
THE LURE
THE TRUE STORY OF HOW THE
DEPARTMENT OF JUSTICE BROUGHT
DOWN TWO OF THE WORLD’S MOST
DANGEROUS CYBER CRIMINALS

By Steve Schroeder

Course Technology PTR
A part of Cengage Learning

Australia, Brazil, Japan, Korea, Mexico, Singapore, Spain, United Kingdom, United States


The Lure: The True Story of How the Department of Justice Brought Down Two of the World’s Most Dangerous Cyber Criminals
By Steve Schroeder

Publisher and General Manager, Course Technology PTR: Stacy L. Hiquet
Associate Director of Marketing: Sarah Panella
Manager of Editorial Services: Heather Talbot
Marketing Manager: Mark Hughes
Acquisitions Editor: Heather Hurley
Project/Copy Editor: Kezia Endsley
Interior Layout Tech: William Hartman
Cover Designer: Luke Fletcher
Indexer: Sharon Shock
Proofreader: Megan Belanger

© 2012 Course Technology, a part of Cengage Learning.

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored, or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.

For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-800-354-9706.
For permission to use material from this text or product, submit all requests online at cengage.com/permissions.
Further permissions questions can be e-mailed to

All images © Course Technology unless otherwise noted.

All trademarks are the property of their respective owners.

Library of Congress Control Number: 2010926272

ISBN-13: 978-1-4354-5712-6
ISBN-10: 1-4354-5712-9
eISBN-10: 1-4354-5713-7

Course Technology, a part of Cengage Learning
20 Channel Center Street
Boston, MA 02210
USA

Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: international.cengage.com/region.

Cengage Learning products are represented in Canada by Nelson Education, Ltd.

For your lifelong learning solutions, visit courseptr.com.
Visit our corporate Web site at cengage.com.

Printed in the United States of America
1 2 3 4 5 6 7 13 12 11



To my wonderful wife, Cheryl,
and our five great children,
Jessica, Andrea, Molly, Chris, and Reid,
whose unflagging support for
this project made it possible.


About the Author

Steve Schroeder grew up in the Bitterroot Valley in western Montana and attended the University of Washington, where he graduated in 1968. Following three years of duty as a Marine Officer, he attended the University of San Diego School of Law, earning a J.D. in 1974. He was a trial attorney and an Assistant United States Attorney for the United States Department of Justice from 1974 until his retirement in July 2002. He specialized in white-collar crime and corruption prosecutions until 1992, when he prosecuted his first computer crime case, an intrusion into the Federal Court House network. From that point on, he became immersed in the growing field of computer crime cases. He became a charter member of the Department of Justice Computer and Telecommunications Coordinator program at its inception in 1995. He was a member of the national working group that advises the Attorney General on computer crime issues, and is a frequent lecturer on computer crime and electronic evidence. He is currently an Adjunct Professor at Seattle University School of Law, where he teaches Computer Crime. He has also taught computer forensics in the Department of Computer Science and Software Engineering at Seattle University, and is a Senior Lecturer at the University of Washington, where he teaches a class on Computer Forensics and the Law.

He currently lives in the Seattle, Washington, area with his wife, Cheryl, with frequent visits from their five grown children.

Acknowledgments

The many people who have given me a leg up during the course of my career are too numerous to list. (It is tempting to attempt to do so, however, as each person named is more likely to buy a copy of this book.) The contribution of Phil Attfield to both the success of this case and to the advancement of my own knowledge should be evident to anyone who reads this book. Curtis Rose and Kevin Mandia, whose consummate professionalism was inspirational, helped me get my foot in the door at the publishing world.

I owe much of my enthusiasm for computer crime problems to Scott Charney and Marty Stansell-Gamm, the first two Chiefs of the Computer Crime and Intellectual Property Section. Both were instrumental in creating a national computer crime program that became a model for the world. It was noteworthy for its emphasis on practical solutions to nascent problems in cyberspace that had real-world analogies.

The FBI hierarchy has a perhaps well-deserved reputation for being stuffy. The working agents—the men and women of the FBI who investigate cases—are the best of the best. The public should feel privileged to have them watching their backs. In this case, Special Agents Dana Macdonald, Marty Prewett, Mike Schuler, Melissa Mallon, Milan Patel, and Marty Leeth reflect great credit on law enforcement. Leslie Sanders, who created and managed the digital images used in the trial, was an asset beyond belief. My Legal Assistant, Sal Nouth, was truly a partner on the case, handling the difficult document preparation, as well as keeping happy the numerous out-of-town witnesses who were subpoenaed for the trial. Her tireless efforts and unfailing good humor were assets of incalculable value.

