Biggest U.S. Hack Case Is Tale of Gamers’ Interrupted VacationStepan Kravchenko, Carol Matlack and Dune Lawrence
Vladimir Drinkman says he met Dmitriy Smilianets online playing Counter-Strike, a shooter game in which cyber-combatants assume the roles of either terrorists or counter-terrorists: bad guys or good guys.
More than a decade later, the two young Russians are both behind bars -- Drinkman in the Netherlands, Smilianets in New Jersey -- charged with being among the most prolific of online bad guys in the biggest data-breach prosecution in U.S. history.
Arrested in 2012 while vacationing together in Amsterdam, they’re accused of a conspiracy that pillaged 160 million credit card numbers, targeting Heartland Payment Systems Inc., 7-Eleven Inc., the Hannaford Bros. Co. grocery chain and at least 14 other companies from 2005 to 2012.
The federal indictment paints Drinkman as a master at evading online security and penetrating corporate networks, assisted by Smilianets as the cash-out specialist who priced and sold the card numbers. Three other alleged co-conspirators -- two Russians and one Ukrainian -- remain at large.
U.S. investigators traced online nicknames, stealthy computer code and hidden servers amid a vast professionalized underground before making the arrests. The story of that probe, pieced together from interviews and previously undisclosed legal documents, reveals the ecosystem of Russian hacking, a cyber-realm of easy rewards peopled by educated young men with frustrated job prospects.
Drinkman, who has been fighting extradition to the U.S. for 2 ½ years from a Dutch prison, passes his time reading the book series that gave rise to HBO’s “Game of Thrones.” In his first interview with U.S.-based media, he says he’s innocent of the U.S. allegations.
“They show me as a leader of a group that was damaging U.S. strategic financial infrastructure for 10 years,” Drinkman says from a prison psychiatric ward, where his lawyer says he was transferred as a preventive measure after an unfavorable November ruling in his extradition case. Another hearing is scheduled in The Hague tomorrow.
“I don’t believe the process in the U.S. will be a fair one,” Drinkman says.
Smilianets, who pleaded not guilty to all charges against him in August 2013, sits in jail in Morristown, New Jersey, mastering Spanish, studying Chinese and considering whether to accept a plea deal, according to his father.
The case gives U.S. authorities a relatively rare chance to show there are consequences for people overseas who carry out online depredations against American companies, a deterrent that’s only becoming more difficult to achieve.
“For every Drinkman, there are 15 or 20 others who don’t get caught,” says Jason Weinstein, a former Department of Justice lawyer and a partner at Steptoe & Johnson LLP. “You take a big one off, and it’s like a hydra -- there are many others waiting to take his place.”
In an undated photograph accompanying a July 2012 warrant for his arrest, Vladimir Drinkman, now 34, looks out from under a deep side part in his hair with a slightly sad expression. His wife, Irina Drinkman, describes him as “a gentle soul, a sincere and perhaps even a naïve person.” He avoided social media, she says, one reason there are few images of him online.
Drinkman grew up in Syktyvkar, a small city in Northern Russia. His father ran the technology-supplies department for the state university there, he says in a telephone interview. Drinkman taught himself enough about computers, including programming languages like C++, to work as a system administrator at the university as a student. He left before graduating to serve three years in the military, he wrote in a document reviewed by Bloomberg News.
He began using the Internet in 1995 for gaming, he says, and that’s how he met Smilianets in 2003. They played Counter-Strike, which has become notorious for the amount of cheating, or “hacking,” that takes place during play.
Smilianets, a Moscow resident, had a higher public profile. He founded a gaming team called Moscow Five, or M5, that traveled internationally for competitions. A Twitter account under his name, with a handle that plays off one of his gaming nicknames, dd1ms, has more than 14,500 followers. Images of Smilianets abound online, including some in which he poses with a Russian flag in an M5 uniform shirt. In another, he wears a camouflage bandana, smiling in a close-up that shows hazel eyes, razor stubble and a tendency toward baby fat.
