SAN FRANCISCO – Yevgeniy Alexandrovich Nikulin was sentenced to 88 months in prison for hacking into LinkedIn, Dropbox, and the now-defunct social networking company formerly known as Formspring, announced United States Attorney David L. Anderson and FBI Special Agent in Charge John L. Bennett. The sentence was handed down by the Honorable William H. Alsup, U.S. District Judge.
The sentence follows a guilty verdict after a 6-day jury trial. A jury found that Nikulin, 32, of Russia, hacked into computers belonging to LinkedIn, Dropbox, and Formspring, damaged computers belonging to LinkedIn and Formspring by installing malware on them, stole and used the login credentials for employees at LinkedIn and Formspring, and sold and conspired with others to sell customer data he stole as a result of his hacks. Evidence at trial showed that Nikulin was located in Moscow when he hacked into a computer belonging to a Bay Area-based LinkedIn employee and installed malicious software on it, allowing him to control the computer remotely and to use the employee’s credentials to access LinkedIn’s corporate VPN. Once he had access to corporate systems, Nikulin stole a database containing LinkedIn users’ login information, including encrypted passwords. In addition, the evidence demonstrated that Nikulin was behind similar intrusions and thefts of data at Dropbox and at Formspring. The Court also found that Automattic, parent company of WordPress.com, was the victim of an intrusion by defendant, although there was no evidence that defendant stole any customer credentials. Nikulin was arrested while traveling in the Czech Republic on October 5, 2016, and extradited to the United States to face trial on March 30, 2018.
When discussing the reasons for imposing the 88-month prison term, Judge Alsup made clear that he hoped the sentence would send a message to deter anyone, including persons living overseas, from engaging in similar conduct.
Nikulin’s trial began in March, but proceedings were suspended after just two days in light of the COVID-19 pandemic and ensuing closure of the federal courthouse. The trial resumed on July 7, 2020, with the defendant, the attorneys, and Judge Alsup wearing masks, and the courtroom configured to allow social distancing by all participants. Witnesses testified from behind a glass panel to allow testimony to be given while maintaining social distancing. The trial was broadcast via Zoom to allow the public to view the proceedings without entering the courthouse. Nikulin was convicted of selling stolen usernames and passwords, in violation of 18 U.S.C. § 1029(a)(2); installing malware on protected computers, in violation of 18 U.S.C. § 1030(a)(5); conspiracy, in violation of 18 U.S.C. § 371; computer intrusion, in violation of 18 U.S.C. § 1030(a)(2)(C); and aggravated identity theft, in violation of 18 U.S.C. § 1028A(1).
Nikulin has been in U.S. custody since his extradition from the Czech Republic and will begin serving his sentence immediately.
Assistant U.S. Attorneys Michelle J. Kane and Katherine Wawrzyniak are prosecuting the case with the assistance of Helen Yee, Jessica Rodriguez Gonzalez, and Kim Richardson. The prosecution is the result of an investigation by the Federal Bureau of Investigation, with the assistance of authorities in the Czech Republic, the U.S. Secret Service and the U.S. Department of Justice’s Criminal Division, Office of International Affairs.