When the co-founder of the up-and-coming Russian cybersecurity group Group-IB unleashed an unusual public broadside about cybercrime in June 2020, it was seen as a bold and risky move in an industry where the line between Russian criminals and Russian security agencies has always been porous.
Speaking alongside Russia’s prime minister, Ilya Sachkov called out one person in particular, a man behind a notorious bit of ransomware code used to lock victims’ computers in order to extort money from them: Maksim Yakubets.
Not only did Sachkov at the time know that the FBI had charged Yakubets with major cybercrimes six months earlier -- he also probably knew that Yakubets’ father-in-law was a former special forces officer with the Federal Security Service, the FSB.
That, many experts say, is likely why Sachkov was arrested by the FSB in September 2021 and charged with treason.
Now sitting in a Moscow jail awaiting trial, Sachkov has made another bold and risky ploy: He and his allies have released a video recorded a few months prior to his arrest. In the video, which circulated on Telegram earlier this month, Sachkov rips into the FSB and calls out two prominent people by name: the head of its main cyberunit and the unit’s previous director, who is serving a 22-year prison sentence on a treason conviction.
“I find it to be strategic. I find it to be very interesting that it was released,” said Alexander Leslie, an analyst at the U.S.-based cybersecurity company Recorded Future, referring to the new video.
Prior to his arrest, Sachkov “went out of his way to name names, to name the names of cybercriminals that were openly collaborating, he alleged, with the FSB and the security services as a whole,” he said.
“I think a lot of people, especially people who are involved in studying Russian politics and studying the Russian cybercriminal underground revere Sachkov for those statements,” Leslie told RFE/RL, “because it's very rare, it's exceedingly rare for someone to say something like that, and then deal with the backlash that he's likely dealing with as a result of these statements.”
'You Will Definitely Be Surprised'
In September 2021, FSB agents raided Group-IB’s Moscow offices, hauling away servers and documents. They also hauled away Sachkov, who had been out of the country but had returned for unclear reasons.
Even in an industry accustomed to subterfuge, scandal, and betrayals, Sachkov’s arrest stunned many. It even drew criticism from top Russian business leaders, including the country’s official business ombudsman.
For years, if not decades, Russia had been trying to cultivate its own tech industry, struggling to harness the vast intellectual potential of its vaunted education system and its world-class programmers, coders, and engineers -- not to mention hackers and security agents.
Kaspersky Lab was one example of a homegrown tech company that had gone global – until 2017, when the U.S. government alleged it had collaborated with the FSB and banned its software from all U.S. government computers. The German government and Italy followed suit in 2022.
Group-IB, meanwhile, was embraced as a good-news success story for Russia’s tech industry. In February 2019, President Vladimir Putin awarded Sachkov with a prize for young entrepreneurs.
"We started out with investigations of high-tech crimes, collaborating with…the Investigative Committee, the FSB, the Interior Ministry. And then we began to make products that use machine learning and artificial intelligence to prevent attacks at an early stage," Sachkov said, inviting Putin to visit his offices. “You will definitely be surprised.”
That same year, Group-IB moved its headquarters to Singapore, in an effort to expand its business to a global audience beyond the Russian market.
In June 2020, Sachkov attended the event hosted by Prime Minister Mikhail Mishustin in the central city of Kazan, along with other major figures in Russia’s high-tech industry, including the founder of Yandex, Yevgeny Kaspersky of Kaspersky Lab, and the then-head of Mail.ru. Boris Titov, the Kremlin’s official business ombudsman, introduced Sachkov to Putin. After Sachkov was arrested, Titov was among the first officials to speak out in his defense.
At the meeting with Mishustin, Sachkov lamented what he saw as obstacles to “guaranteeing the sovereignty” of Russian technology and accused law enforcement of failing to stop cybercrimes, which he said hurts Russia’s image.
“When the whole world says that Mr. Maksim Yakubets, a hacker who drives around in Moscow in a Lamborghini with [government-issued] license plates, is a computer criminal, the creator of the Dridex virus, every engineer in the world knows about it,” he said. “Not a single Russian state body -- neither the police, nor the Federal Security Service, nor the Ministry of Foreign Affairs -- responds to this in any way.
“Maksim stays in Moscow, continues to drive his luxury car, and believe me, this affects the image of Russian companies that export information security,” he said.
'If You See This Video, Then Something Happened Or Is Happening To Me'
In the eyes of many experts, Sachkov erred in publicly taking on an alleged cybercriminal who had a powerful protector, and likely taking on others on the inside of Russia’s security apparatus.
“Such statements are not convenient for people who provide cybercriminals with comfortable conditions in Russia,” Viktor Kalinin, a former data analyst with Group-IB, told the Novaya gazeta newspaper earlier this year.
There may be other reasons.
In the video that circulated on June 16, Sachkov said it was recorded in June 2021, three months before his arrest. It was impossible to verify the time or place of its recording, though it appeared to be a location in Moscow.
He said he recorded it because he was concerned that he could be the target of a “serious provocation.”
“If you see this video, then something happened or is happening to me. Hospital, prison, disappearance -- something that is extraordinary, but to which we are probably already accustomed,” he said.