Among my numerous friends and colleagues at the United States Attorney’s Office in Seattle, several enthusiastically supported my involvement in the national computer crime program. United States Attorney Kate Pflaumer was among the first in the nation to recognize the importance of developing a national computer crime program, and welcomed my interest. Mark Bartlett, as Criminal Chief and First Assistant United States Attorney, not only endorsed the program, but had my back, protecting me from having too many routine ankle-biter cases assigned that might interfere with my duties as Computer and Telecommunications Coordinator. Finally, my colleague Floyd Short jumped into the case on rather short notice, bringing his considerable knowledge and drive to the case.

Other local colleagues provided unstinting support. My friend Ivan Orton at the King County Prosecutor’s Office was a pioneer in the computer crime arena, and has been my primary resource in the field over the years, beginning at a time when the two of us were the only people in the state who were working those cases. Dr. Barbara Endicott-Popovsky, the Director of the Center for Information Assurance and Cybersecurity at the University of Washington, sponsored my entry into academia at Seattle University and the University of Washington. Also, a tip of the hat is due to Kirk Bailey, the charismatic founder of the Agora, the regional gathering of cyber security professionals. His support of the Gorshkov prosecution was central, not least his introduction of Phil Attfield to the case.

My editors at Cengage Learning, Kezia Endsley and Heather Hurley, provided support and expert feedback with unfailing good humor, even in the face of the seemingly interminable delays in getting the manuscript cleared by the Department of Justice. A special thanks is due to Vernon Lewis at the Executive Office for US Attorneys for his efforts to move the review process forward.

Finally, the importance of the support of my cherished wife, Cheryl, and our talented children, Jessica, Andrea, Molly, Chris, and Reid, throughout the process of writing this book cannot be overstated. Their unflagging belief in the project carried me through the rough spots.


Contents

Introduction . . . . . . . . xiii

Part I: The Investigation

Chapter 1: Speakeasy . . . . . . . . 3
The Birth and Evolution of the Internet .....5
An Intruder Enters Speakeasy .....7
Speakeasy Responds .....12
An Important Customer Is Harmed .....14

Chapter 2: The Investigation Begins . . . . . . . . 19
The Landmark Privacy Act Case .....21
The Secret Service Gets Involved .....21
Steve Jackson Games Sues the Secret Service .....23
Aftermath .....24
Steve Schroeder Becomes an Assistant United States Attorney and Moves to Seattle .....25
Steve Becomes a Computer Crime Specialist .....26
The Seattle FBI Office Forms a Computer Crime Squad .....28
Amazon.com Is Defrauded from Russia .....30

Chapter 3: The Lure . . . . . . . . 33
Multi-District Cooperation Begins .....34
Online Information Bureau in Connecticut Is Hacked .....35
The Investigation Expands .....36
Defeated by the Young Hacker, Lightrealm Attempts to Co-Opt Him .....38
The Lure Begins .....40
“Invita” Is Born .....40
Vasily Gorshkov Puts in an Appearance .....44
A Honeynet Is Created to Test the Hackers’ Skills .....47
Alexey Demonstrates His Skill .....51

Chapter 4: The Sting . . . . . . . . 55
The Russian Hackers Arrive in Seattle .....57
At the Undercover Site .....60
While Alexey Views Websites, Vasily Takes Charge .....62
Gorshkov Connects to tech.net.ru .....65
Gorshkov Continues to Display His Knowledge .....66
The Take-Down .....72

Chapter 5: In Custody . . . . . . . . 75
The Ivanov Interview .....76
Gorshkov’s Interview .....78
The Prosecutors Stand By .....80
The Interviews Resume .....81
A Lawyer Is Arranged for Gorshkov .....83
The Russians Have Their First Appearance in Court .....85
Special Agent Schuler Connects to the Russian Computers .....86
Special Agent Schuler Gets Expert Help .....88
The Department of Justice Is Informed of the Initial Download .....89
The Downloads Are Vetted .....91

Chapter 6: PayPal . . . . . . . . 95
The National Infrastructure Protection Center Offers Its Help .....96
Floyd Short and Phil Attfield Join the Team .....97
User Accounts Are Scrutinized .....100
The Trial Is Postponed Until Spring .....102
PayPal and eBay .....103
How Hackers Got In—Or Did They? .....105
Greg Stivenson Makes an Appearance .....108
Steve and Marty Visit PayPal .....110
John Kothanek Refines His Loss Figures .....114
Tad Brooker, an Online Seller of Computer Components, Ships Processors to Greg Stivenson in Kazakhstan .....117

