. Nikulin's case could inspire law enforcement to devote more resources to solving cybercrimes, she said, because it shows that a result "is in fact possible."
How the hacks happened
To snare what turned out to be more than 100 million LinkedIn usernames and passwords, Nikulin allegedly hacked the personal iMac of LinkedIn engineer Nicholas Berry, who sometimes used the computer to work remotely. From there, Nikulin allegedly snagged Berry's username for the LinkedIn corporate VPN, which let the hacker access a database of usernames and passwords from the professional-networking site's servers. Berry is expected to testify at the trial.
Prosecutors say Nikulin used a similar approach with DropBox and Formspring. After noticing suspicious attempts to log in to DropBox user accounts from Eastern Europe, forensic investigators found that someone had compromised a DropBox employee's account. The hack snapped up 68 million account credentials, later reports confirmed. The account behind the attack was allegedly controlled by Nikulin.
Another investigation found that Nikulin stole 30 million Formspring account credentials by hacking the account of Formspring employee John Sanders. Sanders is also expected to testify at the trial.
Lawyers for Nikulin didn't provide a comment. After he didn't cooperate with members of his legal team, concerns were raised that mental health problems made him ineligible to stand trial; those concerns were resolved and he was cleared to stand trial.
Getting hacking suspects to trial
Despite the trail of digital evidence left behind by cybercrime, only a small proportion of incidents lead to an arrest. Counting all types of cybercrime, including data breaches, ransomware attacks, internet scams and online identity theft, Third Way calculates that three out of every 1,000 reported crimes lead to an arrest.
Polling indicates that people in the US experience more cybercrime than they report. Eoyang says that means it's likely the rate of arrests for all cybercrime is far lower than 0.3%. Third Way advocates for more prosecutions of cybercrimes.
Even when an investigation identifies a suspect, getting an arrest can be a challenge, especially if the suspect lives in a country such as Russia, North Korea, China or Iran. Nikulin was on vacation in the Czech Republic when Interpol flagged his presence, leading to his arrest in 2016. Russia fought his extradition for almost two years, but the US won in 2018.
Other Russians have recently been extradited to the US while out of Russia, leading Russian authorities to complain that the US is "hunting" its citizens. The Russian embassy didn't respond to a request for comment on Nikulin's trial.
Why the LinkedIn hack matters
Nikulin's trial deals with crimes that still reverberate today. Troy Hunt, who founded the data breach tracking website Have I Been Pwned, said he still sees data from the LinkedIn hack in new caches of stolen data.
That's why you can never go back to reusing an old password that's been breached. Hackers will take stolen usernames and passwords and keep trying them on different services, in attacks called credential stuffing.
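The pattern described above is what a service's own login logs show during credential stuffing: one source trying many different accounts, most attempts failing, and the few successes being the users whose reused password still worked. The following is an added example, not code from the article or any of the companies it names; the log format and the sample lines are constructed, and the thresholds are assumptions to tune per service.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not from any real service).
SAMPLE_LOG = """\
2020-03-09T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2020-03-09T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2020-03-09T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2020-03-09T10:00:03Z ip=203.0.113.5 user=dave result=SUCCESS
2020-03-09T10:00:04Z ip=203.0.113.5 user=erin result=FAIL
2020-03-09T10:00:05Z ip=203.0.113.5 user=frank result=FAIL
2020-03-09T10:01:10Z ip=198.51.100.7 user=alice result=FAIL
2020-03-09T10:01:15Z ip=198.51.100.7 user=alice result=FAIL
2020-03-09T10:01:20Z ip=198.51.100.7 user=alice result=SUCCESS
2020-03-09T10:02:00Z ip=192.0.2.9 user=grace result=SUCCESS
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(SUCCESS|FAIL)")


def parse_log(text):
    """Return (ip, user, success) tuples; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3) == "SUCCESS"))
    return events


def find_stuffing_sources(events, min_users=5, min_fail_rate=0.6):
    """Map ip -> (distinct_users, attempts, fail_rate) for sources that look
    like credential stuffing: one IP trying many distinct accounts, mostly
    failing. A single user retrying their own password is not flagged."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for ip, user, ok in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        s["fails"] += 0 if ok else 1
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and rate >= min_fail_rate:
            flagged[ip] = (len(s["users"]), s["attempts"], round(rate, 2))
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts a flagged source logged into: the reused passwords that worked."""
    return sorted({u for ip, u, ok in events if ok and ip in flagged})
```

On the sample, the spraying source is flagged while the legitimate user who mistyped twice from another address is not, and the one account the spray got into is listed for a forced password reset.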
On Monday, UK supermarket chain Tesco said hackers had used credential stuffing to access some customers' rewards accounts and fraudulently redeem vouchers. In December, Amazon said hackers were accessing Ring cameras and harassing users by trying out passwords stolen in breaches of other platforms. And in November, hackers tried to sell credentials for accounts with the newly launched Disney Plus streaming service, some of which could've come from previous data breaches, ZDNet found.
"If you go and reuse your passwords," Hunt said, "you have a heightened risk."