The US Department of Justice announced charges today against a Russian citizen who traveled to the US to recruit and convince an employee of a Nevada company to install malware on their employer's network in exchange for $1,000,000.
According to court documents unsealed today, Egor Igorevich Kriuchkov, a 27-year-old Russian, was identified as a member of a larger criminal gang who planned to use the malware to gain access to the company's network, steal sensitive documents, and then extort the victim company for a large ransom payment.
To mask the theft of corporate data, Kriuchkov told the employee that other members of his gang would launch DDoS attacks to keep the company's security team distracted.
Kriuchkov and his co-conspirators' plans were, however, upended, when the employee they wanted to recruit reported the incident to the FBI.
FBI agents kept Kriuchkov under observation during his stay in the US, and eventually arrested the Russian national on Saturday after they had gathered all the evidence they needed to prosecute.
Below is a chronological timeline of Kriuchkov's time in the US and his attempts to recruit the insider, along with additional commentary, where needed. All events took place in 2020.
- July 16: Kriuchkov contacts the employee working at the Nevada company via a WhatsApp message and informs him of his plans to visit the US. The employee, identified in court documents as CHS1, told the FBI he knew Kriuchkov from contact the two had years before, in 2016.
- July 28: Kriuchkov arrives from Russia in New York, travels to San Francisco, and then to Reno.
- August 1: Kriuchkov makes contact with CHS1 via phone.
- Aug. 2 and Aug. 3: Kriuchkov, CHS1, and friends travel to Emerald Pools and Lake Tahoe, where Kriuchkov pays for everyone's expenses while also trying to avoiding having his picture taken.
- Aug. 3: During the last day of the trip, at a bar late at night, Kriuchkov tells CHS1 he works for a group on "special projects" through which they pay employees for installing malware on their employers' networks. Kriuchkov then details the entire scheme to CHS1 and says that the malware could be provided on a USB thumb drive or sent to him via email. Initially, Kriuchkov told the employee he'd be paid only $500,000 for installing the malware, and that his gang would launch a DDoS attack to disguise the data exfiltration process.
- Following this proposal, CHS1 reports Kriuchkov to the FBI, and future meetings are kept under surveillance.
- Aug. 7: Kriuchkov has another meeting with CHS1. During this meeting, Kriuchkov attempts again to convince CHS1 to participate in the scheme, this time claiming that his group has been orchestrating these "special projects" for years and that all other employees who cooperated were never caught and still work for their employers. Kriuchkov also suggests that his gang can make the malware infection appear as it originated from another employee if CHS1 had anyone in mind they wanted "to teach a lesson." During this meeting, CHS1 also asks for a $1,000,000 payment, including $50,000 upfront.
- Aug. 17: In another meeting, Kriuchkov reveals more details about the gang he works, including the fact that they handle payments using escrow via "Exploit," the name of a well-known hacking forum. Kriuchkov also reveals he recruited at least two other employees, with one of the previous victim companies paying a $4 million ransom following a successful hack. Kriuchkov and CHS1 also had a WhatsApp call with a member of Kriuchkov's gang and talked payment and escrow details. Kriuchkov also claimed that a member of the group is an employee at a government bank in Russia and that the group paid $250,000 for the malware, which was written specifically for CHS1's company. Kriuchkov left a phone with CHS1 so he could get in contact in the future.
- Aug. 18: In a subsequent meeting, Kriuchkov tells CHS1 that the gang refused to pay him an upfront fee, as they have never done so before; however, they agreed to the $1,000,000 payment. Kriuchkov said his own cut was reduced to $250,000 following CHS1's demands. Kriuchkov also told CHS1 that he would need to provide details about his employer's network to the gang in order to customize the malware.
- Aug. 19: Kriuchkov met with CHS1 and said the gang eventually agreed to an upfront payment of 1 bitcoin.
- Aug. 21: Kriuchkov meets with CHS1 to inform him the "special project" was delayed due to another ongoing "special project" for which the gang expected a huge payout and needed to focus their efforts. Kriuchkov also told CHS1 he was leaving the US and then left instructions with CHS1 detailing how he would be contacted by gang members in the future.
- Following this meeting, an FBI agent contacts Kriuchkov by phone, who then attempts to hastily leave the country and is eventually arrested the next day in Los Angeles.
Kriuchkov was charged on Monday and faces up to five years in prison for his role in the scheme if found guilty.