Chapter 7: A (Not So) Brief Primer on National Security Investigations . . . . . . . . 119
Technology Always Evolves Faster than the Law .....120
The Supreme Court Limited the Applicability of the Fourth Amendment to Searches Involving Physical Trespass .....121
Nearly 40 Years Later, the Fourth Amendment Was Reinterpreted to Cover Telephone Conversations .....122
Were Wiretaps Simply General Searches? .....123
How Could Law Enforcement Particularly Describe Conversations that Had Not Yet Taken Place? .....124
As the Telephone Replaced Physical Letters as a Means of Communication, the Government’s Ability to Lawfully Seize Communications Eroded .....125
The Standard Quickly Evolves to Allow Limited Wiretaps .....126
Domestic Security Wiretaps Are Covered by the Fourth Amendment .....127
What About Foreign Intelligence Gathering? .....128
How the Fourth Amendment Affects Foreign Intelligence Surveillance .....130

Chapter 8: The Motion to Suppress and Preliminary Skirmishing . . . . . . . . 133
Privacy Laws and Precedent on the Internet .....135
The David Case Had Something for Everybody .....136
Courts in the U.S. Lacked Jurisdiction to Issue a Warrant to Seize Information in Russia .....137
The Temporary Impounding of Evidence to Protect It from Destruction Is Generally Okay .....139
“Search” and “Seizure” Are Not the Same Thing .....140
The Act of Copying the Information Did Not Amount to a Seizure .....141
District Judge John Coughenour Is a Quick Study .....142
The Hearing Begins .....144
The Sentencing Guidelines Discussed .....148
U.S. Requests for Assistance Went Unacknowledged .....151
Communications Regarding Gorshkov Are Introduced .....154
Gorshkov’s Interview .....158
The Undercover Agent Testifies .....159
Eliot Lim Takes the Stand .....161
The Cross-Examination of Eliot Lim .....164
Mike Schuler Takes the Stand .....166
Robert Apgood Testifies as a Defense Witness .....168

Chapter 9: Preparing for Trial . . . . . . . . 177
The FBI’s Download of Data from Russia Had Not Run Afoul of the Fourth Amendment .....179
A Final Continuance .....181
Paperless Trials Are Not Really Paperless .....182
A Creative Solution Is Found .....183
Alchemy Did Not Turn Lead into Gold, but It Worked Pretty Well .....184
The Case for CTS, eBay, and PayPal .....184
Assessing the Damage to PayPal .....185
Assessing the Damage to eBay .....185
Assessing the Damage to CTS .....189
The Successful Trip Wraps Up .....199
The Case for Credit Cards and Banks .....200
The National Infrastructure Protection Center at FBI Headquarters Issues an Advisory, Warning the IT Community of the Activities from Russia .....203

Part II: The Trial

Chapter 10: The Trial Begins . . . . . . . . 207
Early Skirmishing .....208
The Jury Is Empanelled .....211
The Government’s Opening Statement .....211
The Defense’s Opening Statement .....215
The Trial Proper Begins .....220
Special Agent Patel Introduces the Communications with the Defendant .....222
Special Agent Mallon Sets the Scene .....225
The Jurors Hear Gorshkov Talking About His Company .....226
The Undercover Recording Is Played .....226
The Parties Had Some Disputes Over the Transcript .....227
The FBI’s Russian Language Expert Authenticates the Transcript .....228
Curtis Rose of Sytex Explains the Hacks into His System .....231
The Cross-Examination of Curtis Rose .....240
The Trial Day Was Over, but the Work Was Not .....244
Issues with the Transcript, Revisited .....244
The Taped Telephone Conversation with Alexey Is Played .....246
The Undercover Videotape Is Played .....248
Ken Kanev Cross-Examines on the Recordings .....250
Redirect and Day’s End .....255

