Yevgeniy Nikulin Hacked LinkedIn, Dropbox, Formspring

A Russian national is staring down a federal indictment after allegedly breaching the computer systems of three major Bay Area tech firms—LinkedIn, Dropbox, and Formspring. Yevgeniy Aleksandrovich Nikulin, 29, of Moscow, was indicted by a federal grand jury in Oakland on charges tied to unauthorized computer access, data theft, and system sabotage. The cyberattack spree targeted Silicon Valley’s digital infrastructure, exposing vulnerabilities in firms trusted with millions of user accounts.

Nikulin is charged with three counts of computer intrusion under 18 U.S.C. § 1030(a)(2)(C), two counts of intentionally transmitting malicious code causing damage to protected computers under 18 U.S.C. § 1030(a)(5)(A), and two counts of aggravated identity theft under 18 U.S.C. § 1028A(a)(1). He also faces one count of trafficking in unauthorized access devices under 18 U.S.C. § 1029(a)(2) and one count of conspiracy under 18 U.S.C. § 371. Prosecutors allege he used stolen employee credentials to infiltrate systems and conspired with unnamed co-conspirators to traffic Formspring user data.

The indictment, unsealed today, claims Nikulin accessed computers belonging to LinkedIn, Dropbox, and Formspring without authorization, extracting sensitive information and damaging systems. He allegedly transmitted malicious code that corrupted computers belonging to a LinkedIn employee and the now-defunct social platform Formspring. The attacks exploited internal access points, leveraging compromised login details to move laterally through secure networks.

Nikulin was arrested on October 5, 2016, in the Czech Republic following a provisional arrest request from U.S. authorities. He remains in custody in Prague, awaiting potential extradition to the United States. The case was investigated by the Federal Bureau of Investigation with critical assistance from Czech law enforcement and the Department of Justice’s Criminal Division.

If convicted, Nikulin faces severe penalties: up to five years per computer intrusion count, ten years for transmitting damaging code, and ten years for trafficking access devices. The two counts of aggravated identity theft carry a mandatory two-year sentence each, to be served consecutively. Additional penalties include fines up to $250,000—or twice the gross gain or loss—three years of supervised release, forfeiture, restitution, and a $100 special assessment per count.

Assistant U.S. Attorney Michelle J. Kane is leading the prosecution, aided by Melissa Dorton and Elise Etter. The case underscores the federal government’s aggressive stance against foreign cyber intrusions targeting American companies. As digital breaches grow bolder, the Nikulin indictment sends a message: hackers operating overseas aren’t beyond reach. The Justice Department isn’t backing down from cyberwar on U.S. soil.