First of three articles
Vasiliy Gorshkov did not set out to be a thief.
Relatives and friends say he had wanted to build a dot-com like those he had read about on the other side of the world -- the Amazon.coms, eBays and Yahoos that were becoming household names even in this industrial expanse of dilapidated tenements and factories.
But in the spring of 2000, just three months after he sank his inheritance into a quixotic start-up to build Web sites for corporations, Gorshkov was getting squeezed. Few merchants here wanted to hear about the Internet, much less invest in it. What's worse, Gorshkov told several associates, local crime bosses had started to demand that he hand over a percentage of his earnings to avoid smashed windows, theft of merchandise and broken bones.
Gorshkov, then 24, didn't have the cash. Business associates recalled that he didn't even have enough money to keep paying his four programmers.
But one of those programmers, 19-year-old Alexey Ivanov, said he knew how to raise the protection money, according to lawyers familiar with the conversation. Goshkov could offer a protection service of his own. To online businesses. Six thousand miles away in the United States.
Soon, U.S. prosecutors said, Gorshkov and Ivanov were scouring the Internet looking for security vulnerabilities in the computer networks of American corporations. When they found a way in, they would steal credit card numbers or other valuable information. They would then contact the site's operator and offer to "fix" the breach and return the stolen data -- for a price.
Within a few months, banking, e-commerce and Internet service providers across the country, including Central National Bank of Waco, Tex.; Nara Bank NA of Los Angeles; and Internet service provider Speakeasy Inc. of Seattle, became victims. The hackers also used online payment service PayPal Inc. to turn pilfered credit card numbers into cash by setting up phony accounts. The men would eventually expose American businesses to perhaps tens of millions of dollars in losses, the prosecutors said.
Gorshkov and Ivanov are two of the hundreds, perhaps thousands, of virtually untraceable hackers who are overwhelming cyberspace. Hackers have stolen customer databases, company blueprints and credit card numbers. They have unleashed viruses, crashed computer systems, placed phony orders for merchandise, rerouted e-mail communications and committed various other mischief.
Over the past few years, the U.S. Justice Department, the FBI, the Secret Service and other government agencies have accelerated efforts to counter cybercrime. Last week, Attorney General John D. Ashcroft said one joint operation resulted in the arrest of more than 130 people suspected of using the Internet to defraud 89,000 consumers and businesses of $176 million since the beginning of the year.
Businesses are expected to spend $25 billion this year to fend off online intruders, according to market researcher IDC Corp. About 65 percent of all online attacks originate overseas.
"The Internet makes moving money across continents faster, less of a hassle -- and easier to hide," said Louise I. Shelley, director of the Transnational Crime and Corruption Center at American University.
International law is often ill-suited to deal with the problem, with conflicting views on what constitutes cybercrime, how -- or if -- perpetrators should be punished and how national borders should be applied to a medium that is essentially borderless.
"We don't think about the FBI at all," Gorshkov told a potential business partner. "Because they can't get us in Russia."
Gorshkov was wrong. The events that led to his and Ivanov's arrest open a window on the elusive and lucrative world of computer hacking -- where many perpetrators no longer fool with computers just because they are bored or want to make political statements. They're in it for the money.
The events were reconstructed from interviews with relatives, friends, co-workers, classmates and acquaintances of the hackers. Key details were corroborated by court records, prosecutors, defense lawyers and government intelligence officials. Gorshkov answered several questions in a letter; Ivanov declined to be interviewed.
Their case is unusual only because they were caught. Most online thieves, computer security investigators and prosecutors said, get away with it.
Chelyabinsk might be the most polluted place on earth, because of an explosion in a nuclear-bomb-making factory in the 1950s that dumped radiation through its Ural Mountain river valley but was kept secret for decades. Monuments to Stalin's industrial push dominate the city of 1.2 million. During the Cold War, many residents lived well, working in state-of-the-art military installations that were so secret they were known only by their numbers. But since the collapse of the Soviet Union, the region has struggled and many residents have had trouble finding work comparable to what once was available.
Gorshkov and Ivanov grew up here, though they didn't know each other until they were adults. Gorshkov is described as outgoing, with a gift for talking people into anything. He graduated from the area's top school, Southern Ural State University, with a mechanical engineering degree. Unlike most of his urbanite peers, who favored clothes in black and gray, Gorshkov -- a thin, muscular guy with a chiseled face -- would occasionally shock friends by showing up at gatherings wearing orange and purple shirts.
Ivanov's life was more troubled. He left home at 16 and lived in a small fourth-floor apartment attached to the local prison. He is described as a computer whiz, having had the opportunity when he was very young to play with machines in the office of his mother, who is a history teacher. Ivanov briefly studied computers at Southern Ural State University, but he was kicked out after twice failing freshman exams, according to school officials.