Chapter 11: The Download Revisited . . . . . . . . 257
The Trial Is Delayed .....258
Witnesses Had to Be Rescheduled .....260
The Trial Re-Commences with Technical Evidence .....260
Rob Apgood Cross-Examines Eliot .....264
On Redirect, Eliot Is Allowed to Clear Up Possible Confusion .....268
Mike Schuler Takes the Stand .....269
Gorshkov’s Post-Arrest Interview .....272
An Internet Protocol Directory Is Introduced to Guide the Jurors .....273
The WinWhatWhere Output Log Is Introduced .....274
Mike Successfully Logs On to the tech.net.ru Computers .....276
A Disturbing Message .....277
Mike Schuler Resumes the Witness Stand for the First Round of Cross-Examination .....278
The Technical Cross-Examination Begins .....280
Eliot Lim’s Assistance Is Questioned .....281
St. Clair County Intermediate School District Evidence .....284
Joseph Kim Explains Intrusions into Nara Bank .....288
A Good Day, but Work Remained to Be Done .....290
Mr. Kim’s Cross-Examination Is Brief .....294
The CTS Witnesses Are Called Somewhat Out of Logical Order .....294
An Expert on PERL Is Engaged .....295
Expert Witnesses Are Covered by Special Rules that Allow Them to Express Opinions .....297
Experience and Common Sense Prevail .....300
The Exhibit List Itself Becomes an Exhibit .....302
The Evidence from CTS Is Authenticated and Admitted .....304
American Express .....306
FBI Computer Analysis and Response Team Forensic Examiner Takes the Stand .....309
A Workaround Is Decided Upon .....311

Chapter 12: The Expert Speaks . . . . . . . . 313
At the Weekend Recess, Judge Coughenour Again Admonishes the Lawyers to Move More Rapidly .....315
Phil Resumes His Testimony .....318
Gorshkov’s Home Directories Were Full of Incriminating Evidence .....321
Phil Explains Some of the PERL Scripts Found on the Russian Computers .....322
A Detailed Analysis of the PERL Script proxy.sql .....323
Password-Cracking Program Found on Gorshkov’s Account .....326
How the Hacking Tools Worked Together .....329
PERL Scripts Designed to Open Email Accounts .....331
MyOwnEmail Witness Explains How His Company Does Business .....333
More PERL Scripts Explained .....335
After the Noon Recess, Phil Ran a Hacking Program .....338
With the Technical Demonstration Having Succeeded, Phil Quickly Wrapped Up His Direct Testimony .....341
The Cross-Examination of Phil .....342
An Account on a Computer System Is Not a Person .....344
The Reconstruction of the File Systems Is Probed .....345
The Cross-Examination Continues .....348
An Exhausted Witness Is Led into a Mistake .....351
The Recovery .....353
Things Get Off Track .....355
The Redirect Clears Up Ambiguities .....357

Chapter 13: The Prosecution Wraps Up . . . . . . . . 359
The Guy from Lightrealm Was Stymied by the Young Hacker .....361
Gorshkov’s Verio/Webcom.com Intrusion .....363
Scott Wertheimer Identifies Verio Files Found on tech.net.ru .....364
Perry Harrington Produces an Account Opened by Gorshkov with a Stolen Credit Card .....366
Massive Inquiries at eBay Are Identified .....368
A Representative Seller of Computer Components Tells His Story .....375
The Reality of Trying Complex Cases .....376
PayPal, the Primary Victim, Presents Its Evidence .....378
Special Agent Marty Prewett Ties It All Together .....381
Some Concerns Regarding the Defense Case .....385
Cross-Examination of the Case Agent Concludes .....387
The Cross-Examination Ventures into Uncharted Waters .....389
The Prosecution Rests, but Was It Enough? .....391

Chapter 14: The Defense Case and the Conclusion . . . . . . . . 397
Maxim Semenov’s Honest Answers During Cross-Examination Rendered His Testimony Harmless .....400
Gorshkov’s Brother Tries to Help Him .....401
The Defendant Takes the Witness Stand .....403
Gorshkov Expands His Business .....406
The Invita Invitation Appears .....408
Gorshkov Puts Words in Ivanov’s Mouth that Could Not Be Tested by Cross-Examination .....409
Gorshkov Attempts to Pass Off His Hack into Verio .....411
Rob Apgood Attempts to Elicit More Technical Testimony .....412
The Defense Wraps Up .....414
The Cross-Examination of the Defendant .....414
Floyd Short Takes a Turn at Cross-Examination .....418
Ken Kanev Attempts to Mitigate the Damaging Testimony of His Client .....420
The Defendant Is Allowed to “Explain,” Unassisted by Questions .....420
Closing Arguments of Counsel .....421
Closing Argument for the Defense .....429
Floyd Argues in Rebuttal .....431
The Prosecution Team Depressurizes .....435
The Verdict .....436

