
English-News Cyberwarfare

Putin’s shadow warriors

Phantom with a Bengal cat: Evgeniy Bogachev.
Source: FEDERAL BUREAU OF INVESTIGATION//Redux/laif
The USA spent years trying to catch the Russian cyber criminal Evgeniy Bogachev with a record bounty – to no avail. Bogachev evidently cooperates with the Russian secret service, which willingly uses criminal hackers as spies.

Maybe this story was meant to begin in a row of concrete buildings by the Russian coast of the Black Sea, in a holiday resort called Anapa, and in the office of a man who calls himself Pavel. Pavel is a man in his fifties, with grey receding hair and a slight belly showing underneath his shirt. There is a clock on the wall behind his desk with portraits of Russia’s president Vladimir Putin and his predecessor Dmitry Medvedev. Pavel manages a small telecommunications company and knows what to do if you want to have an easy life as a businessman in Russia. He also knows how tricky it is to have a client such as the baldheaded man who came into his shop about three years ago. His name was Evgeniy Mikhailovich Bogachev.

Bogachev, a Russian citizen, is the creator of the computer malware “Gameover Zeus”, and the leader of a hacker network which has infected more than a million computers worldwide and robbed banks, companies and corporations of more than 1 million euros. Bogachev is at the top of America’s list of the most wanted criminals. The FBI has put a bounty of $3 million on his head.

Most wanted: The FBI has put a bounty of $3 million on Bogachev's head.

For years now, he has been pursued by criminal investigators from over ten countries, followed by undercover agents, and tracked by both amateur nerds and professionals from the biggest companies in the computer industry, such as Dell and Microsoft. They studied the architecture of Bogachev’s cyber weapons, managed to deactivate them and arrested his helpers. But they never captured Bogachev himself.

There are some photographs, published by the FBI, of a man in his early thirties with a bald head. On some he is seen on his yacht, on others he has a long-haired brunette on his arm or looks at the camera wearing big sunglasses and spotted pyjamas, which go well with the Bengal cat he’s holding like a trophy. But that’s pretty much all there is.

Bogachev’s hunters call him names like Phantomas or the Master of Invisibility. They talk about how rare it is to deal with someone who leaves behind virtually no traces, digitally and in real life. The longer they are involved with his case the more convinced they are that Bogachev isn’t just another Russian cyber criminal, but part of a bigger conspiracy.

It’s the direction that Putin needs

The FBI and well-known forensic scientists who specialize in IT tell Die Welt they are convinced Bogachev used his malware to spy on governments and intelligence services of other countries on behalf of the Russian government. This is why, at the beginning of the year, his name was added to a sanctions list of the US government as one of 35 Russian diplomats, spies and IT companies. Most of them are thought to have been part of the plot to hack the Democratic Party last year during the American presidential election.

Before Pavel can answer the question of what he really thinks about Bogachev, one of his colleagues interrupts: “People like Bogachev have to be steered in the right direction. And that is the direction that Putin needs.” She sounds like one of those people who could not be argued out of their position. Pavel nods quietly. This is exactly what has been happening for a while.

Bogachev's hometown: Anapa, located on the northern coast of the Black Sea.
Source: pa / dpa /

These last few months have seen a number of cases, each of which shows a pattern: Russian secret services team up with successful criminal hackers to use them as spies. In return, they guarantee that the hackers are able to continue with their business on the side, unmolested by police and prosecutors and protected from foreign investigators and intelligence agents.

One example is Alexey Belan, a Russian hacker, thirty years old but with the soft face of a teenager. The USA searched for him for years, without success. Then, in 2013, he was caught by the Greek police. The US government wanted to have him extradited, but Belan managed to escape to Russia at the last minute. The latest investigations show without much doubt that Belan made a deal with the Russian authorities. The US named him again, this time for helping the Russian intelligence agency, the FSB, between 2014 and 2016 to hack Yahoo and gain access to the email accounts of journalists, government representatives and businessmen.


