Identifying cyber-criminals is No. 1 challenge, high-profile lawyer says

Saturday, July 19, 2014, 9:00 p.m.

A hacker known as “Track2” helped steal more than 200,000 credit card numbers from small retailers across the United States and sold them online to other criminals for more than $2 million, according to a federal indictment.

“This is a very, very famous hacker,” said Arkady Bukh, a Brooklyn-based defense attorney. “... That person deserves to be sentenced to a very, very long jail time. It's not a question.”

The real question, Bukh said, is whether federal prosecutors can prove that Track2 is Roman Seleznev, the son of a Russian parliament member who was captured in the Maldives this month and taken to the U.S. territory of Guam, where he was charged with 29 computer-related crimes.

Bukh, 41, would know the distinction. He has represented more than a dozen major hacking defendants, as well as arms dealers, human smugglers and child porn purveyors. He represents one of Seleznev's co-defendants.

Thanks to taking on high-profile cases, Bukh is becoming better known. Last week, he was in Boston defending Azamat Tazhayakov, a college student from Kazakhstan charged with obstructing the investigation of Boston Marathon bombing suspect Dzhokar Tsarnaev. The government accused Tazhayakov of tossing out a backpack and fireworks that Tsarnaev left behind in his dorm room.

Bukh has an office on Manhattan's Wall Street and hangs his shingle on a two-story house with pink trim in Brooklyn's Sheepshead Bay neighborhood, a working-class area popular among Russian immigrants. A store awning down the street advertises headstones with Cyrillic letters.

He was born near Moscow, but his family moved to Israel. He moved to New York in 1992. He lives on Staten Island with his wife, who is a doctor, and their two children.

Bukh, who speaks with a heavy Russian accent, completed the foreign lawyer program at New York Law School. He talks with hackers and advertises his legal services in chat rooms on the hidden Internet. Many of his federal cases end in plea agreements, and Bukh boasts online about winning reduced sentences for hacker clients.

“Even in those cases where (hackers) are known to the government, to know and to prove it may be a huge difference,” Bukh told the Trib. “Specifically, when we're talking about Russia, we're talking about someone sitting behind his computer, and it's hard to prove this is exactly the person and not his brother, not his niece and not his father playing on that computer.”

Federal investigators in Pittsburgh indicted Russian Evgeniy Bogachev on hacking charges last month, but used only nicknames for four other hackers in a related civil suit.

The FBI continues to work at putting names to those nicknames, said FBI special agent J. Keith Mularski, the cyber crimes supervisor who led the investigation from Pittsburgh.

“It can be very hard because when you think about it, the good hackers are going to use many different layers of anonymity,” Mularski told the Trib. “It is very difficult, especially if they really keep their criminal persona free from their real-person person.”

Though Bukh is not representing Bogachev, federal records show that his client list includes major hackers:

• Oleg Nikolaenko, 27, of Moscow, who was arrested at the Bellagio hotel in Las Vegas in 2010 and charged with running “Mega-D,” a botnet capable of sending 10 billion spam emails a day. Prosecutors said it accounted for 32 percent of all spam at one point.

Less than three years later, Nikolaenko pleaded guilty to running Mega-D and walked out of federal prison with time served plus three years of probation.

• Mikhail Rytikov, 27, of Odessa, Ukraine, who is charged with providing the computer servers for a crime ring that stole 160 million credit card numbers from retailers such as 7-Eleven, JCPenney and JetBlue Airways and that caused more than $300 million in losses. Rytikov remains at large.

• Vladimir Tsastsin, 34, of Estonia, charged with infecting 4 million computers in more than 100 countries, redirecting users' mouse clicks from legitimate websites such as iTunes, Netflix and the IRS to sham sites. In other cases, the hackers replaced banner advertising on websites for the Wall Street Journal, ESPN and with other ads.

In all, Tsastsin's crew made at least $14 million, prosecutors say. Tsastsin was arrested in Estonia, and the United States is seeking his extradition.

Online hacking cases are tough for investigators because criminals can easily cover their tracks, legal experts agree. Even when the trail leads to a single computer, it can be hard to prove who was at the keyboard.

“We really haven't settled on what the burden of proof should be on how we attribute these cyber attacks back to a given individual or a given entity,” said Scott Shackelford, a law professor and senior fellow at the Center for Applied Cybersecurity Research at Indiana University. “It's really unsettled in international law, and to a certain extent, it's unsettled in domestic law, too.”

To make a case, the FBI looks for similarities in the habits of a hacker's online persona and a real-world suspect, Mularski said. That means tracking where the person accesses the Web, the operating system he uses and what he does online. If a hacker slips up, investigators might be able to identify his computer's unique Internet Protocol address.

“It may all be circumstantial, but then you get a preponderance of circumstantial evidence, that then may be able to lead to probable cause for a search warrant,” Mularski said.

Often, investigators are forced to wait until the hacker makes a mistake, said Daniel Garrie, executive managing partner of Law & Forensics, an Internet security firm in New York. That means researching online histories for an instance when the suspect used his real name, or chatting with criminals online until the suspect says something revealing.

“They're using social engineering,” Garrie said. “Nobody's perfect, right? So you sit and you have a conversation. You talk to somebody. It's just one little slip-up or exposure.”

Mularski agreed that even the most-sophisticated criminals leave a trail.

“You can be as anonymous as you want, but you're always still leaving things,” Mularski said. “As a hacker doing criminal activity, you've got to be perfect every time.”

Based on his experience, Bukh said Russian hackers seem to be getting angrier as the United States steps up enforcement. Criminals break into computers to steal money, he said, but many do it for pride, too.

Cartoon videos online feature one of Bukh's clients, Vladislav Horohorin, 31, a Russian known as “BadB” who pleaded guilty to selling stolen credit card numbers. One video shows former President George W. Bush finding out his bank account has been emptied, and another has Russian President Vladimir Putin handing out medals to hackers.

Horohorin was arrested in Nice, France, in 2010 and taken to Washington for trial. He pleaded guilty to two counts and is serving 88 months in a Connecticut federal prison.

“The government is doing what they can,” Bukh said, “but surely now the hackers are trying to steal as much as they can.”

Andrew Conte is a staff writer for Trib Total Media. He can be reached at 412-320-7835 or