Chapter 15: Sentencing and Other Aftermath . . . . . . . . 439
Gorshkov Is Sentenced .....441
Both Parties Forgo Their Appeal Rights .....445
Rumblings from Russia .....447
Alexey Ivanov’s Situation in Connecticut .....449
Alexey Ivanov’s Background and Personality .....449
The Russian Perspective on Hacking and Computers .....452
In Contrast to Legitimate Work, Crime Paid Well .....453
Gorshkov and Ivanov’s Businesses, in a Nutshell .....453
A Close Approximation to Justice Had Been Achieved .....455

Part III: Appendixes and Supplementary Materials

Appendix A: Superseding Indictment . . . . . . . . 459
Appendix B: Certification of Service . . . . . . . . 471
Appendix C: Government’s Response . . . . . . . . 479
Appendix D: Order . . . . . . . . 497
Appendix E: Exhibit List . . . . . . . . 505
Index . . . . . . . . 533


Introduction

B

eginning in the fall of 1999, a number of Internet-related businesses in

the United States suffered computer intrusions or “hacks” that originated
from Russia. The hackers gained control of the victims’ computers, copied
and stole private data that included credit card information, and threatened
to publish or use the stolen credit cards or inflict damage on the compromised computers unless the victims paid money or gave the hackers a job.
One of these victims was an Internet Service Provider (ISP) named
Speakeasy Network, located in Seattle, Washington. Speakeasy’s computer
network was attacked from Russian Internet Protocol (IP) addresses at the
end of November 1999. The hacker (or hackers) was able to compromise the
system administrator’s account—the account known as root or the superuser—on several Speakeasy computers. This was a sinister turn of events
because anyone who accesses a computer as root or system administrator has
the ability to install, alter, or delete any file on the system. The hacker then
issued a message to everyone who was logged into that computer that he
wanted to “chat” about Speakeasy’s computer network security using a program called Internet Relay Chat (IRC), which allows real-time written communication via the Internet. The hacker identified himself with the computer
“nick” or nickname, _subb_.
On November 30, 1999, a Speakeasy employee engaged in an IRC chat session with _subb_, who identified himself as Alexey Ivanov. During the chat
session, Ivanov transmitted to the Speakeasy employee, via IRC, an electronic
copy of his résumé and graphics files containing photographs of himself. Also
during the chat session, Ivanov stated that he had found holes in Speakeasy’s
network security, that he wanted a job and $1,000–$1,500 per month, and
that he would not tell Speakeasy about the security holes until he got a job.
Ivanov acknowledged that he lived in Chelyabinsk, Russia, and bragged that
Speakeasy could never put him in jail for his activity. Ivanov stated that he
had 2,000 user passwords from Speakeasy, as well as credit cards. The
Speakeasy employee told Ivanov that they would not pay him, but tried not
to anger him, for fear that he would cause damage to the systems.