He loved technology, says his father, Viktor Smilianets, a lawyer who once worked for a police investigative unit in Moscow. Dmitriy graduated from Bauman Moscow State Technical University in 2006 with a specialty in information security, but couldn’t find employment in his field, Viktor says.
“The state should look after these boys, help them to find a job because they are really talented, capable,” he says during an interview at his Moscow offices. “They should have received help and none of this would have happened. These are Russian brains. They could do a lot for the country.”
Smilianets’s lawyer, Andrey Tikhomirov, declined to comment.
When the global financial crisis hit, Dmitriy focused more on his gaming, and Moscow Five won enough prize money, Viktor Smilianets recalled, that Dmitriy could build a large house for his wife, Yulia, and two sons outside Moscow.
Drinkman, who moved to Moscow in 2004, says he got interested in the stock market and worked as a financial consultant. He dabbled in real estate as well, building and selling two houses outside the capital, says his wife, Irina.
Drinkman says he had questions about where Smilianets was getting the money to run M5, but never got a direct answer. Besides -- as Drinkman would ultimately confess years later -- money pressures eventually spurred him into questionable activities online himself.
“Due to the need to maintain my family and difficult financial problems in 2010 I registered myself with a number of closed hacker and carder forums … devoted to the discussion of methods of stealing of money from clients of different financial institutions,” he wrote to the Russian Interior Ministry in a document reviewed by Bloomberg News.
As time passed, the two men grew close. Smilianets was someone to drink vodka with and join on the occasional fishing trip, Drinkman says.
The U.S. Secret Service and Department of Justice formed a darker view of the two men’s relationship -- aided by their investigation into a double-crossing American hacker by the name of Albert Gonzalez.
By 2004, the two agencies were deep into an investigation of a hacking organization known as Shadowcrew, which was devoted to electronic theft and payment card fraud. They had an informant in Gonzalez, who gave federal agents entrée to the criminal market to avoid jail time for his own hacking arrest in July 2003. The operation eventually led to more than 20 arrests in October 2004.
Unbeknownst to his handlers, Gonzalez returned to digital thieving, working with an international crew to lift credit-card numbers from retailers including TJX Cos.’s T.J. Maxx, OfficeMax Inc., 7-Eleven and Sports Authority Inc.
When prosecutors got wise, they indicted Gonzalez in 2008 in Massachusetts and New York and the next year in New Jersey. They’d connected him with two Russians, identified in the New Jersey indictment only as “Hacker 1” and “Hacker 2.” Prosecutors later said that Drinkman was Hacker 2. Gonzalez pleaded guilty to all the charges in 2009. He’s serving two concurrent 20-year prison terms.
Shadowcrew investigators identified Smilianets as “a large scale vendor of stolen credit card track data,” according to a document prepared by the Justice Department’s Office of International Affairs. By 2012, U.S. officials believed him to be among the world’s top sellers of stolen card data, that document says.
Ultimately, prosecutors described a conspiracy in which Drinkman, Gonzalez and others found vulnerabilities in companies’ information systems, then used malware to exploit the weaknesses and steal passwords and credit-card numbers. Smilianets marketed the numbers they found, prosecutors allege, and set prices: $10 for each American number and its associated data, $50 for European numbers and $15 for Canadian. Bulk customers and repeat customers got discounts, according to a July 2013 indictment.
U.S. allegations against the two men morphed over time, so it’s hard to say how many details investigators had in place before June 2012, when Smilianets and Drinkman traveled to Amsterdam with their wives on vacation. For Vladimir and Irina Drinkman, parents of a then-1-year-old daughter, it was their first trip to Western Europe. They stayed at the recently renovated Manor Hotel, a 19th Century brick former hospital with a sleek, ultramodern interior. Three days in Amsterdam wasn’t nearly enough, so instead of going to Belgium as planned, they decided to stay, Irina recalls.
On the fourth morning, Irina’s mobile phone rang. It was Smilianets’ driver, calling from Moscow, she says, with distressing news: Dmitriy had been arrested in Amsterdam.