He then named the current head of the FSB’s Center for Information Security, Oleg Kashentsov, as being responsible for his possible criminal prosecution. And he also named Kashentsov’s predecessor, Sergei Mikhailov.
Known also as Center 18, the Center for Information Security was roiled by a scandal in 2016 when it was directed by Mikhailov and his deputy, a former hacker named Dmitry Dokuchayev. Russian investigators accused the two, and two others, including a respected private sector analyst, Ruslan Stoyanov, of involvement in a scheme to pass classified cybersecurity information to U.S. authorities.
Sachkov gave expert testimony in the trial at which Mikhailov was ultimately convicted.
Mikhailov and Dokuchayev -- who had previously worked with and met with U.S. Justice Department officials to cooperate on some cybercrime investigations -- were sentenced to 22 years in prison, though Dokuchayev later had his sentence cut short.
Dokuchayev, meanwhile, was indicted by the U.S. Justice Department in March 2017 for his role in hacking Yahoo and stealing 3 billion e-mail records -- the largest such hack in history.
Some Russian media outlets, as well as Bloomberg News, speculated that Sachkov had also provided U.S. officials with information that led to the Justice Department indictment of 12 officers from the Russian military intelligence agency known as the GRU.
The video and its whistle-blowing content were consistent with the “white-hat image” that Sachkov had sought to build, said Julien Nocetti, a fellow and researcher at the French Institute of International Relations.
“I do think Ilya is still trying to maintain a sort of ‘moral influence’ within the domestic cyberindustry, which has undergone profound changes since February 2022,” Nocetti told RFE/RL. “Those who didn’t take sides have been forced to do so – and that’s not the best of luck when you are a Russian entrepreneur in this sensitive and sovereignty-related industry.
“In a sense, he knows he is likely to remain in jail for years, and thus has nothing to lose except his reputation as a crusader against cybercrime,” he said, “especially the [kind] which intersects between financial motives and political gains.”
'Why Is The Russian Government Not Doing Anything About It?'
Among many investigations into Russian cybercrime that U.S. authorities pursued was the case of Yevgeny Nikulin, who was arrested in the Czech Republic in October 2016 and extradited to the United States on charges that he hacked the U.S. tech companies LinkedIn, DropBox, and others.
In 2020, Nikulin was convicted by a jury and sentenced to just over seven years in prison.
In April 2014, FBI agents traveled to Moscow to meet with cybersecurity officials, a meeting that was supported by Russian law enforcement. Among the people who were interviewed was Nikita Kislitsin, who had been indicted by a U.S. grand jury on cybertheft charges the previous month.
At the time of the FBI meeting, Kislitsin was employed by Group-IB. He had been hired in January 2013 and later became the company’s director of network security.
Prior to that, however, Kislitsin had been well-known in Russia’s cyberunderground and was acquainted with Nikulin, whom he had described as the “Putin” of the hacking world.
Nikulin and Kislitsin had attended a meeting at a Moscow hotel in March 2012, along with several other Russians and Ukrainians, at a gathering that was dubbed the “summit of bad motherf*****s,” according to evidence submitted in Nikulin’s trial.
Kislitsin allegedly worked with another notorious Russian hacker, Aleksei Belan, to buy stolen data from Nikulin. Belan, who was also indicted in the Yahoo e-mail hack, is on the FBI’s list of its most-wanted hackers.
In his meeting with FBI agents, Kislitsin was notified of his legal rights, according to Justice Department filings. Kislitsin then indicated that he was “open for collaboration” and wanted to “mitigate problems.”
In April, Group-IB announced that it had finalized its move to leave Russia entirely.
"All of Group-IB's research and development processes, along with the company's full stack of technologies and products, will be withdrawn from Russia," the group said.
Group-IB did not respond to a new request for comment from RFE/RL.
Sachkov’s preemptive denunciation appeared aimed at pinning blame for Group-IB’s exit from Russia on the FSB, said Leslie of Recorded Future.
“It's a very, very interesting thing to say that the director of the FSB center that's effectively responsible for information in cybercrime more or less possibly pushed them out of Russia,” he said.
“But I think honestly, going back to what [Sachkov] said in 2020 and 2021 about cybercrime’s relationship with the Russian state, [that] was what started this snowballing effect of allegations and public scrutiny,” Leslie said. “He continues to say this in not only that video.
“Why is the Russian government not doing anything about it?” Leslie said. “It's probably because, a) it’s a source of revenue for some people; b) it's a source of soft power projection for the Russian state. It allows for a Russian kind of ‘FUD’ -- fear, uncertainty, and doubt -- in cyberspace to allow cybercrime out of Russia to run rampant.”
The FSB unit that Sachkov crossed swords with isn’t the only FSB division that has drawn scrutiny and the attention of law enforcement.
Last month, authorities in the United States, Britain, and three other Western nations announced a joint effort to unplug a pernicious and damaging malware called Snake, or Uroburos, that had been lurking around Internet servers in dozens of countries for decades.
The code was attributed to an FSB unit known as Center 16. Four Russians were charged by the FBI with various cybercrimes.
Snake was "the most sophisticated cyberespionage tool designed and used by Center 16 of Russia's Federal Security Service for long-term intelligence collection on sensitive targets," the U.S. government's cybersecurity agency said.