xiii


The Lure


After a brief hiatus, Ivanov again contacted Speakeasy, just before Christmas
Eve of 1999. He again demanded a job and money, stating that it would be
better for Speakeasy to give him a job than for Speakeasy to get hacked, have
all of its files deleted, and have its customers’ credit cards used. He demonstrated that he had credit card information by posting it on a website that
Speakeasy hosted. Speakeasy still refused to pay any money to Ivanov or give
him a job. Ivanov and/or his co-conspirators then deleted files on one of
Speakeasy’s main computers and on one of its customer’s computers.
Also in the fall of 1999, several other ISPs—including Verio, which is headquartered in Englewood, Colorado; Lightrealm (now known as Hostpro) in
Kirkland, Washington; and CTS, in San Diego, California—had their computers hacked from Russia by the conspirators. Some of the ISPs, including
Lightrealm and CTS, gave Ivanov accounts on their systems and even made
payments to him by transferring funds to Russia.
A similar computer attack was made on an online credit card clearinghouse
named Online Information Bureau, Inc. (OIB), located in Vernon,
Connecticut. Ivanov, as he had done in the case of Speakeasy, identified himself to OIB as the hacker of its computers and demanded a job and money.
In his correspondence with OIB personnel, Ivanov said that he was a “security engineer” at Lightrealm, a claim that was given some credence by the
fact that he was using the email address Logs that
were maintained on the OIB system further revealed that the hacker had
made FTP connections to a computer at CTS located in San Diego,
California.
In the year 2000, attacks from Russia on computer systems in the United States escalated, as the hackers reached their cyber-tentacles into scores of networked systems. In April, Nara Bank, a Korean-American bank located in Los Angeles, suffered an attack, including an extortion email, although bank personnel were not aware of the full extent of the attack at the time. In August, a bank in Waco, Texas, named Central National Bank (CNB)–Waco, suffered a similar attack, but did not become aware of it until much later. The conspirators also compromised the computer network of the St. Clair County Intermediate School District in Michigan, using it for several nefarious purposes. The FBI, through its field offices in Seattle and Hartford, established an undercover operation to lure Ivanov to the United States for prosecution. Having identified Ivanov through his résumé, the FBI sent him an email soliciting him for employment with Invita, a computer network security start-up company located in Seattle. On July 1, 2000, Ivanov responded that he and his business partner, Vasily Gorshkov, were interested in a consulting business or partnership. He suggested that further emails be sent to him at (his account at CTS) or to Gorshkov at
In the course of email correspondence with Invita, Ivanov and Gorshkov
agreed to travel to Seattle and meet with Invita personnel. The FBI placed
two undercover phone calls to Russia, speaking to Gorshkov in the first one
and Ivanov in the second one. Also as part of the events leading up to their
travel to Seattle, the hackers offered to demonstrate their hacking skills on
Invita’s own computers. A network was set up for that purpose for the FBI
by a company called Sytex, and they successfully hacked into it. The logs generated by the Sytex network were invaluable. They not only identified the
specific exploits and techniques used by the hackers, but recorded the IP
addresses of various compromised systems that the hackers were using as
proxies to hide their true location. Because the hackers had suggested the test
hack, and confirmed that the work was theirs, the Sytex logs became akin to
an electronic fingerprint of their techniques.
On November 10, 2000, the FBI’s undercover operation culminated with the arrival of Gorshkov and Ivanov at SeaTac Airport. They were escorted to an Invita office site in Seattle, where a meeting of several hours’ duration took place. In the office, both defendants sat down at computers that belonged to Invita and the FBI recorded their computer activity using a computer program that logged their keystrokes. Ivanov also had his own Toshiba laptop computer, which he connected to the local network at the office and used.
During the undercover meeting, which was recorded on video- and audio
tape, Gorshkov used the Invita computer to log into his account (kvakin) on
the Russian computer named tech.net.ru and then into his account (again,
kvakin) on the networked computer named freebsd.tech.net.ru. From his
account, Gorshkov obtained a scanner program called Lomscan, transferred
it over the Internet, and then used it to scan the entire local area network of
computers located in the building where the small Invita office was located.
Indeed, he informed the agents that he had conducted the scan immediately
after he did it.
Also during the undercover meeting, Gorshkov and Ivanov made a number
of incriminating statements that demonstrated their knowledge of many of
the hacking victims, including Verio, banks, and others. When asked about
whether they had obtained credit cards, Gorshkov said that it was a topic they
could discuss in Russia, but not in the United States, because of the FBI.

After the two-hour meeting at the Invita office, Ivanov and Gorshkov were
arrested. Ivanov was arrested pursuant to a warrant issued by the United
States District Court for the District of Connecticut in relation to the OIB
case, and he was transported to Connecticut to stand trial on those charges.
Gorshkov was arrested pursuant to a material witness warrant, also issued in
the District of Connecticut, but was subsequently charged by Indictment in
the Western District of Washington. The Russian consulate was immediately
notified of the arrests.