Stunned, the Drinkmans called for a cab and took off. They sped through the streets in a kind of shock. Suddenly, as if in an action film, another car barricaded the road in front of them. A man in civilian clothes walked over and spoke in English. Irina understood only that they were taking Vladimir away in handcuffs, she says.
U.S. authorities were tipped off that Drinkman and Smilianets were in the Netherlands -- and thus subject to arrest under an extradition treaty. The tip came from a reliable source: Smilianets himself had posted photos to his Facebook page, according to Drinkman and Bart Stapert, Drinkman’s Dutch lawyer.
An initial arrest request, sent to Dutch authorities by the U.S. Justice Department on June 27, 2012, focused almost entirely on Smilianets and his alleged role in processing stolen credit-card numbers. The same e-mailed request identified Drinkman as an associate of Smilianets who went by the nickname “Scorpo” and had sold credit card numbers on a cybercrime forum called DumpsMarket. “Russian authorities” had confirmed that Drinkman was Scorpo, according to an affidavit by the U.S. Secret Service filed under seal.
Drinkman denies having any connection to that nickname. The Russian consulate couldn’t confirm that Russian authorities shared any information with the U.S., says Stapert, who submitted a formal request. Sofia Sarenkova, a spokeswoman for the Russian embassy in the Netherlands, declined to comment on Drinkman’s case.
A month later, U.S. authorities scrapped those allegations and sent a new indictment to the Netherlands. This one accused Drinkman of a different list of hacks linked to Gonzalez. It didn’t mention Smilianets at all.
In all, the document listed 11 “corporate victims” of the conspiracy, including 7-Eleven; J.C. Penney Co.; Hannaford Bros.; Heartland Payment; and the Belgian bank Dexia SA.
That indictment also said Drinkman lived in St. Petersburg, not Moscow. Such errors, and the shifting charges against him, strengthened his resolve to fight extradition, he says.
Smilianets, on the other hand, agreed to extradition and was in the U.S. by September 2012. His father, Viktor, says he urged that course after learning that Russia’s Foreign Ministry would offer no help in the case. Dmitriy would have had to be charged with a crime in Russia for Russian officials to request his return, Viktor learned.
In July 2013, U.S. prosecutors released a superseding indictment that publicly identified Drinkman and Smilianets for the first time. This version charged three additional conspirators and brought the list of victims to 17, adding Commidea, a European payment processor; the French grocer Carrefour SA; a Middle Eastern bank identified only as Bank A; Visa Inc.’s Jordanian card services arm; Discover Financial Services’ operations in Singapore; and a cash card company called Ingenicard US Inc.
The indictment characterized Drinkman as a “sophisticated hacker” who specialized in penetrating corporate networks and harvesting data. Together, the conspirators caused losses of more than $300 million at just three of the companies, according to the indictment.
Drinkman says he has never met the three other men named: Roman Kotov of Moscow, Aleksandr Kalinin of St. Petersburg and Mikhail Rytikov of Odessa, Ukraine -- all of whom remain free. Of them, the least is known about Kotov. His specialty, according to the indictment, was harvesting data from networks that Drinkman and others broke into. Attempts to find him in Moscow for comment were unsuccessful.
The indictment contained more information about Kalinin, whom prosecutors in New Jersey identified as “Hacker 1” from the 2009 Gonzalez indictment. The 2013 indictment says Kalinin and Gonzalez sent each other several instant messages. In one from January 2008 -- around the time prosecutors say Kalinin was gaining access to Nasdaq’s computer network -- he allegedly told Gonzalez: “Nasdaq is owned.”
Kalinin was active in online hacking forums in the mid 2000s, according to Don Jackson of PhishLabs, a cybersecurity firm in Charleston, South Carolina. Jackson says he met Kalinin online while posing as a hacker to monitor such forums. Kalinin, who Jackson says has been less active recently, couldn’t be reached for comment.
Rytikov, the Ukrainian, is charged with supporting the team’s hacking by providing “bulletproof hosting” -- a web of servers scattered across the world from New Jersey to Panama to Ukraine. Team members used the servers to launch attacks, store data and hide their locations, according to the indictment. Rytikov’s services included frequently changing the locations of hacking platforms and erasing the contents of platforms on short notice, the indictment says.