Belan’s three helpers have also been accused. A report in the Russian media alleged that the FSB employed Dmitry Dokuchaev AKA “Forb” as a result of his skills as a criminal hacker. The other two are said to be employees of the cyber unit of the FSB.

There is also the case of Yevgeny Nikulin, a Russian computer specialist, who was arrested by the Czech authorities a year ago in a restaurant in Prague. The FBI had accused him of having stolen and then sold the sensitive data of 80 million Internet users in 2012. The USA demanded his extradition. Shortly thereafter, Russia also made an application for extradition. Could this be a coincidence? The former boss of the Czech intelligence service, Karel Randak, doesn’t think so. Nikulin, he says, knows enough to blow the cover on the whole system. “If this man decides to talk, he could reveal that hacking attacks on foreign servers are actually a part of the Russian information war.”

And finally there is the case of another man, who has been kept in detention for a few months in a sandstone building in the Moscow district of Lefortovo. Ruslan Stoyanov used to be an employee of the Russian IT security company Kaspersky, where he led a department responsible for solving cyber crimes. Among other tasks, he was responsible for contacts with the Russian police and the FSB secret service. Russian authorities allege that, with the help of a female intermediary, Stoyanov passed information to the American Central Intelligence Agency. But insiders say that this is a pretence. It may be that Stoyanov became too dangerous – and that is what the messages he sent from his prison cell seem to suggest.

“The same script as in the Cold War”

Recently, he wrote on his Facebook page that there is proof that cyber criminals and employees of Russian authorities are working closely together. The state gets access to technology and information from abroad, and the criminals can continue to go on raids online, as long as they do not affect Russia.

This corresponds with assessments of the situation from government officials and news services in Berlin, Paris or Washington DC. According to them, the hackers who suddenly become spies are part of a major Russian offensive designed to destabilise Western democracies. The Russian economy is bad, the people are longing for a return to their former greatness. “In the end,” one of them says, “this is the same script as in the Cold War – with the difference that the digital world is offering a whole arsenal of new weapons.”


Thus Russian hackers attack the German Bundestag, try to manipulate elections in the USA and France, steal trade secrets from foreign companies, and purposefully publish fake news through social media and internet portals to defame politicians and governments.

The Chief of the General Staff of the Russian military seems to view the hacker scene of his country as a secret weapon, as Putin’s hidden reserve. In any case, the most talented cyber criminals, like Belan, Nikulin and Bogachev, have now become something like poster boys of the cyber war, young and mysterious.


In Anapa, his hometown, Bogachev is a hero who stood up to the Americans and who for years has been brave enough to mock them. An employee at the local police station, for example, says that, were he to meet Bogachev again, he would pin a medal on the guy.

A different family now lives in the penthouse

Bogachev’s last official address is apartment 223 at 120 Lermontova street, Anapa. The building is a beige high-rise in one of the nicer parts of town. A walk of less than 20 minutes through quiet streets will take you to the sea.

If you take the lift up to the 13th floor, right at the top of the building, you reach a heavy black door, which stays closed even after persistent ringing and knocking.

Bogachev’s last official address: Apartment 223 at 120 Lermontova street, Anapa.
Source: Julia Smirnova

According to neighbours, Bogachev bought several flats on this floor and combined them into a penthouse with a view of the coastline and the sea. However, they also say that they haven’t seen him in a while and that a different family now lives in the penthouse. Bogachev also owns another smaller flat in the same building with no bell on the door. Nobody opens the door there either.

Bogachev is said to sometimes live on his yacht, which lies just off the coast. This is what he seems to have done in the summer of 2014, just after the FBI added his name to their list of most-wanted criminals and started a manhunt for him. But he hasn’t been seen onboard there for a while now.

For the moment, it seems to his hunters that Bogachev has disappeared within the matrix, into the binary labyrinth of zeros and ones, into the command lines of his code.