From November 14 through November 20, 2000, Special Agents of the FBI,
with the assistance of a computer security professional from the University
of Washington, connected to the two Russian computers named tech.net.ru
and freebsd.tech.net.ru. They successfully logged on to the computers by
using the username of kvakin and the password that Gorshkov had used during the Invita undercover meeting, as that information was recorded by the
keystroking software. With Gorshkov’s username and password, the agents
were able to access a large amount of data on the computers, including the
home account of kvakin on both computers. The agents also accessed the
account of subbsta (Ivanov) on tech.net.ru by using the password that Ivanov
provided to them during his post-arrest interview, but they were not able to
access his account on freebsd.tech.net.ru.
The agents copied a portion of the enormous quantity of data that was
located on the Russian computers and downloaded the copied data to a
computer located at the Seattle FBI office, planning to seek and obtain a
search warrant before searching the contents of the download. The downloaded data was not viewed until after the search warrant was obtained on
December 1, 2000. It was then examined with the help of experts, including Phil Attfield. The downloaded information consisted of four CD-ROMs
containing a huge quantity of highly-compressed data. Mr. Attfield’s first
task was to expand the data and reconstruct the file structure of the Russian
computers, so that the files could be indexed and searched. Those four
CD-ROMs were admitted at Gorshkov’s ensuing trial as Government’s
Exhibit 100.
The quantity of data obtained by the FBI was immense. In their personal accounts on the computers, Gorshkov and Ivanov had numerous computer hacking tools, that is, programs or “scripts” and computer code that were used to compromise or gain control of computers and computer networks in a variety of ways. Among other things, the tools would scan computers and networks for vulnerabilities, exploit those vulnerabilities to obtain users’ passwords and to gain complete control of the computers, decipher or crack encrypted or encoded passwords, and convert the compromised systems into relays or “proxies” that allowed the hackers to mask their identity on the Internet. Many of these tools also were found on Ivanov’s Toshiba laptop computer, which was seized at the time of his arrest.
A number of other computer programs or “scripts” located in kvakin’s home
accounts implemented a fraud scheme against the online auction company
eBay and the online credit card payment company PayPal. eBay has a website on which users can auction items off to other users. Payment can be
accomplished by credit card through online accounts at PayPal that are
opened with an email address and a credit card. Gorshkov’s scripts generated thousands of false email addresses, at websites offering free email
accounts, opened corresponding accounts at PayPal with stolen credit cards,
generated fraudulent or “virtual” auctions at eBay, and initiated payments
from one PayPal account to another using the stolen credit cards.
Working closely with PayPal and eBay, FBI agents were able to reconstruct
the hackers’ fraudulent transactions. Using files from PayPal and eBay, as well
as data recovered from the Russian computers, the agents determined that,
after layering credit card transactions through multiple PayPal accounts to
obscure their trail, the hackers had purchased computer components worth
hundreds of thousands of dollars, and had the unsuspecting sellers ship them
to Kazakhstan.
Because Ivanov had been charged first in Connecticut, he was transported
back to that district for prosecution. He ultimately pleaded guilty following
protracted plea negotiations. On September 20, 2001, Gorshkov went to trial
in United States District Court for the Western District of Washington in
Seattle. He had been charged in a 20-count Superseding Indictment with
conspiracy, mail fraud, and various violations of the Computer Fraud and
Abuse Act. Following a jury trial, he was convicted on all counts on Tuesday,
October 9, 2001.

Under the American system of justice, the government has the burden to
prove the crimes with which a defendant is charged beyond a reasonable
doubt. That proof must satisfy, not only a judge who has presided over many
criminal trials and is savvy about the ways of criminals, but a jury of lay persons, for whom the trial may be their only exposure to the darker side of
humanity. Consequently, in most criminal cases, prosecutors are pressed to
muster sufficient testimony and evidence to prove their cases. That was not
the problem in this case.

In preparing the Gorshkov prosecution for trial, Floyd Short and Steve
Schroeder, the two Assistant United States Attorneys assigned to the case,
had available a vast amount of information. In addition to the data downloaded from the hackers’ computers in Russia, they had acquired data from
the networks of numerous victims, including the Seattle area ISP and web
hosting company, Lightrealm; the Seattle-based Internet café and online service provider Speakeasy; the credit card clearinghouse, OIB; the San Diego
area ISP and web hosting company, CTS; the St. Clair County, Michigan,
K–12 School District; several online banks; the Denver area ISP and web
hosting company, Verio; PayPal; and eBay. At least a score of other victims
contributed evidence, as well.
In sum, the trial team was faced with a nigh-overwhelming quantity of very
incriminating evidence that filled terabytes of storage. Nor was the evidence
of a kind that could readily be understood by a jury consisting of lay persons. Much of it was highly technical. Steve and Floyd realized that they
could not even attempt to prove the entire scope of the illegal activity
engaged in by Ivanov and Gorshkov. The problem for the trial team to solve
was how to present an accurate and highly-convincing picture of the conspiracy without overwhelming the Court and the jury.
In the end, the trial team chose to limit the number of victims that would be included in the charges. Obviously, Speakeasy and Lightrealm, the Seattle-based victims, would be featured. Victims whose systems had been used as proxies to attack other networks and, thus, were central to the scheme, were included, as well. Since the OIB hack had been charged in Connecticut, charging it in Seattle would have been redundant. The OIB hack was not included.
In addition, Steve and Floyd decided to present the evidence in the case electronically. Documents admitted in the case would be viewed contemporaneously by the witness, the defendant, all counsel, the judge, and the audience,
on monitors set up in strategic locations throughout the courtroom. This
technology not only introduced a very efficient way to deal with the thousands of exhibits that would be introduced, but enabled the judge and jury
to follow along with the witness as he or she explained what each exhibit
meant. This feature greatly enhanced the ability of the jurors to understand
the evidence.
Because much of the evidence was highly technical, Steve and Floyd used a number of expert witnesses to explain it. The principal burden of “teaching” the judge and jury what the evidence meant fell to Phil Attfield. In addition to explaining how he had reconstructed the file structure of the defendant’s computers from the downloaded data, Phil testified that he found in the tech.net.ru and freebsd.tech.net.ru data, scripts written in PERL (Practical Extraction Report Language) that were designed to automatically open email accounts and create PayPal accounts with those email addresses and stolen credit card information.
Curtis Rose testified concerning the honeynet that his company, Sytex, had
created. During the course of his presentation, Curtis identified the common
vulnerabilities that the hackers had targeted, and the scripts and exploits that
they used. In addition, personnel from several of the systems that were identified with the transactions at PayPal—including Lightrealm and the St. Clair
County Intermediate School District—testified that their computers were
hacked from IP address 195.128.157.66, registered to tech.net.ru. The
intruders took over their systems and used them as proxies to make other connections to the Internet.
Working closely with Phil, Floyd and Steve figured out that, based upon his analysis of evidence found on the tech.net.ru computers, Phil could identify other systems that the hackers had compromised. This allowed them to shorten the trial by foregoing testimony from several victim companies.

