In 2013, Jurijs Martisevs says, he was contacted by Russian law enforcement.
At the time, Martisevs was helping run a service based overseas that helped hackers get past anti-virus programs. His testimony in a U.S. court in Virginia helped lead to the conviction of his partner in that business, but it also shed light on the symbiotic relationship between Russian intelligence and the criminal underworld.
The partner, Ruslan Bondars, 37, was found guilty Wednesday of several hacking-related crimes; Martisevs pleaded guilty earlier this year. Martisevs is set to be sentenced in July, Bondars in September.
“Everyone cooperates — especially with the FSB,” Martisevs wrote to Bondars in a chat-app exchange that was translated from Russian and read in court. “They may even bring more clients to us,” he added, punctuating the remark with a smiley face.
“Among people who track hacking, both state-sponsored and not state-sponsored, the widespread assumption is that there is a relationship between the government law-enforcement and intelligence community in Russia and the criminal underground,” said Thomas Rid, a cyberwarfare expert at Johns Hopkins University’s School of Advanced International Studies. But, he said, “It’s not easily investigated.”
In a separate case, the Justice Department last year accused two FSB agents of working with cybercriminals to breach the email accounts of tens of millions of people and then steal information from a group that included Russian journalists and U.S. and Russian government officials. One hacker was prosecuted in California. The other three defendants are thought to be in Russia, where one of the FSB agents was arrested and accused of treason.
The Virginia case centers on a service created by Bondars and Martisevs called Scan4You. It analyzed files and told the client whether their malware would be identified by anti-virus programs as malicious. Authorities said Scan4You was used by hackers to steal banking and credit card information, including in a massive attack on Target customers.
Bondars lived in Latvia; Martisevs was from Moscow but visited Riga regularly and was arrested there. Both were extradited to the United States by Latvia. The case ended up in federal court in Alexandria because one hacker who used Scan4You was based in Northern Virginia.
According to testimony, when Martisevs contacted Bondars in 2013 about Russian investigators, he expressed surprise about the depth of their knowledge.
“They’ve been monitoring us for a long time now,” he told Bondars.
Martisevs said he asked the FSB agents if he should shut the program down.
“They said no need,” he told Bondars. “They’re asking us to help them. I don’t see why not. They aren’t interested in us and they don’t want to turn me over to the USA.”
He said the FSB even promised to help with counterattacks on their service.
In exchange, he later told Bondars that his new “friends” had asked for information on some of their clients. Martisevs told Bondars it was fine to cooperate because they didn’t know much about the clients in the first place. While they had promised not to share any information with anti-virus companies, Scan4You said nothing about law enforcement.
“I could not say no,” Martisevs said on the stand.
It was unclear exactly how the agents identified themselves.
“Typically, the way this happens is through proxies,” said Brian Krebs, a freelance journalist who covers cybercrime. “It’s kind of unusual for the FSB to directly approach somebody.”
Dimitry Belorossov, who used a malware package called Citadel that incorporated Scan4You to steal banking information from more than 7,000 computers, testified in the case against Bondars that he was worried about being caught by Russian authorities.
“There were stories of people who were forced to work for the FSB,” he said in court. “I was scared.”
Belorossov, 24, pleaded guilty in 2015 to conspiring to commit computer fraud. He was recently released from prison.
“I think now enough time has passed that I’m safe,” he said.
Belorossov, like Martisevs, was arrested when he left Russia for a country more cooperative with U.S. law enforcement. He was nabbed at the Barcelona airport in 2013. Mark Vartanyan, who helped develop Citadel and also testified against Bondars, was arrested in Norway in 2014.
The Russian government has protested the arrests of Martisevs and Vartanyan as kidnappings.
Attorneys for Bondars argued that Scan4You was not illegal but merely happened to be used primarily by people committing illegal acts. In closing arguments, according to a transcript, defense attorney Jessica Carmichael compared the service to a head shop: bongs can be sold legally even if the vast majority of buyers are using them to smoke illegal drugs rather than tobacco.
But prosecutors convinced jurors that the creators of Scan4You knew they were helping hackers commit crimes and were legally taken down. The service was used by the hackers behind a 2013 holiday season attack on Target that affected 70 million customers and cost the company $292 million, prosecutors said. Citadel has been used to infect more than 11 million computers and has caused $500 million in fraud-related losses.
According to a transcript, Assistant U.S. Attorney Kellen Dwyer said in his closing argument that both the law and common sense showed that Bondars “created Scan4You with the purpose and the intent of furthering and assisting computer hacking and the resulting fraud schemes.”
Martisevs agreed. “I supposed that we were doing something illegal,” he testified.