Ukrainian Hacker Wanted in W.Pa., Spotlights Difficulty of Cybercrime Fight

The inability of federal prosecutors to nab the accused hacker shows how hard it can be for law enforcement to reach foreign hackers.

by Andrew Conte, McClatchy News Service / September 11, 2014

Federal prosecutors can't even agree on the spelling of his name.

But across three jurisdictions, they believe a Ukrainian hacker has been responsible for a slew of computer attacks that make recent disclosures about Home Depot and Target data breaches seem small.

Here in Pittsburgh, the U.S. attorney recently charged Mykhailo Sergiyovych Rytikov with providing the servers for malicious computer software used by criminals to steal online banking credentials. They hit at least two dozen victims across Western Pennsylvania — in Pittsburgh, Erie, Monroeville, Bethel Park, Canonsburg, Irwin, Warrendale, Homestead, Carnegie, Oil City and Ebensburg. The indictment does not identify individual victims.

In New Jersey, he is wanted under a slightly different first name in a 2009 case that says he lived in Odessa, Ukraine, and provided anonymous web-hosting services for a criminal ring that bagged more than 160 million stolen credit card numbers and caused more than $300 million in damages.

The cyber criminals grabbed the numbers from high-profile retailers such as 7-Eleven and JCPenney, as well as Heartland Payment Systems, a credit card processor in Princeton, N.J., and Plano, Texas, according to federal court documents.

By comparison, the unrelated Home Depot data breach announced this week might involve as many as 60 million stolen numbers.

Rytikov appears in one other federal indictment, from the Eastern District of Virginia. There, prosecutors say he helped run a useful service for online criminals: They could check batches of stolen credit, charge and debit cards to see which ones remained valid and active.

He and another defendant checked and stored about 1.8 million unique card numbers along with the victims' personal identification, court records say. The service allowed criminals to avoid buying stolen cards that no longer work, and prosecutors say it helped them steal more than $12 million.

U.S. Attorney David Hickton in Pittsburgh declined to talk about Rytikov. A spokesman for prosecutors in New Jersey also declined to comment, and the lead attorney in Virginia did not respond to requests for comment.

Rytikov remains at large in eastern Europe and does not plan on coming to the United States to face arrest, said his defense attorney, Arkady Bukh, a Russian-born lawyer in Brooklyn, N.Y.

He said Rytikov provided hosting services, which have legitimate and legal uses, but is not a hacker. To make its case, the U.S. government would have to prove that Rytikov knew the people using his services were criminals, he added.

“We're not arguing that he is a hosting guy,” Bukh told the Trib. “What we're arguing is whether he knew or not that those people are hackers, carders, virus spreaders. That's the argument.”

The inability of federal prosecutors to nab Rytikov shows how hard it can be for law enforcement to reach foreign hackers even when they think they know who they are and what they've been doing.

“I definitely don't think it's impossible, because we have seen more cases being brought,” said Scott Shackelford, a law professor and senior fellow at the Center for Applied Cybersecurity Research at Indiana University in Bloomington, Ind. “But clearly, there's a long way to go, and we don't know whether it's actually stemming the problem or not because the data is far from reliable.”

In the indictments, information about Rytikov and his co-defendants has been redacted from the public record to hide online names and other personally identifying information. An arrest warrant filed in New Jersey says only that he is male, leaving blank areas that could include last known residence, hair and eye color, or his height and weight.

Oftentimes in cyber cases, prosecutors have a major challenge linking a defendant's online persona or nickname with a real-world person, Bukh said. They might know a hacker by his handle and see what he has done, but it might be harder to prove who he is.

In the case filed in Pittsburgh, prosecutors say Rytikov and two others — identified only as John Doe 1 and 2 in the redacted filing — provided a “bulletproof” service that allowed other criminals to open the so-called Zeus software. With it, criminals could steal confidential personal and financial information from unsuspecting victims.

In June 2009, for example, criminals stole a Pittsburgh victim's user name and password for a National City Bank online account. National City is now part of PNC Bank. A spokeswoman there declined to comment.

In another case that month, hackers took a Canonsburg victim's Google email account name and password, along with the person's American Express account name, password and number.

©2014 The Pittsburgh Tribune-Review (Greensburg, Pa.)