Russian Alleged Hacker Talks About Fighting U.S. ExtraditionBy , , and
Muscovites Vladimir Drinkman and Dmitriy Smilianets met online in 2003, playing Counter-Strike, a PC shooting game. Pitting terrorists against security agents, Counter-Strike, released in 1999, has long been notorious for the “hacks” that players could use to gain advantages by altering the game’s code. Tweak the program one way, and you can fire weapons through walls; another way, and your cross hairs automatically track enemies. U.S. authorities are concerned about a different kind of hack: They’ve charged Drinkman and Smilianets in the biggest data-breach prosecution in U.S. history.
The federal indictment accuses the men of stealing 160 million credit card numbers by hacking into the systems of at least 17 companies, including foreign operations of Visa and Discover Financial Services as well as 7-Eleven, the Hannaford Bros. grocery chain, French grocer Carrefour, and Heartland Payment Systems, which processes payments for hundreds of thousands of businesses. Prosecutors allege that Drinkman penetrated corporate networks while Smilianets sold stolen card numbers online, and that their hacks at just three of the companies caused losses of more than $300 million. Three other alleged co-conspirators, two from Russia and one from Ukraine, remain at large.
In the indictment, the prosecution alleges that, beginning in 2005, Drinkman and Smilianets were part of a group of hackers who collaborated through simple methods to attack companies’ websites and infiltrate their databases. The hackers disabled security programs designed to log traffic to and from the networks, rented the servers they used for attacks under false names, and communicated through a series of online aliases. On black market websites, they charged $10 per stolen U.S. card, $15 for Canadian cards, and $50 for European ones, according to the indictment. Credit card thief Albert Gonzalez, now serving two concurrent 20-year prison terms, was convicted of, among other things, participating in several of the attacks.
Smilianets, 29, has pleaded not guilty and is awaiting trial in jail in Morristown, N.J., having agreed to be extradited shortly after his arrest in Amsterdam. Drinkman, 34, is sitting in a Dutch prison awaiting a Jan. 27 final ruling on his extradition to the U.S., which he’s been fighting for two and a half years. In an interview with Bloomberg Businessweek, his first with American media, he says he’s innocent of the charges and that he’s not the hacker the U.S. Department of Justice claims. “ ‘Hacker’ is an elastic notion,” he says. “Now every third person is called a hacker because he has technical skills, and not because he is actually using them.”
Smilianets’s father, Viktor, says his son is considering a plea deal but wonders about the strength of the evidence against him, as the authorities don’t possess his computer. Through a spokesman, U.S. Attorney Paul Fishman says prosecutors are “confident that we have sufficient evidence to obtain a conviction at trial,” declining to comment further.
Drinkman grew up in Syktyvkar, a small city in northern Russia, where his father managed technology supplies for a state university. The younger Drinkman studied computers and worked as a system administrator at the school but dropped out in 1998 to serve three years in the military. A couple of years later, he was playing Counter-Strike online when he met Moscow teen Smilianets, a competitor in international gaming tournaments. Smilianets graduated from college in 2006 with a specialty in information security but couldn’t find employment in his field, says his father, a lawyer.
Drinkman says he and Smilianets became drinking and fishing buddies. He says he was working as a financial consultant and wondering where his friend was getting the funds to run his gaming team but never got a direct answer. Like Smilianets, he denies that their camaraderie led to a hacking partnership. Drinkman has, however, admitted to at least some hacking. Two years ago he wrote a confession to the Russian Ministry of the Interior, saying that beginning in 2010 he helped plan and conduct intrusions at Russian banks, according to documents reviewed by Bloomberg Businessweek.
In June 2012, Smilianets and Drinkman traveled to Amsterdam with their wives on vacation. On their fourth morning there, the Drinkmans were told Smilianets had been arrested. They jumped in a cab, only to find their path barricaded by police, who took Vladimir Drinkman away in handcuffs. How did American authorities find out the duo were in the Netherlands, which has an extradition treaty with the U.S.? According to Drinkman and his Dutch lawyer, Bart Stapert, the source was vacation photos that Smilianets had posted to Facebook.
In jail, Smilianets is mastering Spanish and studying Chinese, his father says, while Drinkman passes time in the Dutch prison reading books in the series that gave rise to HBO’s Game of Thrones. At Drinkman’s final hearing on Jan. 13, his attorney, Stapert, said there was “no proof” his client took part in the massive hacking conspiracy the U.S. has alleged. Noting that most of the charges against Drinkman and Smilianets were added to the indictment after their arrests, he said prosecutors may be trying to pin unsolved cases on the defendants. “There are many Russian hackers, but it doesn’t mean they all cooperate,” Stapert said. Smilianets’s lawyer, Andrey Tikhomirov, declined to comment.
Russia filed its own extradition request for Drinkman in August 2013. Although Drinkman wouldn’t discuss his confession to the Russian interior ministry or the charges being pressed by his homeland, he says he’s been told they could bring a maximum of 10 years in Russian prison, vs. 25 in the U.S. The major U.S. charges he faces, for conspiracy and wire fraud, carry maximum sentences of 30 years, usually served concurrently. The Americans “show me as a leader of a group that was damaging U.S. strategic financial infrastructure for 10 years,” says Drinkman. “That will be the end—the end of my family life and maybe the end of my life in general. Of course I’m afraid.”
The Russian Foreign Ministry’s human-rights representative, Konstantin Dolgov, says Russians extradited to the U.S. “are very likely to experience a politicized approach by judicial authorities” and that his country will keep trying to protect Drinkman’s rights. André ten Broeke, a lawyer representing the Dutch government, said at the hearing that politics shouldn’t factor into the decision.
For U.S. authorities, the case is a relatively rare chance to show there are consequences for hackers who target American companies. That problem is only getting worse, says Jason Weinstein, a former Justice Department lawyer and a partner at law firm Steptoe & Johnson. For every arrested corporate hacker, “there are 15 or 20 others who don’t get caught,” Weinstein says. “It’s like a hydra. There are many others waiting to take his place.”
The bottom line: The U.S. may have a rare chance to prosecute two Russians charged with hacking 160 million credit card numbers.