A Russian cyber-criminal who hacked into three tech companies and stole more than 100 million user credentials will not have to pay restitution to his corporate victims.
Yevgeniy Aleksandrovich Nikulin was found guilty in July 2020 of causing data breaches at LinkedIn, Dropbox, and the now defunct social media platform Automatic in 2012.
Speaking during the closing arguments of Nikulin’s trial, Assistant United States Attorney Katherine Wawrzyniak told the jury: “The data from one intrusion facilitated the next.”
Nikulin gained access to LinkedIn’s data by hacking into the personal computer of LinkedIn engineer Nick Berry, then installing malware that gave him access to Berry’s virtual private network (VPN) and the login credentials used by Berry to work remotely.
Nikulin used Berry’s credentials to access LinkedIn’s internal database and steal user credentials, which he then sold to associates. Some of the stolen data was used by Nikulin to infiltrate the work account of Dropbox employee Tom Wiegand and gain access to a shared employee Dropbox account.
Next, Nikulin used credentials stolen from Dropbox to compromise the work account of Formspring employee John Sanders and exfiltrate millions of hashed user passwords.
Nikulin was sentenced to serve 88 months in federal prison by US District Judge William Alsup. Nikulin was further ordered to pay LinkedIn half the $2m restitution that the company had requested.
Alsup also ordered Nikulin to pay restitution of $514,000 to Dropbox, $20,000 to Formspring, and $200,000 to WordPress parent company Automatic.
On Wednesday, the Ninth Circuit overturned the restitution award. A three-judge panel found insufficient evidence to justify the compensation payment of $1.7m.
The order issued by the panel stated: “Although trial testimony and logs submitted at trial showed the extent of the victims’ responses to the computer intrusions, that evidence did not provide a basis for determining the costs incurred by the victims in mounting those responses.”
Letters submitted to the court by the victim companies were deemed by the judges not to satisfy government requirements to provide a complete accounting of the losses to each victim to the extent practicable.
However, the panel did uphold the prison sentence of more than seven years handed to Nikulin by Alsup.