The conviction of two former, high-ranking Russian cybersecurity officials for undisclosed acts of treason last month underscores deteriorating cybercrime cooperation between Washington and Moscow, as U.S.-Russia tensions have spiked to their highest levels since the Cold War.
At the heart of this intrigue are Colonel Sergei Mikhailov, a former deputy director of the computer crimes unit of the Federal Security Service (FSB), and Ruslan Stoyanov, a senior researcher at Kaspersky Lab, a cybersecurity firm.
On February 26th, the Moscow Regional Military Court sentenced Mikhailov to 22 years in a penal colony on two counts of treason (Article 275 of the Criminal Code of the Russian Federation), and Stoyanov to 14 years of jail on one count of treason. Both men maintained their innocence throughout the trial.
The secretive legal proceedings were closed to the media until the day of the verdict, when a judge allowed journalists into the courtroom to hear him sentence the defendants, without ever explaining the nature of their crimes.
Despite the clandestinity of the military court’s charges, speculation has swirled that the case against both men is linked to the notorious hack of the 2016 U.S. election. The prevailing narrative in Russian media is that the defendants leaked information about the hacking of Democratic National Committee (DNC) servers to the Federal Bureau of Investigation (FBI), drawing the Kremlin’s ire.
Adding credibility to this claim is Ivan Pavlov, previously a lawyer for a defendant arrested in the same case as Mikhailov and Stoyanov. Pavlov told CNN that both men were involved in a two-year-long campaign of treason “on behalf of the United States.”
Moreover, an “informed source” told Russian news outlet Interfax that the “defendants transferred confidential information to U.S. intelligence services – in particular, the CIA, leading a ‘double game’ and disguising their contacts with foreigners as pseudo-recruiting activities.”
Additionally, Russian newspaper Kommersant reported unverified claims that the defendants received as much as $10 million for sharing government documents with American security services.
While their exact crimes remain unclear, what remains certain is that both men were arrested in early December 2016, one month after the U.S. general election. In a scene reminiscent of a spy novel, Mikhailov, once the top FSB liaison for Western cybercrime law-enforcement officials, was detained in the middle of an internal meeting with his fellow agents, who threw a black bag over his head and escorted him to jail.
Adding further intrigue to this spy caper is the role a Russian businessman and convicted cybercriminal played in the prosecution of both men. According to ChronoPay chief executive Pavel Vrublevsky, who was previously targeted by Mikhailov in a hacking probe that led to his conviction and imprisonment in a Russian penal colony for one-and-a-half years, the case against both cybersecurity officials stems from allegations he made in 2010.
Vrublevsky, who testified in court for three hours against the treason suspects, told CCN that in 2010, he prepared a report for Russian authorities that accused Mikhailov of using intermediaries to leak information about his credit-card processing company and other companies allegedly involved in cybercrime to the FBI.
Mikhailov allegedly loaded a CD with confidential data from his probe into Vrublevsky’s ChronoPay, then gave that CD to his FSB subordinate, Dmitry Dokuchaev, who then passed the disk to Stoyanov. Stoyanov allegedly brought the CD with him when he attended Microsoft’s Digital Crimes Consortium conference in Montreal, Canada, where he supposedly slipped the disk to Kimberly Zenz, a former threat analyst for American cybersecurity firm iDefense.
The contents of this clandestine CD allegedly served as the source material for a series of damning iDefense reports that Zenz wrote about the Russian cybercrime ecosystem, with a focus on ChronoPay and Vrublevsky in particular. Vrublevsky has accused Zenz of being an undercover operative for the Central Intelligence Agency.
When approached by CCN, Zenz said she’s “definitely not CIA” and denied ever receiving a CD from Stoyanov. She calls Vrublevsky a significant figure in the world of Russian cybercrime and acknowledges playing “some role in his conviction.”
“He’s been pedaling conspiracy theories about us ever since his arrest,” Zenz said.
In 2013, a Russian court convicted Vrublevsky of hiring a pair of hacker brothers to launch a distributed denial-of-service (DDoS) attack against the payment firm Assist, one of ChronoPay’s competitors. Mikhailov led the DDoS investigation and served as an expert witness against Vrublevsky in the case.
Notorious for allegedly operating an illicit pharmaceutical business that hired hackers to send billions of spam marketing emails, Vrublevsky is the chief antagonist of cybersecurity journalist Brian Krebs’s 2014 book, “Spam Nation.” But Vrublevsky denies this characterization of him as a cybercrime mob boss, insisting that he was scapegoated and vilified by Mikhailov after he accused the former FSB Colonel of betraying Russia a decade ago.
This version of events contradicts another prevailing narrative in Western and Russian media – that the prosecution of Mikhailov and Stoyanov was fueled by Vrublevsky’s quest for revenge. According to Vrublevsky, this is “obvious bullshit.”
While journalists like Krebs have said that the most likely explanation for Mikhailov and Stoyanov’s prosecution was “a long-running grudge held by Pavel Vrublevsky,” the ChronoPay boss told CCN:
“It’s quite clear that it was entirely the other way around,” he said. “I blamed him, he put me in prison, I got out and he finally got prosecuted for what I originally accused him of doing.”
Western media has seized on Mikhailov’s legal ordeal as an opportunity to depict Russia as a rogue state sliding further into lawlessness as it increasingly sides with domestic cybercriminals, instead of Western law enforcement partners. However, Vrublevsky disputes this.
“It’s completely ridiculous that U.S. media is defending Mikhailov when he is actually accused by the FBI, it seems, under the name of ‘FSB Officer 3’ in the Yahoo hacking indictment,” he said. “This kind of nullifies the whole idea about bad Vrublevsky.”
The case to which Vrublevsky is referring to is a series of intrusions into Yahoo in 2013 and 2014, which compromised 3 billion user email accounts. In the indictment, U.S. prosecutors refer to FSB Officer 3 as a “supervisory FSB officer,” who was “assigned to Center 18.” FSB Officer 3 allegedly helped his co-conspirators hack into several victim accounts. The FBI did not respond to CCN’s request for comment on Vrublevsky’s claims.
While lawyers for Mikhailov and Stoyanov are currently appealing their sentences to Russia’s supreme court, according to Interfax, the former FSB colonel has also been linked to the crypto underworld.
In a contentious July 2018 comment thread on Vrublevsky’s Facebook wall, Igor Ashmanov, one of Russia’s most influential tech moguls, accused Mikhailov of previously controlling rogue bitcoin exchange BTC-e, which was shut down by American law enforcement in 2017.
While the facts of the Mikhailov case may forever remain a Russian state secret, Vrublevsky is optimistic about the implications of this case for future U.S.-Russia cyber relations.
“Mikhailov and Stoyanov are directly responsible for all of this cyber hysteria,” he said.