
Case of Ukrainian wanted in Western Pennsylvania spotlights difficulty of hacker fight

Wednesday, Sept. 10, 2014, 11:15 p.m.
Federal prosecutors in Western Pennsylvania recently brought charges against Ukrainian hacker Mykhailo Sergiyovych Rytikov, charging him with providing servers to criminals who stole bank account information from computer users. U.S. Attorneys in New Jersey and Virginia also have charged Rytikov with computer crimes, including the theft of 160 million credit card numbers. He remains at large in Eastern Europe.

Federal prosecutors can't even agree on the spelling of his name.

But across three jurisdictions, they believe a Ukrainian hacker has been responsible for a slew of computer attacks that make recent disclosures about Home Depot and Target data breaches seem small.

Here in Pittsburgh, the U.S. attorney recently charged Mykhailo Sergiyovych Rytikov with providing the servers for malicious computer software used by criminals to steal online banking credentials. They hit at least two dozen victims across Western Pennsylvania — in Pittsburgh, Erie, Monroeville, Bethel Park, Canonsburg, Irwin, Warrendale, Homestead, Carnegie, Oil City and Ebensburg. The indictment does not identify individual victims.

In New Jersey, he is wanted by a slightly different first name in a 2009 case that says he lived in Odessa, Ukraine, and provided anonymous web-hosting services for a criminal ring that bagged more than 160 million stolen credit card numbers and caused more than $300 million in damages.

The cyber criminals grabbed the numbers from high-profile retailers such as 7-Eleven and JCPenney, as well as Heartland Payment Systems, a credit card processor in Princeton, N.J., and Plano, Texas, according to federal court documents.

By comparison, the unrelated Home Depot data breach announced this week might involve as many as 60 million stolen numbers.

Rytikov appears in one other federal indictment, from the Eastern District of Virginia. There, prosecutors say he helped run a useful service for online criminals: They could check batches of stolen credit, charge and debit cards to see which ones remained valid and active.

He and another defendant checked and stored about 1.8 million unique card numbers along with the victims' personal identification, court records say. The service allowed criminals to avoid buying stolen cards that no longer work, and prosecutors say it helped them steal more than $12 million.

U.S. Attorney David Hickton in Pittsburgh declined to talk about Rytikov. A spokesman for prosecutors in New Jersey also declined to comment, and the lead attorney in Virginia did not respond to requests for comment.

Rytikov remains at large in eastern Europe and does not plan on coming to the United States to face arrest, said his defense attorney, Arkady Bukh, a Russian-born lawyer in Brooklyn, N.Y.

He said Rytikov provided hosting services, which have legitimate and legal uses, but is not a hacker. To make its case, the U.S. government would have to prove that Rytikov knew the people using his services were criminals, he added.

“We're not arguing that he is a hosting guy,” Bukh told the Trib. “What we're arguing is whether he knew or not that those people are hackers, carders, virus spreaders. That's the argument.”

The inability of federal prosecutors to nab Rytikov shows how hard it can be for law enforcement to reach foreign hackers even when they think they know who they are and what they've been doing.

“I definitely don't think it's impossible, because we have seen more cases being brought,” said Scott Shackelford, a law professor and senior fellow at the Center for Applied Cybersecurity Research at Indiana University in Bloomington, Ind. “But clearly, there's a long way to go, and we don't know whether it's actually stemming the problem or not because the data is far from reliable.”

In the indictments, information about Rytikov and his co-defendants has been redacted from the public record to hide online names and other personally identifying information. An arrest warrant filed in New Jersey says only that he is male, leaving blank areas that could include last known residence, hair and eye color, or his height and weight.

Oftentimes in cyber cases, prosecutors have a major challenge linking a defendant's online persona or nickname with a real-world person, Bukh said. They might know a hacker by his handle and see what he has done, but it might be harder to prove who he is.

In the case filed in Pittsburgh, prosecutors say Rytikov and two others — identified only as John Doe 1 and 2 in the redacted filing — provided a “bulletproof” service that allowed other criminals to open the so-called Zeus software. With it, criminals could steal confidential personal and financial information from unsuspecting victims.

In June 2009, for example, criminals stole a Pittsburgh victim's user name and password for a National City Bank online account. National City is now part of PNC Bank. A spokeswoman there declined to comment.

In another case that month, hackers took a Canonsburg victim's Google email account name and password, along with the person's American Express account name, password and number.

Andrew Conte is a staff writer for Trib Total Media. He can be reached at 412-320-7835 or andrewconte@tribweb.com.
