At noon on June 28, 2012, Vladimir Drinkman, targeted as one of America’s most wanted cybercriminals, and his wife hustled into a cab pulling away from their Amsterdam hotel. They had just been tipped off that the police were on to them, but an unmarked police car blocked their getaway. The Russian was handcuffed and arrested on charges of helping to mastermind what has been called the largest criminal hacking scheme ever prosecuted in the United States.
This week, after a protracted extradition proceeding, a Dutch court ruled that Drinkman will be sent to the United States to stand trial.
Drinkman, 34, is accused of taking part in a string of marquee hacks: the penetration of the electronic stock exchange Nasdaq, the theft of more than 130 million credit card numbers from Heartland Payment Systems, and cyber-heists that victimized 7-Eleven, the Hannaford Brothers supermarket chain, Visa, Dow Jones and JetBlue, among others.
If convicted, he could face up to 30 years in prison. He is alleged to be part of a ring whose actions, prosecutors say, have caused more than $300 million in losses and led to countless stolen identities.
Led by the U.S. Secret Service, the case is one of the most significant prosecutions in the annals of cybercrime. Not only are high-value hackers difficult to trace because of techniques used to mask their identities, but many of them also are in countries of the former Soviet Union, where extradition is virtually impossible.
Bart Stapert, Drinkman’s attorney in Amsterdam, said the U.S. prosecutors have offered “no specific evidence that ties” Drinkman to all the hacks. “It almost seems to me as if it’s a prosecution strategy to add at some point all the known hacks that were originating from Russia to this indictment,” he said.
U.S. officials are confident they have the right man.
“We have a 99.6 percent conviction rate in cybercrime,” said Ari Baranoff, assistant special agent in charge of the Secret Service’s criminal investigative division. “We don’t build our cases on one piece of evidence. Our cases are built on evidence that is curated over many years. We take our time to build these cases to make sure we have them right.”
The trail to an Amsterdam hotel took years to construct.
The Secret Service, at first, didn’t know Drinkman was in the Netherlands. Their target was one of his comrades, Dmitriy Smilianets, a 31-year-old alleged cyber-trafficker of stolen data who was also implicated in the high-profile hacks.
In 2004, the agency shut down the criminal forum known as DumpsMarket, an online bazaar for the trafficking of stolen credit card data. Agents in its cyber-intelligence section cached screen shots of members’ messages and began logging names and other identifying details.
In the forum, agents noted a hacker nicknamed Scorpo, whom they would soon link to Drinkman. But Scorpo stopped using the handle in 2004, and Drinkman fell off their radar screens.
In a separate case, the Secret Service won the cooperation of Albert Gonzalez, also known as soupnazi, who was arrested in 2003 in New York in an ATM scheme.
Investigators scoured files stored in his computer, including records of his online chats with other hackers. They noticed two Russians who went by the online monikers Anexx and Grigg. In further research, investigators turned up an associate nicknamed Smi.
Most of the group kept low profiles. But Anexx was, by far, the most security-conscious.
“We never thought we would ever identify, let alone catch, Anexx — not ever,” recalled one former official, who spoke on the condition of anonymity to discuss the investigation.
Smilianets, a.k.a. Smi, who lived in Moscow, led a much more public life. He ran a successful online gaming team called the Moscow 5 that traveled for international competitions. His Twitter account, ddd1ms, has more than 14,000 followers. He also has an account on VK, Russia’s version of Facebook, and one on Facebook.
Unbeknown to the Secret Service, as they continued to probe Gonzalez’s ring of acquaintances, by 2007 the American had returned to crime. He and his associates, including Grigg, Anexx and Smi, carried off major intrusions into Heartland, Hannaford and other companies, officials said.
In their ring, everyone had a role — to gain entry, steal data, sell it — like an “Ocean’s Eleven” team, the official said, referring to the movie about a highly coordinated heist of Las Vegas casinos.
Grigg would make the initial hack into a system. “Once the door was open, Anexx was able to get further into the network, package things and exfiltrate,” the official said. Smilianets would sell the data through online bazaars.