Rytikov is also charged with wire fraud, aggravated identity theft and accessing protected computers in a separate indictment in Virginia, and with conspiracy, computer damage and aggravated identity theft in yet another indictment in Pittsburgh in 2014. Those charges are pending. He studied law at Odessa Maritime University though he never practiced, according to an interview his mother gave to a Ukrainian newspaper in 2013.
“The hosting company is like storage boxes, where hosting clients keep their belongings,” said Arkady Bukh, who represents Rytikov in the New Jersey case. “The issue is whether a company has knowledge, supports and shields criminals -- and that’s what we are denying.”
While Drinkman fights extradition to the U.S., Smilianets is being held in New Jersey with no trial date, as yet. His father, who speaks to him once a week, says he spent $50,000 on his son’s defense last year. When he applied for a visa to visit Dmitriy in the U.S., it was denied, he says.
Prosecutors have offered plea deals, Viktor says, but his son hasn’t decided whether to take one. The elder Smilianets says he hopes Dmitriy will -- though he wonders about the strength of the evidence. He says he has his son’s computer, so U.S. investigators didn’t get it.
“I think they have troubles with evidence -- when the guilt is proved there is no need for plea bargains,” Viktor says. “Americans love to exaggerate; they just want to say, ‘Look, we caught a big fish.’”
Paul Fishman, the U.S. attorney in New Jersey, said his office is “confident that we have sufficient evidence to obtain a conviction at trial.” Fishman’s office declined further comment, citing an ongoing investigation, said spokesman Matthew Reilly.
In addition to the “Game of Thrones” books, Drinkman spends his time reading “Metro 2034,” a Russian science-fiction novel about people trying to survive in Moscow’s subway after a nuclear war. He’s adamant that he’s not the hacker U.S. authorities say he is.
“Hacker is an elastic notion,” Drinkman says. “Now every third person is called a hacker because he has technical skills and not because he is actually using them.”
Stapert, his attorney in the Netherlands, says he’s seen no specific evidence linking Drinkman to the hacks alleged in the indictment. Prosecutors seem to be trying to clear up unsolved cases by attributing them to his client and the other men, Stapert says.
“I’m not claiming his innocence, but that doesn’t mean he’s guilty of all the different hacks,” Stapert says.
Drinkman has confessed to at least some hacking. In March 2013, he wrote a detailed confession from prison for Russian authorities, saying he helped conduct intrusions at Russian banks using a type of malware known as “Carberp,” according to documents reviewed by Bloomberg News.
Russia filed its own extradition request for Drinkman in August 2013, and a Moscow judge issued what amounted to an arrest warrant on accusations of cyber-crime fraud.
From Russia’s point of view, the U.S. is “hunting” Russian nationals, according to a Nov. 5 statement on the website of the Foreign Ministry’s human-rights representative, Konstantin Dolgov.
“Practice shows that Russians extradited to the U.S. from third countries are very likely to experience a politicized approach by judicial authorities” in the U.S., Dolgov said. Russia will continue to try to protect Drinkman’s rights and legal interests, he said.
Drinkman declined to comment on the Russian charges, but said he could expect to get up to 10 years in prison in Russia. He said he fears he’ll get up to 25 years in prison in the U.S., even if he cooperates. The conspiracy and wire fraud charges carry maximum prison time of 30 years. Sentences for various counts are usually served concurrently.
In November, the Dutch justice minister approved Drinkman’s extradition to the U.S. He continues to fight it. At a hearing tomorrow, Stapert intends to argue that it would be a human-rights violation to force Drinkman to serve a hacking sentence in the U.S.
“That will be the end -- the end of my family life and maybe the end of my life in general, because there is no hope I’ll ever leave the prison,” Drinkman says. “Of course I’m afraid.”
The case is U.S. v. Drinkman, 09-cr-00626, U.S. District Court, District of New Jersey (Newark).