Why Read This Book?
From this greatly simplified summary, it should be apparent to the reader that
the Gorshkov investigation and prosecution resulted in a cornucopia of evidence, including scan logs, hacker tools, and scripts used to automate intrusions and do mischief on networked systems. Because the matter went to trial,
this evidence was introduced into the public record. Consequently, it is available for teaching and training purposes.
The prosecution received massive, and largely positive, publicity. It was particularly well-received by the IT community, where there is a high level of
frustration at being victimized by foreigners who are beyond the reach of the
law. In part because of their work on this case, the author and Phil Attfield
have been invited to conduct training at a number of academic conferences,
as well as international computer security conferences. At the conclusion of
those presentations, they have invariably been asked by attendees to make
the case materials available. This book is my effort to do so.
This book is a case study of a large, complex, and highly technical prosecution of two Russian hackers. I believe that the materials presented offer a
wealth of information that can be used by IT professionals, business managers, and academics who wish to learn how to protect systems from abuse,
and who wish to respond appropriately to network incidents.

In addition to its value as a training tool, however, I believe that this is a great story. Two Russian hackers, who bragged that the laws in their country offered them no threat, and who mocked the inability of the FBI to catch them, were caught by an FBI lure designed to appeal to their egos and their greed. It is also the story of a real trial in a real courtroom. In an attempt to maintain the narrative line of this story, while, at the same time, presenting a case study that can be used for teaching and training, I have integrated the technical materials into the narrative.
I hope that you enjoy the book.

PART I

The Investigation



Chapter 1

Speakeasy

In 1994, Mike Apgar and his wife conceived of the idea of opening a café where people could gather to browse the Internet together. In June of 1995, they opened Speakeasy, Inc., as one of the world’s first Internet cafés, at 2304 2nd Avenue in Belltown in downtown Seattle, Washington.1 Figure 1.1 depicts Speakeasy as it looked in the late ’90s. The original concept was to provide Internet access to the public, particularly to members of the public who did not have access to the Internet from either home or work.2 This enterprising idea, coming at the beginning of the dot-com boom, soon expanded to include a wide range of Internet and World Wide Web services.3
Figure 1.1 Speakeasy in 1998. (Photo courtesy of Linux Journal, January 1998 issue.)

Growing up in Western Montana, Mike Apgar spent summers working in his
stepfather’s sawmill in Kalispell. There he acquired a sense of frugality and
a work ethic that he never lost. Consequently, when he and his wife started
Speakeasy they viewed themselves as entrepreneurs and not, as was so often
the case in dot-com businesses, as venture capitalists. Speakeasy acquired
some of its servers on eBay. The members of the early management team
were treated more like partners than employees, but everybody was expected
to do what was necessary to make the business work. During a remodel, all
of the executives worked sanding floors.4 Nobody was getting rich, at first.
Everybody, including Mike, was paid at roughly the same salary, about $200
to $250 per day.5

1. [URL not preserved]
2. Reporter’s Transcript of Proceedings, United States v. Gorshkov, CR 00-550C (W.D. Wash. 2001), page 159 [hereinafter RT, pp].
3. See the interview of Mike Apgar at [URL not preserved].
4. Interview of Mike Apgar by John Cook on January 21, 2003. [URL not preserved]
5. RT, 176.