Crime across the internet knows no boundaries, yet cybercriminals initiate their act from a physical location within the geographic boundaries of some nation. Therefore, it stands to reason that victims and law enforcement both have a need to identify the miscreant, so the act that took place within the internet plane can be dealt with on the physical plane.
And while pages can be filled on the challenges of attribution today, we’ll assume that when an individual has been arrested abroad based on an outstanding warrant from the United States, the attribution question has been addressed adequately (or will be challenged in the courts).
Do Cybercriminals Ever Get Extradited?
The answer is, sometimes—and it depends.
Peter Yuryevich Levasho (aka Peter Severa and Peter of the North), arrested in Barcelona in early 2017 and extradited to the United State, was arraigned by in the U.S. Federal Court Feb. 2. Those familiar with Levasho will recognize him as the operator of the Kelihos botnet. Levasho’s indictment alleges Kelihos facilitated “malicious activities including harvesting login credentials, distributing bulk spam e-mails, and installing ransomware and other malicious software.”
Yevgeniy A. Nikulin, meanwhile, was arrested in the Czech Republic in October 2016. An Interpol Red Notice was used as the grounds for his arrest. The United States requested his extradition in November 2016. The Czech Minister of Justice ordered Nikulin’s extradition in March. On March 30, Nikulin was charged with hacking into, damaging and stealing data from LinkedIn, Dropbox and Formspring.
To Extradite or Not
There are countries that don’t have extradition treaties with the United States. A list from 2015 shows 76 or so countries that don’t have extradition treaties with the United States, including China and Russia.
Recently the United States indicted 13 Russian individuals for the cyber shenanigans surrounding the 2016 U.S. presidential election. As Russia does not have an extradition treaty, U.S. law enforcement will be watching for a means to make an arrest and extradition. The likelihood is, arrests will be made when the indicted individuals travel abroad.
The two Russian nationals, Nikulin and Levasho, were both present in countries with which the country had a treaty with the United States.
Now, with the case of the 13 indicted Russians, Russian president Putin exclaimed to the world, “Never. Never. Russia does not extradite citizens to anyone.”
An extradition treaty in place isn’t a guarantee that a U.S. indictment or arrest warrant will be sufficient to extradite an individual. Such was the case of Lauri Love. Love successfully hacked into various U.S. government computer networks associated with U.S. Army, the Missile Defense Agency of the United States, Department of Defense, the Environmental Protection Agency and the National Aeronautics and Space Administration.
Love won his appeal to the British Appeals Court denying an extradition order for Love in February. He successfully claimed that “he could be easily tried in the UK. His family and physicians detailed the debilitating physical and mental health problems he has — including severe depression, Asperger’s syndrome, asthma, and eczema — that has incapacitated him for years.” The court noted the “inability of U.S. prisons to humanely and adequately treat his medical and mental health ailments. Extradition to the U.S. would be oppressive by reason of his physical and mental condition.”
The end result? The Crown Prosecution Service will now handle the case in the UK courts (no doubt with the assistance of the U.S. Department of Justice (DoJ).
Thus, extradition treaties are simply the framework from which the DoJ may seek the extradition of an individual from crimes in or against the United States. The ultimate decision on whether the extradition will occur is in the hands of the courts of the country in which the individual was arrested.