Gorshkov's company and its Web site, known as tech.net.ru, were born in February 2000 when he quit his auto-parts job and struck out on his own, plunking down $40 for the first month's rent for Room No. 502 at the Chelyabinsk Textile Factory. It was a shoestring operation. Desks were built from scrap materials. The chairs were hand-me-downs from a Coca-Cola marketing campaign. But his programmers were first-class.
The first few months he was in business, Gorshkov negotiated contracts to build Web sites for two companies. But he did the work at a severely discounted price and it wasn't long before Gorshkov's money began to run out and Ivanov introduced him to a group called the Expert Group of Protection Against Hackers.
The group was made up of several dozen loosely affiliated hackers at any given time, 12 to 15 in Chelyabinsk and others in Russian cities including Moscow and St. Petersburg, though it is unclear how many people in all were involved. There were lots of good programmers scattered throughout the country, but very few good jobs for them. In Chelyabinsk, a programmer might earn $200 to $300 a month, but the jobs available were anything but the cutting-edge perches for programmers in the biotech, telecom and Internet companies in other countries. So some of them looked for other ways to put their skills to work.
The hackers typically worked in groups of twos and threes, according to U.S. law enforcement officials. Sometimes members knew each other only by their online aliases. Some did not know each other at all.
Each group or cell operated somewhat independently -- using its own methods and determining its own targets for online hacking -- but paid 30 percent of what it collected to a krisha, or "protector" whom no one was willing to identify. "I don't know and I don't want to know," said one person involved with the group.
Gorshkov suddenly found himself in a profitable business.
He, Ivanov and another programmer, Michael -- a 19-year-old Siberian and college classmate of Ivanov's -- were one cell. Each had a distinct role, Michael said. Gorshkov was the coordinator, Ivanov the hacker. Michael poked around the exposed computer systems, hunting for data that might be useful.
The tech.net.ru computers were meticulously organized to make the crimes as efficient as possible, investigators said. Each victim's information was kept in its own file; the hacking programs were placed in a folder labeled "badstuff."
At first, the target companies were chosen pretty much at random, said Michael, who is known online as Hermit and spoke on the condition that his real name not be used.. They could be any e-commerce or banking companies that sounded like they had money.
Ivanov created a program that would search on Google for keywords such as "bank" or "casino" or "electronics" to find targets. They would then run potential victims through a program that scanned the companies' networks for known vulnerabilities.
The group had only one rule about choosing victims: Stay away from Russian businesses.
"You may go to jail and that's the best case," Michael said. "More likely, you'll be killed."
The main way they broke into corporate Web sites was through a well-known vulnerability in the widely used Microsoft NT server software. Often, they only had to type in the default username and default password created by the manufacturer and then, just like that, they were inside the network, said security consultant Kevin Mandia, a cybercrime consultant who helped U.S. law enforcement agencies investigate Gorshkov and Ivanov.
Their attacks were brazen. The hackers rarely bothered to cover their tracks. Mandia described their technique as akin to "storming a bank with a machine gun."
"You could take five months to plan a super-secret operation, but if your chances of getting caught were minimal why bother?" Mandia said.
The first contact between the hackers and their victims would typically be an e-mail sent to the company's chief executive or systems administrator. It was a form letter that Ivanov had shown to a lawyer to make sure it was legal under Russian law.
It was in rough but polite English. "Hello Mr.," it began. "We are a security consulting group specialized in banking and credit card services, big online shops, insurance companies. Due to our job we have to work on the territory that can't be controlled by U.S. authorities. Our government and laws are loyal to that kind of computer activities." It then listed the number and a description of insecure computers on the company network and offered their security services. The group typically signed off with an ominous warning: "YOUR SITE IS TOTALLY INSECURE!!!. It's not just bluff. Any user on the net can get ALL the personal information concerning any account."
As later detailed in court documents, Ivanov would follow up with another e-mail, an online chat request or a phone call, and say he used stolen calling card numbers or had commandeered satellite voice systems, talking leisurely with the cell's victims.
Ivanov was so bold he sometimes sent his resume -- and even photos -- to prove that he was a serious security consultant. The documents listed his home phone number and detailed his previous experience, noting that he was an expert in a half-dozen computer languages and that he had a passport but needed "visa support."
The hackers asked for as little as a few hundred dollars from some start-ups and several hundred thousand dollars from corporations that sounded rich.
In an interview, Michael claimed that his group made as much as $500,000 during one nine-month period, much of it wired to accounts in the Russian Federation, Romania and Cyprus. U.S. authorities have only been able to account for about $10,000 of the extortion fees paid to the hackers.
It's unclear how many of the tens of thousands of stolen credit card numbers Gorshkov and Ivanov used. The "Expert Group" traded files of credit card numbers with each other and with other associates and sold the information, prosecutors say, making it a difficult if not impossible task to assess who used them. A U.S. spot-check found that nearly 1,300 of the credit card numbers on tech.net.ru were used for fraudulent purchases in Canada, France, Guatemala, Israel and many other countries.
