A Russian cybercriminal who hacked three tech companies and stole more than 100 million user credentials will not have to pay damages to his victims. Evgeny Aleksandrovich Nikulin was found guilty in July 2020 of violating the data integrity of the platforms LinkedIn, Dropbox, and the now-defunct social network Automattic in 2012.
Nikulin gained access to LinkedIn data by hacking into the personal computer of LinkedIn engineer Nick Berry and then installing malware that gave him access to Berry's VPN and credentials.
Nikulin used Berry's credentials to access LinkedIn's internal database and steal user credentials, which he then sold to his partners. He used some of the stolen data to infiltrate the work account of Dropbox employee Tom Wiegand and gain access to the shared Dropbox account.
Nikulin then used credentials stolen from Dropbox to hack the work account of Formspring employee John Sanders and steal millions of hashed user passwords.
Nikulin was sentenced to 88 months in federal prison by US District Judge William Alsup. He was also ordered to pay LinkedIn damages equal to half of the amount the company requested. Alsup also ordered Nikulin to pay compensation of $514 thousand to Dropbox, $20 thousand to Formspring, and $200 thousand to Automattic, the parent company of WordPress.
The court has now overturned the restitution order. A panel of three judges found the evidence insufficient to justify the payment of compensation in the amount of $1.7 million.
“Although the court testimony and protocols presented in court showed the degree of reaction of the victims to computer intrusions, this evidence did not serve as a basis for determining the costs incurred by the victims,” the court said.
The judges found that the information provided to the court did not satisfy the government's obligation to provide a full accounting of losses for each victim.