Once they caught onto Gonzalez, the authorities indicted him. In 2009, they charged Gonzalez (who pleaded guilty and is in prison) and two co-conspirators identified publicly as “Hacker 1” and “Hacker 2” — known to the Secret Service as Anexx and Grigg.
Investigators hoped to unmask them through Smilianets. “We knew if we bagged him, if he cooperated, he would provide a great deal of information on individuals,” the official said.
So they watched, and they waited.
In late June 2012, they got their chance. Smilianets posted on Facebook a smiling photo of himself in front of the iconic “I amsterdam” sign near the Rijksmuseum. He also posted a number of photos that included location tags.
Secret Service agents took the information and began to plot out all the hotels in the area — several hundred. They narrowed the list to about 50. And on June 26, they began dialing.
“We got down to the number 5 or 6 on the list, and the person who answered the phone said, ‘Yes, Mr. Smilianets is here. But it’s the middle of the night. Do you want us to wake him up?’ ” the official recalled. “We said no and hung up.”
The Americans then called their counterparts in the Dutch National High Tech Crime Unit, a police agency that has Secret Service personnel embedded in it.
The next morning, on June 27, Dutch police went to the Manor Hotel. Staff confirmed that Smilianets was there with his wife. And by the way, they said, Smilianets had rented two rooms. The guest in the other room? A Mr. Vladimir Drinkman.
“It was a pivotal moment,” recalled the law enforcement official. “We recognized we had a potentially significant cybercriminal available for apprehension here.”
Agents knew Drinkman was Scorpo, and although Scorpo apparently hadn’t been active in years, they figured that anyone traveling with Smilianets was someone of interest. They fired up their database.
Tucked away in their archive was a screen shot dating to 2004 from the DumpsMarket forum. They found a line in Russian: a message from Scorpo to the forum administrator requesting a nickname change — to Anexxian.
“At that moment,” the official said, “we knew we had Anexx.”
Erez Liebermann, a prosecutor in the U.S. attorney’s office for the District of New Jersey, quickly drew up a complaint on Drinkman. It was bare-bones, just enough to make the arrest.
On June 28, at 8:30 a.m. in Amsterdam, Dutch police, accompanied by Secret Service agents, arrived at the hotel. They arrested Smilianets, who was on a tour bus about to depart for Belgium. But they had no grounds to detain his wife, who frantically began to make calls. She reached her husband’s driver in Moscow, who called Drinkman’s wife with news of the arrest, according to a report on Bloomberg.com.
Drinkman rang the front desk and called for a cab, officials said, but didn’t get farther than the back seat. “He didn’t resist,” Dutch police spokesman Wim de Bruin said. “It was calm and smooth.”
Over the Fourth of July holiday, prosecutors and Secret Service agents flew to Amsterdam. Under questioning, Drinkman gave up nothing. But they also spoke with Smilianets. By the end of the interview, they felt they had enough to charge Drinkman.
On July 19, a grand jury in New Jersey indicted Drinkman and other alleged ring members, including Grigg, now identified as Aleksandr Kalinin. They were charged with conspiracy to hack into 11 entities. A year later, a superseding indictment was issued, adding two more defendants and alleging six more victims.
A key issue is whether prosecutors can prove Drinkman used the handle Anexx.
Current and former officials say Drinkman admitted in interviews with prosecutors and agents in the fall of 2012 that he had used the nickname Anexx. He also admitted, they said, to the moniker Scorpo and that he was part of the ring that carried off a string of hacks.
Stapert said he was not aware of his client making any such statement directly — “certainly not in a statement that can be used in court.”
U.S. authorities expect Drinkman to be extradited within several weeks. Smilianets, extradited earlier, is being held in New Jersey, awaiting a trial date. Kalinin, the other high-value target, is at large and believed to be in Russia.
He, too, kept a VK page, although not under his real name. His profile was accessible through a custom Web address that included the phrase: catchmeifyoucan.
Natasha Abbakumova in Moscow contributed to this report.