Monday, October 24, 2016

Yevgeniy Nikulin hacked LinkedIn and Formspring via Employee VPN

From the indictment against Yevgeniy Nikulin

On October 20, 2016, Radio Free Europe/Radio Liberty announced that they had identified the Russian hacker who was arrested in Prague.  They were the first to announce the identity of Yevgeniy Nikulin, providing a link to his arrest video:


 Nikulin's arrest video


VPN Hacking?

Two points in the Indictment's "Background" section stand out.  One says: "LinkedIn employees were assigned individual credentials by which they could remotely access the LinkedIn corporate network.  An individual with the initials N.B. worked for LinkedIn at its Mountain View, California headquarters."

... and a couple of paragraphs later ...

"Formspring employees were assigned individual credentials by which they could remotely access the Formspring corporate network.  An individual with the initials J.S. worked for Formspring in its San Francisco, California, headquarters."


The hack of LinkedIn, according to the Indictment, occurred on March 3-4, 2012, during which Yevgeniy "did knowingly possess and use, without lawful authority, a means of identification of another person, that is, the user name and password assigned to LinkedIn employee N.B., during and in relation to violations of Title 18, USC, Section 1030."

Dropbox was hacked between May 14, 2012 and July 25, 2012, although no mention is made of the technique.  (Motherboard indicates that more than 68 million passwords were stolen in this breach.)

The hack of Formspring was between June 13, 2012 and June 29, 2012, during which the defendant "did knowingly possess and use, without lawful authority, a means of identification of another person, that is, the user name and password assigned to Formspring employee J.S., during and in relation to violations of Title 18, USC, Section 1030."

In both cases the Indictment describes no exploit against the VPN itself: a genuine employee username and password were used to log in remotely, so the access looked like an ordinary authenticated session.
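Because a stolen credential produces a successful, fully authorized login, the only signal left is context: where and when the account is used. The following is an added example, not code from this post or from LinkedIn or Formspring. It runs two simple checks over constructed VPN authentication log lines (the log format, usernames "nb"/"js", and IP addresses are made up for the example): a login from a country the user has never been seen in, and a login from a different country sooner than a person could have travelled.

```python
import re
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (not real LinkedIn/Formspring data).
# One successful login per line: timestamp, user, source IP, source country.
SAMPLE_LOG = """\
2012-03-02T09:01:12Z vpn-auth ok user=nb src=203.0.113.10 country=US
2012-03-02T18:30:05Z vpn-auth ok user=nb src=203.0.113.10 country=US
2012-03-03T02:14:47Z vpn-auth ok user=nb src=198.51.100.77 country=RU
2012-03-03T02:16:02Z vpn-auth ok user=nb src=198.51.100.77 country=RU
2012-03-03T09:05:33Z vpn-auth ok user=nb src=203.0.113.10 country=US
2012-03-03T10:00:00Z vpn-auth ok user=js src=192.0.2.44 country=US
"""

# Hypothetical log format for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth ok user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<cc>[A-Z]{2})$"
)


def parse(log):
    """Yield one dict per well-formed successful login line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev


def find_anomalies(log, travel_window=timedelta(hours=8)):
    """Flag successful logins that come from a country the user has not been
    seen in before ("new-country") or that follow a login from a different
    country within travel_window ("impossible-travel").

    Returns a list of (iso_timestamp, user, src_ip, country, reasons)."""
    known = {}      # user -> set of countries seen so far
    last_seen = {}  # user -> (timestamp, country) of the previous login
    alerts = []
    for ev in parse(log):
        user, cc = ev["user"], ev["cc"]
        reasons = []
        if user in known and cc not in known[user]:
            reasons.append("new-country")
        if user in last_seen:
            prev_ts, prev_cc = last_seen[user]
            if prev_cc != cc and ev["ts"] - prev_ts < travel_window:
                reasons.append("impossible-travel")
        if reasons:
            alerts.append((ev["ts"].isoformat(), user, ev["src"], cc, reasons))
        known.setdefault(user, set()).add(cc)
        last_seen[user] = (ev["ts"], cc)
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(alert)
```

In the sample data, user nb's first login from RU at 02:14 is flagged on both counts, and the return to the US office seven hours later is flagged again as impossible travel, while js is never flagged. A real deployment would build the "known countries" baseline from history rather than from the same log being scanned, and would treat the first login of a brand-new account as its own review case.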


BitCoin Theft by ChinaBig01

After the indictment was released, we, like several other users (such as @TalBeerySec of Microsoft Research), found allegations that Yevgeniy was involved in other types of crimes, including breaking into the MySQL database of a BitCoin "hedge fund".

The operator of that site sent this claim to the users:

"Hello,

I wanted to share some very bad news with you. Yesterday, in the middle of the night, someone hacked into the Bitmarket database and managed to modify his account. Then, he withdrew ~610 BTC from the site. He left about 100 BTC in the wallets.

Right now I'm investigating what happened. It seems that he managed to somehow find my administration console for the database, which wasn't under any guessable name. This console was password protected (a very long, random password) but he still managed to overcome this somehow. I'm still investigating how this could happen. Right now I've removed this console entirely to prevent any further damage, but I'm devastated :(. I wrote a message to the email he registered with (chinabig01@gmail.com) literally begging him to return the stolen BTC. If he has any conscience, maybe he'll give it back. But at the moment we are 600 BTC short, and if this sees the light of day (i.e. people want to withdraw more than the 92 BTC that's currently in the wallets), we're totally screwed.

I know it's much to ask, but do you have any Bitcoins available right now to fill this gap temporarily? There is a small chance that the thief will give this back, but until then… I really don't know what to do now. I didn't have the luxury to screw up again, and when things started to go on the right track, this happens. All this makes me want to kill myself. My hands are shaking right now. I won't do this, because I have people to repay. I hope this turns out good… Sorry, I don't have any other idea right now, I just wanted to be 100% honest with you and inform you of this as soon as I saw what happened.
"

The author's message puts the loss at roughly 610 BTC.  He later offers this link to the address which, according to him, is controlled by "ChinaBig01@gmail.com".  You can see roughly 620 BTC, as 1, then 9, then 55.456, then 554.54, being deposited to and then removed from this bitcoin address:

http://blockchain.info/en/address/1Lbcfpaw3uHs3iarBqZ12FYeD5vFwNvY49
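Before querying an explorer for an address taken from a forum post or an email, or adding it to a watchlist, it is worth confirming that the string is a well-formed address: Bitcoin addresses carry a version byte and a 4-byte double-SHA-256 checksum under Base58Check, so a mis-transcribed character is caught offline. The decoder below is an added example and not code from this post or from Bitmarket; the genesis-block address used as a known-good sample is public knowledge, and the tampered variant is constructed for the example.

```python
import hashlib

# Base58 alphabet: no 0, O, I or l, so visually similar characters cannot be confused.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Version bytes for the address types encoded this way (mainnet and testnet).
VERSIONS = {0x00: "P2PKH (mainnet)", 0x05: "P2SH (mainnet)",
            0x6F: "P2PKH (testnet)", 0xC4: "P2SH (testnet)"}


def base58_decode(s):
    """Decode a Base58 string to bytes; each leading '1' is a leading 0x00 byte."""
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def decode_address(addr):
    """Split a Base58Check address into version, hash160 and checksum status.

    Returns {"version": int, "kind": str, "hash160": hex str, "checksum_ok": bool}.
    Raises ValueError for characters outside the alphabet or a wrong length."""
    raw = base58_decode(addr)
    if len(raw) != 25:
        raise ValueError(f"decoded length is {len(raw)} bytes, expected 25")
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    version = payload[0]
    return {
        "version": version,
        "kind": VERSIONS.get(version, "unknown version"),
        "hash160": payload[1:].hex(),
        "checksum_ok": checksum == expected,
    }


def is_valid_address(addr):
    """True only if the string decodes cleanly and its checksum matches."""
    try:
        return decode_address(addr)["checksum_ok"]
    except ValueError:
        return False


if __name__ == "__main__":
    # Known-good sample: the address paid by the genesis block coinbase.
    print(decode_address("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"))
    # The address linked above, as it appears in the post.
    print(decode_address("1Lbcfpaw3uHs3iarBqZ12FYeD5vFwNvY49"))
```

A checksum failure means the string was corrupted in transit (a typo, a truncated paste, a substituted character), not that the address is unused; a passing checksum says nothing about who controls the keys, which is exactly the claim in the message above that cannot be verified from the address alone.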