Bogachev was always the big unknown, says a profiler who was part of the hunt. A phantom hiding behind monikers such as “Slavik” and “lucky12345”. He never boasted about his successes on Internet forums, quite a common practice amongst hackers of his caliber. Seven years ago, he suddenly announced the end of his criminal career. That, it is now known, was another deception. In actual fact, he was developing an even more effective cyber weapon and working to become even more inconspicuous.

They still don’t know much about Bogachev

He established a small and exclusive circle of helpers, most of them in their twenties, called the “Business Club”, which communicated over a special server. Bogachev made sure that he was the only person controlling everything. Only one person fixed technical problems in the malware: Bogachev himself or someone who used his identification. The investigators are still amazed by how perfectly organized Bogachev’s group was. And whilst the FBI managed to find pictures and the whereabouts of some of his most important accomplices – some of them lived near Donetsk, Ukraine – they still don’t know much about Bogachev, even after all these years.

The few things they were relatively sure about were an email address, his name and the fact that he was living a middle-class life in Russia. There was a message Bogachev had once sent to his “Business Club” which contained a hint that he might have been married. His programming style pointed towards someone who is a hard worker, rather than an artist, not someone who gives up easily.

In the summer of 2014, specialists from the FBI and IT security companies fought continuously for almost three days to release the millions of computers Bogachev had captured to use as remote-controlled cyber weapons. Bogachev engaged them in a tough fight, programmer against programmer, to protect his programme and his secrets.

In hindsight this all became clearer, says one of the investigators. Bogachev had installed a well-disguised sub-section of his malware to which only he had access. He used this sub-section to draw information from thousands of external computers about secret agents and elite police in Georgia and Turkey. He was interested in who was delivering weapons to Syria. He was looking in particular for documents from the Ukraine and the US labelled ‘strictly confidential’, of major political interest to Russia during the crisis in Crimea and the Syrian war.

Closed door: According to his neighbours, Bogachev hasn't been seen around for a while.
Source: Julia Smirnova

Pavel sits in his basement office and says he might not really know that much about his customer, Mr. Bogachev. When they first met, he didn’t even know who he was – he found that out later, from the television news. But one thing he is sure of: Bogachev may have made himself invisible, but he has not vanished without trace. He still has an Internet connection in both his apartments in the beige building, which are paid in full and on time each month. But there is something else.

Trimmed full beard, expensive suit

There is, he explains, a computer control system called SORM, which all Russian service providers must connect to their servers using a special device. The FSB demands this in order to have access to every computer and all the client data at all times. “We have an agreement with the FSB. They see everything,” he says in a matter-of-fact way, as though explaining to a child that the sun rises in the morning and sets in the evening.

Alexej Stotskij is waiting in the lobby of a small luxury hotel, built into a rock by the sea. He has a black full beard, neatly trimmed, and his suit looks expensive. Stotskij is the owner of the hotel, which opened recently. But he is also Evgeniy Bogachev’s lawyer; although Stotskij is keen to point out he has represented him in court in matters unrelated to cyber crime.

“Bogachev is a reserved, intelligent man and a good dad,” says Stotskij, adding that he knows where Bogachev’s wife and daughter live. Where Bogachev himself is though, he says he could only guess.

The last time he saw Bogachev was two years ago. From time to time, Stotskij says he tried to call him on one of his mobile phones. But, because no one ever answers those calls, he writes messages. Bogachev reads those messages, as is evident from the little blue double ticks; but he never replies. At least that is the story according to Stotskij. And just as you start to wonder what it all means, the lawyer adds: “People like Bogachev need to be protected. They are useful for our country.” This is why he believes his client is safe in Russia, “Just like Edward Snowden.”

And Stotskij means it. To him, Bogachev, the hacker, and Snowden, the whistleblower who revealed state secrets acquired working for the American NSA secret service, are Russian soldiers of the digital age. Very few people know where either lives. And the Russian secret services, Stotskij believes, will make sure it stays that way.