Reaction to the hackers varied widely among their victims. Some cursed them and others befriended them.
Speakeasy, a company that started as an Internet cafe and then expanded to offer network services to homes and businesses, was among the most troublesome. The company refused to pay up even after Ivanov threatened, deleted files and posted customer information on a Web site. In online chat, Max Chandler, a systems administrator for Speakeasy, was tough, telling Ivanov that hacking is illegal, according to court documents.
Ivanov was unmoved and typed in this response: "If you want put me to jail you never can do it because laws in my country is not work and my country don't have strong computer crime laws."
Later on in the conversation, however, Ivanov sounded almost child-like as he asked Chandler for career advice.
Ivanov: I need job only because I need money. Okay? . . .
Ivanov: What name of companies where you have friends?
Chandler: Well, Microsoft of course . . . Amazon. . . .
Ivanov: Hey hey. Cool company. I'm steal a lot of CD/DVD/books from Amazon. . . . Max, is it possible to get job in Microsoft or Amazon?
Chandler: Sure. They're hiring all the time.
Ivanov: I mean for me?
Chandler: Well, you need to send them a resume but I can put a word for you in certain departments.
Ivanov: Okay. Please do it.
Some companies treated the extortion demands as regular business transactions. When Brian Miller, chief executive of Cambridge, Mass.-based Internet service provider Channel 1 Communications, heard from Ivanov about a breach in its computer systems, he concluded that it would be better to have Ivanov on his team than to fight with him. He wired $250 to an account that Ivanov provided and thanked him for his help.
"I had a lot of sympathy for him," Miller said. "He seemed like a bright kid who just wanted to make some money and get out of his country. I thought maybe he would move on to better things."
Gorshkov, meanwhile, still believed he could get his legitimate business off the ground. He paid his programmers $150 a month to pursue projects that he hoped would change the way Russians use the Internet in the same way the Silicon Valley dot-coms were transforming American culture. One employee was working on a more robust e-mail filtering system. Another person was trying to set up an Internet dating service. Yet another person was programming an online auction site.
Two of Gorshkov's programmers, Maxim Semenov and Denis Bukarov, who U.S. authorities say were not involved in the extortion scheme, said they loved working for the company because of its ambition. Their boss encouraged them to spend part of their time tinkering with new technologies.
"It's a problem to find an interesting job like the one I had" at tech.net.ru, Bukarov said.
Michael said the hackers felt invincible, and in some ways they were. He described nights when none of the other programmers were around and the three of them would sit drinking vodka and singing songs. Ivanov loved tunes from old Russian movies and would begin to belt them out, off key. Gorshkov and Michael would join in.
The more happy and playful their mood, he said, the more generous they would be to their would-be victims.
Take the U.S.-based network administrator for a Singapore Internet service provider. Michael said he threatened to crash her system unless she paid up but she sounded so nice online that they felt bad about the whole thing. He told her that if she called up on the phone and sang "Happy Birthday" they would leave her alone. She did and he kept his promise to drop the extortion demand.
No one would say what the group did with all its money. To friends and relatives, the changes in the men's lifestyles were subtle. They apparently didn't splurge on lavish dinners or buy expensive clothes. Ivanov wore secondhand jeans and old scruffy boots, said his grandmother, Raisa Gorshkova, 73. "He even smoked very cheap brand of cigarettes. Nobody smokes these anymore."
Ivanov, though, bought a used car and a $1,000 cell phone. Gorshkov got an apartment for himself and his fiancee, Masha Milegova, who he met on a trolley on the way home one night and who was pregnant with their first child.
The hackers also used the credit card numbers they had purloined from companies that refused to pay their fee. Once, they ordered 15 DVD players and had them delivered to a mailbox across the border in Kazakhstan, less than an hour from their homes. They also ordered music CDs, movies, laptops, cell and satellite phones and other electronics. They also abused the PayPal system to turn the stolen credit card numbers into cash by setting themselves up as seller and buyer in online auctions. (PayPal officials said they have since taken steps to reduce the chances that perpetrators of that type of scam will succeed.)
Later, in November 2000, Gorshkov threw a housewarming party for himself. One of the half-dozen or so close friends in attendance, a medical student named Yvgenia Peleskova, recalled that they drank beer and watched "Gone in 60 Seconds," a movie about ingenious car thieves who could break any lock, get past any alarm and never get caught.
Peleskova remembered that it was a "big hit" with the people in the room.
But while Gorshkov and Ivanov were laughing about their good fortune, they had become the target of a manhunt originating in America. Some of the companies the hackers thought were cooperating with them were actually working for the FBI.