Vladislav Klyushin Traveled Freely in Europe, Until He Didn’t Travel in Europe Freely

Bloomberg has a fascinating update on the case of Vladislav Klyushin, the guy who ran a pen-testing company for Vladimir Putin and who was extradited to Boston on charges of insider trading last month. It states that Klyushin has (present tense) access to documents on the 2016 Russian hack and suggests he might be leveraged to share this information to get out of the lengthy insider trading sentence he faces.

According to people in Moscow who are close to the Kremlin and security services, Russian intelligence has concluded that Klyushin, 41, has access to documents relating to a Russian campaign to hack Democratic Party servers during the 2016 U.S. election. These documents, they say, establish the hacking was led by a team in Russia’s GRU military intelligence that U.S. cybersecurity companies have dubbed “Fancy Bear” or APT28. Such a cache would provide the U.S. for the first time with detailed documentary evidence of the alleged Russian efforts to influence the election, according to these people.

There’s a problem with this claim, though, at least as stated. The US already has documentary proof that GRU was behind the hack-and-leak. These documents would not be the first. And given the evidence cited in the indictment against Klyushin and Ivan Yermakov, the hacker cited in both this case and two GRU hack-and-leak cases, US investigators collected more information from Yermakov over the last several years.

So such documents must go beyond mere confirmation of GRU’s role, if reports of Kremlin concerns are true.

Some insight about what the US might be after comes elsewhere in the story. It describes that on two earlier occasions, Western intelligence tried to recruit Klyushin.

U.S. and British intelligence tried twice to recruit Klyushin, according to Ciric, the attorney in Switzerland. U.S. intelligence attempted to engage him in summer 2019 in the south of France and British intelligence approached him in March 2020 in Edinburgh, Ciric said.

Klyushin memorialized that second meeting in a note he wrote a few weeks after the encounter and saved on his computer, according to Ciric. It took place at Edinburgh’s airport, as Klyushin was taking a flight back to Russia, according to the memo, which was submitted to the Swiss courts as part of his appeal against extradition. Klyushin wrote that the two British intelligence agents — one from MI5 and the other from MI6 — spoke to him for a few minutes in a room where he was led after a passport check.

The two Russian-speaking officers, a man and a woman, asked him if he would “cooperate” with U.K. secret services and took his phone number to set up a meeting on his next trip to London planned for May, according to the previously unreported document, which was reviewed by Bloomberg. Klyushin wrote that while he didn’t respond to the cooperation offer, he said he would be willing to see the agents again to discuss selling M-13 products to British intelligence.

It’s unclear whether Klyushin informed Russian intelligence about the U.S. and British recruitment efforts.

On top of the detail that US and British intelligence had targeted Klyushin for recruitment (and believed by summer 2019 that they had some reason to convince him to do so), this reveals that Klyushin has been traveling without arrest in recent years, both after the January 2020 date to which the indictment parallel-constructs the start of the investigation, and well after the May 9, 2018 date when the US seems to have pinpointed Yermakov’s phone. It’s a point Klyushin himself made.

While in the Swiss prison, Klyushin told Bloomberg, through his lawyer, that he didn’t know why he was arrested in March and not before, saying that he had previously traveled freely to Europe. He blamed his detention on an “operation mounted by the U.S. in cooperation with Swiss authorities” to obtain “certain confidential information the American authorities consider” he has.

That is, it’s possible that the US waited to arrest him until they were done with their investigation, but these past interactions with western spooks suggest something else was behind the timing of his arrest. Similarly, the explanation offered by the Swiss lawyer — that the US only learned of Klyushin’s trip to Switzerland by an auspiciously timed hack of his phone — makes no sense, given the access to travel records the US would routinely have even without having someone targeted under Section 702, as Klyushin easily could have been.

The story leaves big questions about whether Klyushin wanted to be turned over or not. In addition to the open question about whether Klyushin told Russian authorities about the recruitment attempts, Bloomberg describes that Klyushin’s Swiss lawyer mailed his appeal of the extradition to the European Court of Human Rights rather than faxing it, with the result that the appeal arrived only after he had already been transferred to US custody.

But it’s hard to believe that Klyushin wanted to be extradited when he was arrested last March. That’s because his family returned to Russia at the end of their 10-day luxury vacation, which they wouldn’t have done if Klyushin had been planning to defect to the US (if one can start using the term again). So if Klyushin came to decide he wanted to be extradited over the nine months while he was held in Switzerland, he may have only come to that conclusion upon receiving more details about the charges against him, possibly including details that might expose him to the ire of the Kremlin.

It is true, however, that the Russian-speaking attorney Klyushin hired in Boston, Maksim Nemtsev, is not one of the ones (such as Igor Litvak) that Russian nationals retain when they’re refusing to cooperate; Nemtsev appears appropriate to the insider trading charges against Klyushin.

There may be a better explanation for the timing than an auspicious hack, though. As described, Klyushin’s trip to Switzerland was likely his first trip to a US extradition partner after Merrick Garland was sworn in as Attorney General on March 11, 2021, eight days before FBI obtained the arrest warrant for Klyushin.

And while the US has documentary evidence that GRU did the hack, what they hadn’t yet obtained when DOJ obtained the indictment against Yermakov and other GRU officers in 2018 was something far more important: what Russia did with two sets of data — the campaign strategy and polling information turned over from Paul Manafort and the analytics stolen from Hillary through the entire month of September. There’s certainly reason to believe DOJ knows more now than they did in 2018. Last April (so shortly after the arrest warrant for Klyushin), Treasury stated as fact that the information Konstantin Kilimnik obtained from Manafort did get shared with Russian intelligence, even while asserting that Kilimnik was himself a spook. But how that information was shared and what happened with it has not been made public.

And those are the kinds of questions you might not raise aggressively until after Trump was gone.

Behind the Arrest of Putin’s Pen-Tester, Vladislav Klyushin

There’s a gratuitous passage in the March 20, 2021 complaint charging Vladislav Klyushin, Ivan Yermakov, Igor Sladkov, Mikhail Irzak, and Nikolay Rumyantev with conspiracy to violate the Computer Fraud and Abuse Act. It describes Klyushin — the guy just extradited to the US on the charges — as possessing a picture of Alexander Borodaev and Sergey Uryadov posing in front of Scotland Yard in London.

Thus far, it’s unclear who the guys in the picture are, other than customers of M-13’s “investment services,” for which they paid extortionate 60% commissions to benefit from the insider trading scheme allegedly run by Klyushin and Yermakov. But, in addition to alerting Klyushin to how many of his personal files the FBI has obtained, folks back in Russia will have a taste of the kind of information at risk now that Klyushin is in US custody.

That is, this passage, and a host of others in the charging documents, appear designed to maximize the discomfort of a number of people involved, as much as justifying the arrest and extradition of the guy who led a company that provided services that amount to information operations to Vladimir Putin. As the DOJ presser explained,

M-13’s website indicated that the company’s “IT solutions” were used by “the Administration of the President of the Russian Federation, the Government of the Russian Federation, federal ministries and departments, regional state executive bodies, commercial companies and public organizations.” In addition to these services, Klyushin, Ermakov and Rumiantcev also allegedly offered investment management services through M-13 to investors in exchange for up to 60 percent of the profit

The insider trading scheme works like this: Klyushin (the guy in US custody) and Yermakov (a key person involved in the 2016 DNC hack, described in DOJ’s press release as a “former” GRU officer), along with one other guy from M-13, are accused of hacking at least two US filing agents to obtain earnings reports before they were officially released. They conducted trades for a handful of clients — along with Borodaev and Uryadov, Boris Varshavskiy is mentioned. Klyushin also conducted trades for himself. The three M-13 figures were indicted on conspiracy, hacking, wire fraud, and securities fraud charges on April 6, 2021, an indictment that formalized the extradition request for Klyushin, who had already been arrested in Switzerland.

Then there are two apparent private citizens who live in St. Petersburg, Mikhail Irzak and Igor Sladkov. They were indicted on May 6, 2021 on conspiracy to hack and hacking charges, along with securities fraud. That indictment (like the complaint) focuses on some different trades than the Klyushin one (and because neither is likely to be extradited anytime soon, the second indictment may shield some portion of evidence from discovery).

Actions attributed elsewhere to Yermakov are attributed to Co-Conspirator 1 in that indictment, and it is on that basis that Irzak and Sladkov are exposed to the hacking charges. Irzak and Sladkov don’t appear to have been paying the extortionate 60% fees that the other M-13 clients were, which makes me wonder whether Yermakov was helping buddies get rich on the side. Worse still, Sladkov had some epically bad operational security; the indictment describes pictures he had in his possession showing:

  • A picture of a black Acer computer, with a blue Russian Olympic Committee sticker over the camera, showing a press release with Snap’s 2017 earnings that was not released publicly until 8 hours later.
  • A picture showing the same Acer computer with the same blue sticker showing his own trading activity on BrokerCreditService on May 2, 2018
  • A picture taken on July 24, 2018 at 2:05PM (ET) showing himself and Irzak sitting at a brown table; Irzak had Facebook running at the time, which showed him to be in the vicinity of Sladkov’s house
  • A picture dated July 25, 2018 showing him trading in a bunch of shares the earnings reports of which had been illegally accessed the day before
  • A picture dated October 14, 2018 showing a hand-written note instructing to “short” three shares, which Irzak did short two days later

In other words, Sladkov documented much of his insider trading in photographs (perhaps to share the instructions with Irzak), and left all those photographs somewhere accessible to the US government.

If Yermakov was sharing this information with these guys without permission, then Sladkov’s role in providing the US government the really damning information that would form the basis for an arrest warrant for Klyushin might make things really hot.

But it’s not like Klyushin or Yermakov did much better. In addition to the pictures of the clients, above, and some screencaps that got sent showing trading activity (though with less obvious evidence of insider trading), there’s a bunch of messaging from both, including an oblique reference to messages Yermakov and Borodaev sent on November 19, 2020 that have nothing to do with the context of the indictment but happen to be after the US election. There are even pictures Klyushin shared with Yermakov, “showing a safe that contained growing stacks of U.S. one hundred dollar bills.”

Yermakov appears to have used one of his messaging accounts via multiple devices, because on December 3, 2018, when he “forgot telephone at work,” he was still able to message Klyushin about closing out a trade. Using the same messaging app across platforms would offer one means of compromise, especially if the FBI had gotten into Yermakov’s device updates. The indictment doesn’t mention a warrant for such messaging that you would expect if it took place on Facebook.

Again, this indictment seems to aim to cause discomfort and recriminations based on information in US possession.

But then there’s the question of how it came about, how it landed in Massachusetts rather than DC (where the lead FBI agent is from) or NY (where the trades get done) or Pittsburgh, where one of the prior indictments against Yermakov was done.

The indictments and complaint base the MA jurisdiction on the fact that the culprits used a VPN that used a server in MA on several occasions. At a presser the other day, Acting US Attorney Nathaniel Mendell suggested the case had been assigned to MA because of its good securities prosecution teams.

As to how it came about, purportedly, the story starts in January 2020, when the two filing agents allegedly hacked by the men, FA1 and FA2, reported being hacked at virtually the same time. Someone had used an FA1 employee’s credentials on January 21, 2020 to access the earnings data for IBM, Steel Dynamics, and Avnet before those results were publicly announced the following day, but no similar transaction is noted with respect to FA2 (indeed, the list of accesses involving FA2 has a gap from November 2019 through May 2020). The investigation determined that FA1 had first been hacked by November 2018 and that FA2 had first been hacked by October 2017.

FA1 and FA2 discovered this compromise just months after the third M-13 employee, Rumyantev, had his account blocked by his Russia-based brokerage for suspicious transactions. Months after FA1 and FA2 reported their compromise, Rumyantev and Klyushin lied to a Danish bank that they were working entirely off of public information. By that point, in other words, banks in at least two countries were onto them.

Then, the story goes, the FBI investigated those hacks — through domains hosted by Vultr Holdings to a hosting company in Sweden to a user account under the name Andrea Neumann. From there, the FBI tracked back through some Bitcoin transactions made in October and November 2018 to the IP address for M-13 where they just happened to discover one of the very same hackers that was behind the 2016 hack of the DNC was also behind this hack. Mendell sounded pretty sheepish when he offered that explanation at the press conference.

Perhaps it’s true, but another key piece of evidence dates to actions Yermakov took on May 9, 2018, when he was under very close scrutiny as part of the twin investigations into his role in the hacks of the DNC and doping agencies, but before the first indictment against him was obtained.

Based on a review of records obtained from a U.S.-based technology company (the “Tech Company”), I have learned that on or about May 9, 2018, at 3:44 a.m. (ET), an account linked to ERMAKOV received an update for three native applications associated to the Tech Company. Records show that the May 9, 2018 application updates were associated to IP address 119.204.194.11 (the “119 IP Address”).

Based on my review of a log file from FA 2, I learned that on or about that same day, May 9, 2018, starting at 3:46 a.m. (ET)–approximately two minutes after ERMAKOV received application updates from the Tech Company–the FA 2 employee’s compromised login credentials were used to gain unauthorized access to FA 2’s system from the same 119 IP Address, and to view and/or download earnings-related files of four companies: Cytomx Therapeutics, Horizon Therapeutics, Puma Biotechnology, and Synaptics. All four companies reported their quarterly earnings later that day.

It would be rather surprising if the FBI agents investigating the DNC hack had not at least attempted to ID the IP associated with Yermakov’s phone (or other device) back in 2018. Whether or not they watched him engage in insider trading for years after that — all the while collecting evidence from co-conspirators flaunting the proof of their insider trading — we may never learn. The discovery on this case, featuring evidence explaining how the FBI tracked the insider trading of Putin’s pen-tester, will certainly feature a number of law enforcement sensitive techniques that Klyushin would love to bring back to Putin.
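The evidence quoted from the complaint is a classic cross-source correlation: a record that ties a known identity to an IP address (here, application updates to an account), and a second system's access log showing the same IP a couple of minutes later using a compromised credential. The script below is an added example, not code from the complaint, the FBI, or the post; it shows the defender-side form of that check, which a filing agent's own security team could run over its access logs against any log that binds identities to IPs (VPN or SSO logs, for instance). All log lines, account names, file names and IP addresses (RFC 5737 TEST-NET ranges) are constructed for illustration.

```python
"""Correlate a filing-agent access log with an identity-to-IP log.

Added example (not from the complaint or the post). For each access by a
flagged credential in the target log, find the closest event in the anchor
log that came from the same source IP within a short window before it.
All data below is constructed; IPs are RFC 5737 documentation addresses.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    source: str     # which log the event came from (label only)
    identity: str   # account or credential the event is tied to
    ts: datetime    # event time, UTC
    ip: str         # client IP recorded by the server
    detail: str     # free-text action


# Constructed "tech company" log: identity,timestamp,ip,action
UPDATE_LOG = """\
acct-7781,2018-05-09T07:44:00Z,203.0.113.45,app-update:mail
acct-7781,2018-05-09T07:44:02Z,203.0.113.45,app-update:maps
acct-2210,2018-05-09T07:50:10Z,198.51.100.8,app-update:mail
"""

# Constructed filing-agent access log: user,timestamp,ip,action
FA_LOG = """\
fa-employee-12,2018-05-09T07:46:05Z,203.0.113.45,view earnings/ACME-Q2.pdf
fa-employee-12,2018-05-09T07:47:30Z,203.0.113.45,download earnings/BETA-Q2.pdf
fa-employee-03,2018-05-09T12:15:00Z,192.0.2.77,view earnings/GAMMA-Q2.pdf
fa-employee-12,2018-05-09T20:00:00Z,203.0.113.45,view earnings/DELTA-Q2.pdf
"""


def parse_log(text: str, source: str) -> List[Event]:
    """Parse the simple comma-separated format used by the constructed logs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        identity, ts, ip, detail = line.split(",", 3)
        events.append(Event(source, identity,
                            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            ip, detail))
    return events


def flag_accesses(anchor: List[Event], target: List[Event],
                  window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """For each target event, report the closest preceding anchor event from
    the same IP inside `window`. Events with no such anchor are not reported.
    Output is ordered by target timestamp."""
    by_ip: Dict[str, List[Event]] = {}
    for a in anchor:
        by_ip.setdefault(a.ip, []).append(a)

    hits = []
    for t in sorted(target, key=lambda e: e.ts):
        best: Optional[Event] = None
        for a in by_ip.get(t.ip, []):
            delta = t.ts - a.ts
            # anchor must precede the access, and not by more than `window`
            if timedelta(0) <= delta <= window and (best is None or a.ts > best.ts):
                best = a
        if best is not None:
            hits.append({
                "target_user": t.identity,
                "target_action": t.detail,
                "ip": t.ip,
                "linked_identity": best.identity,
                "delta_seconds": int((t.ts - best.ts).total_seconds()),
            })
    return hits


if __name__ == "__main__":
    for h in flag_accesses(parse_log(UPDATE_LOG, "tech"), parse_log(FA_LOG, "fa2")):
        print(f"{h['target_user']} {h['target_action']!r} from {h['ip']} "
              f"-> {h['linked_identity']} seen {h['delta_seconds']}s earlier")
```

Two of the four constructed accesses are flagged (the 07:46 and 07:47 entries), the 12:15 access comes from an unrelated IP, and the 20:00 access is outside the window even though the IP matches. Shared-IP matches are only a lead, never proof on their own: NAT, VPN exits and mobile carrier gateways put many unrelated users behind one address, which is why the window is kept short and why the complaint pairs the IP match with a tight two-minute timing gap.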

But it’s possible these techniques were what the FBI used to target these guys four years ago now, and the insider trading that Yermakov was doing in addition to whatever he spent the rest of his time doing has now provided a convenient way to bring Putin’s pen-tester to the United States for a spell.

Update: Included the pictures of the safe included with his detention memo, as well as earnings reports from Sladkov’s computer. Note the detention memo says the latter came from an ISP.